For CFM-type sites, upload vulnerabilities and SQL injection are the classic approaches.
Very good. But the more perverse CFM full-site packages make the upload directories non-executable.
For vulnerable CFM site code, you can refer to the vulnerable full-site packages I published earlier.

------------------                               
tombook
2008-07-15

-------------------------------------------------------------
From: baicker
Sent: 2008-07-15 10:15:22
To: ph4nt0m
Cc:
Subject: [Ph4nt0m] Re: [zz] Attacking ColdFusion.

Very few CFM ones. I did one in the past and even dug through the docs to write a webshell, but I've forgotten it all; I only remember that the webshell running as SYSTEM was quite nice.

2008/7/14 大风 <[EMAIL PROTECTED]>:

>
>
> *Abstract*
>
> ColdFusion is an application server and software development framework used
> for the development of web-based applications[1]. ColdFusion is a similar
> product to Microsoft ASP.NET, JavaServer Pages or PHP. Its syntax is
> tag-based and closely resembles an HTML- or XML-like structure, which is very
> easy to learn and can be quickly adopted by web designers to create
> database-driven applications without much knowledge of programming. Since
> ColdFusion isn't very well known by many, as an end result there are very
> few published hacks for it. This article goes deeper into ColdFusion and
> its limitations and vulnerabilities that attackers can exploit. I mainly
> focus on the inner workings of ColdFusion, SQL injection and information
> gathering. I can't really give an explanation why ColdFusion isn't very well
> researched by the security industry, but my hunch is that many believe that
> few websites use it. I worked with ColdFusion a few times back in 2002, and
> its user base has grown explosively since then. A Google query[2][3] shows
> that at least 500 million pages run ColdFusion on either standalone, IIS,
> Apache, or Solaris. Since ColdFusion has a huge user base by now, it is
> inevitable that it will become an interesting landscape for attack and
> caution.
>
> *CFM Extensions.*
>
> The ColdFusion extension mappings we can use to locate CFM servers or
> appliances are:
>
> .cfm, .cfml, .cfc, .cfswf, .cfr, .jsp, and .jws
>
>
> *Used ports.*
>
> By default, the web server runs on port 8500, and on old versions of CF it
> can run on 1433. However, if port 8500 is in use, ColdFusion will use another
> port, depending on what service uses port 8500, like ColdFusion MX,
> ColdFusion MX 6.1, or ColdFusion MX. It can be located between port 8500 and
> 8600. With this knowledge you can determine whether ColdFusion is the only
> service installed, or whether more ColdFusion services are installed. But this
> only works when ColdFusion itself is the default server; if IIS or Apache is
> running, the default port will be 8500. Administrators can change the port
> used by ColdFusion. To change the port number, they must edit
> jrun.xml, located in:
>
> Windows: cf_root\runtime\servers\coldfusion\SERVER-INF
>
> UNIX: cf_root/runtime/servers/coldfusion/SERVER-INF
>
>
> If JRun is present on a multi-server installation it will be located on
> port 8300. If in use, it will be using a port between 8300 and 8400, usually
> incrementing by one, so 8300 and 8301 are often fair guesses to determine
> a multi-server installation.
>
> *Administration.*
>
> What is curious about ColdFusion regarding administration access is that
> you only have to enter a password if you need to log in. This has been the
> case since ColdFusion came to be, and still remains their way of securing
> access. The submitted password gets encrypted before the form is submitted: a
> hex_hmac_sha1 is used to cipher a hidden salt field with the entered
