ColdFusion exploitation skills

After disappearing for a while, I began to write a blog from today, not just to record these subtle methods, so as not to forget them.

ColdFusion is a dynamic Web server. Its CFML (ColdFusion Markup Language) is a programming language, similar to the current JavaServer.
Jstl (JSP standard tag Lib) in page, which was developed since 1995, has been regarded as an advanced design concept and used for reference by some languages.

I need to see a ColdFusion server at work. I never did. I thought that the configuration file like PHP was directly written in the script file. I rummaged the whole site and did not find the database connection file, fruitless. Looking for information to find out how disgusting This web server is.

My experiences are as follows:

1. Verify the password on the Administrator page
Is placed in X: \ coldfusion8 \ Lib \ Password. Properties
If sha1 is used for encryption, it can be thrown to dig 5 and broken directly.
If the password cannot be broken, go to index. cfm In the Administrator directory and write the code to hijack the password.
Because the logon page is directly transmitted to the background using Hash (password ).
Therefore, code hijacking can only be performed during logon.
 
 
2. Verify the bypass administrator page
Find x: \ coldfusion8 \ Lib \ neo-security.xml
Set Admin. Security. enabled to false.
Then restart the service.
Net stop "ColdFusion 8 Application Server" (not mentioned in the paper of the service name Mickey)
Net start "ColdFusion 8 Application Server"
Login to the Administrator page does not require password verification.
(I personally feel that bypass is not necessary.
First, you must restart the service either by fully controlling the server or by initiating a request under webshell. You have the permission to restart the service.
Now that you have the permission to restart the service, you can directly access sensitive files without having to log on to the background.
For example, if you have the permission to access the neo-security.xml, you can actually access the neo-datasource.xml.
The connection information of all databases can be captured directly. Of course, the layout should be neat in the background)
 
 
 
3. database connection information (including the database password but encrypted)
Is placed in X: \ coldfusion8 \ Lib \ neo-datasource.xml
Database Password is first used 3DES E-D-E mode Encryption
The encrypted keys are all 0yj! @ 1 $ r8p0l @ R1 $ 6yj! @ 1rj
(I thought the keys on each server were different. Later I verified that all keys were the same)
Encode the encrypted result with base64
The result is similar to + 6 gmkhmdjiy =.
You can use the bash command to decrypt the data.
The bash command is as follows:
 
Echo string to be decrypted | OpenSSL des-ede3-a-d-K 30794a21403124723870304c4072312436794a214031726a-IV 30794a2140312472; echo

In fact, there is also a simpler method for password cracking. Many CFM big horses integrate this function, and I accidentally turn to the footprints of my predecessors on the server, so I quickly put it into my own weapons library. It is inconvenient to upload. You need to leave a mailbox.