ColdFusion Exploit. How to turn down big sites.

Hello guyz.A fine weekend is here. So I am gonna share my weekend special experiment with you. Today we are going to exploit coldfusion.  A lot many government and military websites that use this software, but only about 15% are vulnerable.

What is Adobe ColdFusion?

ColdFusion is a commercial rapid web application development platform invented by Jeremy and JJ Allaire in 1995. (The programming language used with that platform is also commonly called ColdFusion, though is more accurately known as CFML.) ColdFusion was originally designed to make it easier to connect simple HTML pages to a database. By Version 2 (1996), it had become a full platform that included an IDE in addition to a “full” scripting language. As of 2010, versions of ColdFusion (purchased by Adobe Systems in 2005) include advanced features for enterprise integration and development of rich Internet applications.

Requirements:

  • A vpn connection. TOR not recommended
  • Tamper Data – Firefox (Tor) Plugin

This is extremely easy by the use of the “ext” google dork:
Code:
ext:cfm

Testing to see it’s vulnerable:
The way we test to see if the site’s vulnerable, is by first going to the admin panel. So, for example, if we have the following URL:
Code:
http://site/random/directories/shit/lol/document.cfm

We would then go to:
Code: Login to read more

 

 

Leave a Reply

Your email address will not be published. Required fields are marked *