> password. The hidden salt is a somewhat silly design, because it's actually
> a UNIX time stamp (1215849484281) with a number appended to the end. In
> old CF versions there is no password set and you can log in by leaving the
> password field empty. But in most cases the password is the password entered
> by the administrator upon installation (which should be forbidden by law,
> IMHO).
>
> The default location for the ColdFusion Administrator login page is:
>
> http://servername[:8500]/CFIDE/administrator/index.cfm
>
>
>
> In multi-server mode the location can be:
>
>
>
> http://servername[:8300]/CFIDE/administrator/index.cfm
>
>
> *ColdFusion Markup Language (CFML)*
>
> Request variable
>
> <cfset Request.field_name1 = "value">
>
> <cfoutput>#Request.field_name1#</cfoutput>
>
>
> Client variables to tamper with.
>
> Request.somename
>
> Form.somename
>
> HTTP_REFERER
>
> HTTP_USER_AGENT
>
> Cookies
>
>
> CF queries are using the so-called param tags that can receive user
> supplied data through a query string or a form.
>
> <cfquery
>
>     name = "query name"
>
>     dataSource = "data source name"
>
>     ...other attributes...
>
>     SQL STATEMENT column_name =
>
>     <cfqueryparam value = "parameter value"
>
>         CFSQLType = "parameter type"
>
>         list = "yes|no"
>
>         maxLength = "maximum parameter length"
>
>         null = "yes|no"
>
>         scale = "number of decimal places"
>
>         separator = "separator character">
>
>     AND/OR ...additional criteria of the WHERE clause...>
>
> </cfquery>
>
>
> The cfqueryparam is generally secure because it utilizes a prepared
> statement that is always bound as a string, which in turn is hardly
> exploitable. But many ColdFusion applications do not use cfqueryparam,
> mainly because developers do not know about it, and also because this
> feature only came into being with later versions of ColdFusion. Let's go
> into what many CF developers generally use instead, and how we can
> exploit it.
>
> *CF Database Query and CF SQL Injection.*
>
> The first thing we could try in order to successfully utilize SQL injection in
> ColdFusion is to inject into integer queries. This is important, because
> it allows us to inject a vector that doesn't need single quotes. However,
> even single-quote escaping in ColdFusion is flawed, as I explain later.
> When we inject a vector into an expected integer we can easily bypass
> security. For example:
>
> <cfquery>
>
> SELECT * FROM USERS WHERE user_id = #Request.user_id#
>
> </cfquery>
>
>
> When we inject the user_id param, the query becomes like this:
>
> <cfquery>
>
> SELECT * FROM USERS WHERE user_id = 1 UNION SELECT password AS USERNAME FROM USERS
>
> </cfquery>
>
>
> One big mistake in the ColdFusion architecture is that Adobe forgot how
> MySQL escapes characters. ColdFusion escapes all single quotes by default
> with another single quote. You can call this a 'magic quote' behavior
> similar to that found in PHP. This method of injecting ColdFusion on MySQL is
> based upon the fact that in MySQL we can use a backslash to escape a single
> quote. The problem with ColdFusion is that it adds another single quote, while
> MySQL sees the already-escaped single quote and thereby successfully
> executes our injected query. For example:
>
> <cfset str = " \' OR 1=1-- "/>
>
> <cfquery>SELECT * FROM USERS WHERE name = '#str#'</cfquery>
>
>
> *This becomes:*
>
> SELECT * FROM USERS WHERE name =  '\'' OR 1 = 1 --'
>
>
> Which is a valid CF SQL injection through MySQL.
>
> One of the most dangerous functions is the preserveSingleQuotes() function.
> When this function is used, single quotes are no longer escaped, leaving the
> application totally unprotected on every platform. For example:
>
