ColdFusion for Pentesters Chris Gates Carnal0wnage Lares Consulting
• inurl:/index.cfm Finding Sites Running ColdFusion
• CFM Shells • Sky’s the limit! • Pretty much anything you can code in Java, CF will run for you • ColdFusion 9 and above support cfscript == javascri
• http://www.petefreitag.com/ lots of defense/CF hardening info • http://www.bennadel.com/blog/ • http://www.raymondcamden.com/ http://12robots.com/
Questions? @carnal0wnage cgates [] laresconsulting[] com Chris Gates
• Who doesn’t love Google Dorks… • filetype:cfm "cfapplication name" password • inurl:login.cfm • intitle:"Error Occurred" "
• inurl:/CFIDE/componentutils/ (Find misconfigured servers) Finding Sites Running ColdFusion
• http://www.gotcfm.com/thelist.cfm Finding Sites Running ColdFusion
• Delicious Finding Sites Running ColdFusion
• ColdFusion 5 ColdFusion Hit list
• ColdFusion 6 ColdFusion Hit list
• ColdFusion 7 ColdFusion Hit list
• ColdFusion 8 ColdFusion Hit list
• Chris Gates (CG) – Twitter carnal0wnage – Blog carnal0wnage.attackresearch.com – Job Partner/Principal Security Consultant at Lares – Affiliation
• ColdFusion 9 ColdFusion Hit list
• ColdFusion 10 ColdFusion Hit list
• Metasploit Module to find ColdFusion URLs ColdFusion Scanner
• http://www.cvedetails.com/version-list/53/8739/1/Adobe-Coldfusion.html Attacking ColdFusion
• Common Vulnerabilities – Information Disclosure – XSS – SQL Injection – Admin Interfaces Exposed (more later) Attacking ColdFusion
• Information Disclosure • Need to determine standard vs Enterprise ColdFusion? * • Just request a .jsp page – Standard versions don’t do JSP and will
• Enterprise Attacking ColdFusion
• Standard Attacking ColdFusion
• Information Disclosure Attacking ColdFusion
• What is ColdFusion • Who uses ColdFusion • Finding sites running ColdFusion • Attacking ColdFusion – Common vulnerabilities – Insta-Shell – Gotta wo
Attacking ColdFusion
• XSS • Generally XSS is boring, but wait until we talk about cookies… • ColdFusion has scriptProtect, which helps strip out <script> tags • The black
• XSS Attacking ColdFusion
• XSS Attacking ColdFusion
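Added example, not from the deck: the scriptProtect setting the slides mention, enabled in Application.cfc, beside the output encoding that actually stops the reflected value from executing. The application name and the search.cfm page are assumptions.

```cfml
<!--- Application.cfc (excerpt). Application name is an assumption. --->
<cfcomponent>
    <cfset this.name = "exampleApp">
    <!--- scriptProtect="all" covers the url, form, cookie and cgi scopes.
          It only rewrites a short blacklist of tags (script, object, embed,
          applet, meta) to <InvalidTag>, so treat it as a speed bump:
          the output encoding below is the real control. --->
    <cfset this.scriptProtect = "all">
</cfcomponent>

<!--- search.cfm: a user-controlled value reflected into the page --->
<cfparam name="url.q" default="">

<!--- WEAK: raw reflection. Whatever is in ?q= lands in the HTML as-is,
      and scriptProtect does not catch event handlers or encoded variants. --->
<cfoutput><p>Results for #url.q#</p></cfoutput>

<!--- CORRECTED: encode for the HTML body context at the point of output.
      encodeForHTML() is ColdFusion 10+; on CF8/9 use htmlEditFormat(). --->
<cfoutput><p>Results for #encodeForHTML(url.q)#</p></cfoutput>
```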
• SQL Injection • If you see =somenumber go after it <cfquery name="getContent" dataSource="myDataSource"> select title fro
• SQL Injection • http://site.com/links/apply.cfm?id=(@@version) Attacking ColdFusion
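The cfquery pattern from the slides above, as an added example that is not from the deck: the string-interpolated query that makes ?id=(@@version) work, beside the cfqueryparam version that binds the value as a typed parameter. The datasource, table and column names are assumptions.

```cfml
<!--- Added example. Datasource "myDataSource" and the content table are assumptions. --->
<cfparam name="url.id" default="0">

<!--- VULNERABLE: #url.id# is pasted into the SQL text, so a value such as
      (@@version) or 1 OR 1=1 is executed as part of the statement. --->
<cfquery name="getContentUnsafe" datasource="myDataSource">
    SELECT title, body FROM content WHERE id = #url.id#
</cfquery>

<!--- HARDENED, step 1: reject anything that is not an integer before it
      gets anywhere near the database, with a clean 400 instead of a DB error. --->
<cfif NOT isValid("integer", url.id)>
    <cfheader statuscode="400" statustext="Bad Request">
    <cfabort showerror="id must be an integer">
</cfif>

<!--- HARDENED, step 2: bind the value with cfqueryparam. The driver sends it
      as a typed parameter, so it is never parsed as SQL syntax, and a
      non-integer value raises an error rather than changing the query. --->
<cfquery name="getContent" datasource="myDataSource">
    SELECT title, body FROM content
    WHERE id = <cfqueryparam value="#url.id#" cfsqltype="cf_sql_integer">
</cfquery>
```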
• Insta-Shell • BlazeDS/AMF External XML Entity Injection (CVE-2009-3960) • File Upload Vulnerability in CF8 FCKeditor (APSB09-09) • ‘locale’ Path Tra
• Kept running into ColdFusion on pentests • Last “pentester” talk on ColdFusion was 2006 at EUSec – http://eusecwest.com/esw06/esw06-davis.pdf • Chr
• Patching – ColdFusion requires manual patching, unzip in folder, overwrite a jar, etc – Admin interface doesn’t alert you to available patches – I’
• Pro Tip • Determining version is helpful for insta-shell exploits • Metasploit module can tell you by admin interface, or you can just look at CFIDE
• Or you can check the wsdl • /CFIDE/adminapi/base.cfc?wsdl – Checked on 7-9 Attacking ColdFusion
• BlazeDS/AMF External XML Entity Injection – Advisory pdf: http://www.security-assessment.com/files/advisories/2010-02-22_Multiple_Adobe_Products-XM
• BlazeDS/AMF External XML Entity Injection • http://www.security-assessment.com/files/advisories/2010-02-22_Multiple_Adobe_Products-XML_Extern
Attacking ColdFusion • BlazeDS/AMF External XML Entity Injection
Attacking ColdFusion • FCKeditor (apsb09-09) • ColdFusion 8.01 enabled the ColdFusion FCKeditor connector && FCKeditor vulns == unauth fileupl
Attacking ColdFusion • (related) FCKeditor (CVE 2009-2265) input sanitization issues • FCKeditor prior to 2.6.4.1 • Can also check version with a GET
• CFML = ColdFusion Markup Language • ColdFusion = Adobe’s product that handles CFML page/libs – Runs on Windows, Solaris, HP/UX and Linux – Apache,
Attacking ColdFusion • “Locale” Directory Traversal • Full walkthru here: • http://www.gnucitizen.org/blog/coldfusion-directory-traversal-
Attacking ColdFusion • http://www.gnucitizen.org/blog/coldfusion-directory-traversal-faq-cve-2010-2861/ • TL;DR – You can pass the hash • Mod
Attacking ColdFusion • “Locale” Directory Traversal • Vulnerable Versions: • ColdFusion MX6 6.1 base patches ColdFusion MX7 7,0,0,91690 base patches
Attacking ColdFusion • “Locale” Directory Traversal • ColdFusion 7 is always vuln, no patch
Attacking ColdFusion • Yeah, CF 8 too (has patch)
Attacking ColdFusion • The problem with the traversal exploit is that you need to know the full path. • Manageable on Windows… • Can be anywhere on *nix – Cue path di
Attacking ColdFusion • Componentutils (Component cfcexplorer) • Documentation for functions, includes full paths
• Gotta work for it… • Brute Force RDS Access (If Enabled) – Check if RDS is enabled – Brute force RDS • Brute Force Admin Interfaces – Main login p
• RDS = Remote Development Services • “In ColdFusion Studio/Builder/Eclipse, you can connect to and work with the files on any server that has ColdFus
• RDS Attacking ColdFusion
http://wwwimages.adobe.com/www.adobe.com/content/dam/Adobe/en/products/coldfusion/pdfs/cf-evangelist-kit.pdf Who Uses ColdFusion?
• Admin Interfaces • Prior to CF8 only password auth, CF 8 introduces usernames • Easy to tell if just “admin” or other usernames Attacking ColdFusion
• Admin Interfaces • /CFIDE/administrator/index.cfm salts the password Attacking ColdFusion
• Lots of other pages don’t • Ex. /CFIDE/componentutils/login.cfm Attacking ColdFusion
• Get the password right, CF sets a cookie Attacking ColdFusion
• Metasploit Module • Can do this easily in Burp Suite as well Attacking ColdFusion
Your passwords suck
• Other Stuff • Solr • Interacting with CFC’s • Cookies Attacking ColdFusion
• Solr APSB10-04 (Information Disclosure) – “Vulnerability in Solr could allow access to collections created by the Solr Service to be accessed from
• Solr APSB10-04 (Information Disclosure) Attacking ColdFusion
• Interacting with CFCs http://example.com/foo.cfc?method=mymethod&arga=val1&argb=val2 • This URL will invoke method mymethod on an anonymous
• Cookies • Normally that XSS pop up with the session cookie is pretty lame. • “Supposed” to have a limited lifespan. • BUT cfadmin cookie and cfutils
• Example Admin Cookie: CFAUTHORIZATION_cfadmin=YWRtaW4NRTM4QUQyMTQ5NDNEQUFEMUQ2NEMxMDJGQUVDMjlERTRBRkU5REEzRA1jZmFkbWlu • Base64Decodes to: – admin –
• To Recap… • Got the cfadmin cookie • No randomness at all in the cookie • SSL not enabled by default on admin interface • Cookie base64 decodes to t
• CFAUTHORIZATION_componentutils=cGFzc3dvcmQxDXBhc3N3b3JkMQ1jb21wb25lbnR1dGlscw== • Base64Decodes to: – password1 – password1 – componentutils • OMGW
• But real world? Attacking ColdFusion
Who Uses ColdFusion? http://www.bricecheddarn.com/blog/post.cfm/universities-love-using-coldfusion
• From 2009 to 2012… Attacking ColdFusion
• ColdFusion Privilege Level • Scheduling tasks • Executing code • Decrypting database credentials • CFM Shells Post Exploitation
• ColdFusion (by default) runs as SYSTEM on Windows and nobody on *nix • Obviously, CF on Windows is what you want • Sites that run other languages t
• Scheduling Tasks • Once you have access to admin interface you can schedule a task to download code/executables/ bat files/etc Post Exploitation
Post Exploitation
• Executing code • Once you have code/exe on box you can create a system probe (that we want to fail) to make the code execute • Or if you put cfm/jsp
http://www.getmura.com/index.cfm/overview/who-uses-mura/ Who Uses ColdFusion [MURA CMS]?
• Decrypting database credentials • http://hexale.blogspot.com/2008/07/how-to-decrypt-coldfusion-datasource.html Post Exploitation
• Go to DataSource Selection Post Exploitation
• Click on DataSource (ex TEST) Post Exploitation
• View Source, get value Post Exploitation
• Decrypt it $ python coldfusiondecrypt.py maJsuHYMay8zpmptC2yibA== Coldfusion v7 y v8 DataSource password decryptor (c) 2008 Hernan Ochoa (hernan@gm
• If you have file system access, just grab the XML files • Coldfusion 7: \lib\neo-query.xml for example: c:\CFusionMX7\lib\neo-query.xml • Coldfusi
• CFM Shells • ColdFusion has several handy CFML tags: – CFEXECUTE – CFREGISTRY – CFFILE – CFHTTP Simple CFM Shell: <html> <body> <cfe
• CFM Shells • It's common to disable CFEXECUTE* • CF also runs Java so: <cfset runtime = createObject("java", "java.lang.System"
• CFM Shells • Remember Enterprise vs Standard? – Enterprise runs jsp, so some jsp shells will work too (depends on the shell’s java version requireme