Coldfusion ckeditor file upload #11206
New pull request from a unique branch (coldfusion_ckeditor_file_upload) as requested.
This module exploits the unrestricted file upload flaw in the Adobe ColdFusion CKEditor, affecting ColdFusion 11 (Update 14 and earlier), ColdFusion 2016 (Update 6 and earlier), and ColdFusion 2018 (July 12 release). The vulnerability goes by CVE-2018-15961.
The exploitation is pretty basic: a JSP payload is uploaded through a single unauthenticated POST request and executed through a following unauthenticated GET request.
This module was successfully tested against a Linux Adobe ColdFusion 2018 installation using the docker container provided by Adobe (https://bintray.com/eaps/coldfusion/cf%3Acoldfusion/2018.0.0).
msf > use exploit/multi/http/coldfusion_ckeditor_file_upload
 Started reverse TCP handler on 172.17.0.1:4444
Should be working on Windows and Adobe 2016 as the URL used does not change, but not tested.
The exploit/multi/http/coldfusion_ckeditor_file_upload module exploits an unauthenticated file upload vulnerability in the CKEditor of Adobe ColdFusion 11 (Update 14 and earlier), ColdFusion 2016 (Update 6 and earlier), and ColdFusion 2018 (July 12 release) to upload and execute JSP files.
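A defender-side check for the sequence described above (an unauthenticated upload POST followed by a GET that runs the uploaded JSP), as an added example that is not part of the pull request or of Metasploit. The upload-handler pattern, the access-log layout and every sample line are assumptions constructed for illustration, and "unauthenticated" is approximated by an empty remote-user field.

```python
import re
from datetime import datetime, timedelta

# Hypothetical pattern (page gives no URL): set to your upload handler path.
UPLOAD_RE = re.compile(r"/upload\.cfm(\?|$)", re.I)
JSP_RE = re.compile(r"\.jspx?(\?|$)", re.I)
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+')

def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec

def find_upload_then_exec(lines, window=timedelta(minutes=10)):
    """Pairs of (ip, upload_path, jsp_path): a POST to the upload handler with
    no remote user, then a 200 GET of a JSP by the same client within `window`.
    Assumes lines are in chronological order."""
    uploads, hits = {}, []  # uploads: ip -> (time, path) of latest upload POST
    for rec in filter(None, map(parse, lines)):
        if rec["user"] != "-":  # remote-user set: not an anonymous request
            continue
        if (rec["method"] == "POST" and UPLOAD_RE.search(rec["path"])
                and rec["status"].startswith("2")):
            uploads[rec["ip"]] = (rec["ts"], rec["path"])
        elif (rec["method"] == "GET" and JSP_RE.search(rec["path"])
                and rec["status"] == "200"):
            prev = uploads.get(rec["ip"])
            if prev and timedelta(0) <= rec["ts"] - prev[0] <= window:
                hits.append((rec["ip"], prev[1], rec["path"]))
    return hits

# Constructed sample (combined-log prefix); addresses and paths are made up.
SAMPLE = [
    '198.51.100.7 - - [06/Jan/2019:10:00:01 +0000] "POST /example/upload.cfm HTTP/1.1" 200 120',
    '198.51.100.7 - - [06/Jan/2019:10:00:03 +0000] "GET /example/uploadedFiles/a1b2.jsp HTTP/1.1" 200 0',
    '203.0.113.9 - - [06/Jan/2019:10:05:00 +0000] "GET /index.cfm HTTP/1.1" 200 5120',
    '203.0.113.9 - alice [06/Jan/2019:10:06:00 +0000] "POST /example/upload.cfm HTTP/1.1" 200 88',
    '192.0.2.4 - - [06/Jan/2019:09:00:00 +0000] "POST /example/upload.cfm HTTP/1.1" 200 88',
    '192.0.2.4 - - [06/Jan/2019:11:30:00 +0000] "GET /example/uploadedFiles/x.jsp HTTP/1.1" 200 0',
]

if __name__ == "__main__":
    for hit in find_upload_then_exec(SAMPLE):
        print("upload-then-execute:", hit)
```

A hit is a lead for triage rather than proof of compromise; the window and both patterns should be tuned to the deployment's own paths.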