> <cfset str = "INSERT INTO CMS (uid, txt, date_submitted) Values (#form.id#, '#form.txt#','#form.date_submitted#')">
>
> <cfquery>
>
> #PreserveSingleQuotes(str)#
>
> </cfquery>
>
>
> *Another example:*
>
> <cfset str= "SELECT * FROM USERS WHERE username = '#form.username#'"/>
>
> <cfquery>
>
> #preserveSingleQuotes(str)#
>
> </cfquery>
>
>
> Also it can be used in a database output:
>
> <cfquery sql = "SELECT * FROM USERS WHERE NAME IN (#preserveSingleQuotes(list_id)#)">
>
>
> If you want to protect your CF applications, here is a way to write a safe
> database query that makes use of the correct CFQUERYPARAM with the right
> data-type flags.
>
> Login Form:
>
> <cflogin>
>
>     <cfif NOT IsDefined("cflogin")>
>
>         <cfinclude template="loginform.cfm">
>
>         <cfabort>
>
>     <cfelse>
>
>         <cfif cflogin.name eq "admin">
>
>             <cfset roles = "user,admin">
>
>         <cfelse>
>
>             <cfset roles = "user">
>
>         </cfif>
>
>         <cfloginuser name = "#cflogin.name#" password = "#cflogin.password#"
>
>             roles = "#roles#"/>
>
>     </cfif>
>
> </cflogin>
>
>
> Process:
>
> <cfquery name="qSecurity"
>
>     datasource="UserRolesDb">
>
>     SELECT Roles FROM SecurityRoles
>
>     WHERE username=<cfqueryparam value="#cflogin.name#" CFSQLTYPE="CF_SQL_VARCHAR">
>
>     AND password=<cfqueryparam value="#cflogin.password#" CFSQLTYPE="CF_SQL_VARCHAR">
>
> </cfquery>
>
>
>
> <cfif qSecurity.recordcount gt 0>
>
> <cfloginuser name = "#cflogin.name#"
>
>     password = "#cflogin.password#"
>
>     roles = "#trim(qSecurity.Roles)#" >
>
> </cfif>
>
>
> *Information disclosure.*
>
> As we know, error messages are important, especially error messages
> generated by the database software we want to inject. This is useful for
> obtaining information about table structures, which can be a real time-saver
> for attackers. If the right information is available, attackers no longer have
> to guess database tables and fields, nor brute-force them.
> Here is a snapshot of an actual error message generated by ColdFusion. I
> have never seen so much information regarding the site's structure, the
> database used, table names, drivers, server setup and other information useful
> for attackers as in those of ColdFusion.
>
> It almost says: Please Hack Me!
>
> Error Executing Database Query.
> [Macromedia][SQLServer JDBC Driver][SQLServer]Line 8: Incorrect syntax near ''.
>
> The error occurred in D:\JRun4\servers\Cfusion_Medium\cfusion-ear\cfusion-war\CFdata\xxxx.cfm: line 11
>
> 9 :     LEFT JOIN VAKGEBIED ON ORGANISATIES.VAKGEBCD=VAKGEBIED.VAKGEBCD
> 10 :    LEFT JOIN LAND ON ORGANISATIES.O1LNDCD=LAND.LNDCD
> 11 : WHERE organisatie.orgid=#orgid#;
> 12 : </CFQUERY>
> 13 :
>
> SQL        SELECT * FROM ORGANISATIES RIGHT JOIN organisatie on ORGANISATIES.ORGID=organisatie.orgid LEFT JOIN SOORT_ORGANISATIE ON ORGANISATIES.SOORTORGCD=SOORT_ORGANISATIE.SOORTORGCD LEFT JOIN ACRONIEM ON ORGANISATIES.ACRCD=ACRONIEM.ACRCD LEFT JOIN VAKGEBIED ON ORGANISATIES.VAKGEBCD=VAKGEBIED.VAKGEBCD LEFT JOIN LAND ON ORGANISATIES.O1LNDCD=LAND.LNDCD WHERE organisatie.orgid=3'';
> DATASOURCE       datastorexxx
> VENDORERRORCODE          170
> SQLSTATE         HY000
> Resources:
>     * Check the ColdFusion documentation to verify that you are using the correct syntax.
>     * Search the Knowledge Base to find a solution to your problem.
>
> Browser        Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9) Gecko/2006052906 Firefox/1.0
> Remote Address         xxx.xxx.xxx.xxx
> Referrer
> Date/Time      07-jul-08 00:33 PM
> Stack Trace
> at xxxx.runPage(D:\JRun4\servers\Cfusion_Medium\cfusion-ear\cfusion-war\CFdata\xxxx.cfm:11)
> at xxxx.runPage(D:\JRun4\servers\Cfusion_Medium\cfusion-ear\cfusion-war\CFdata\xxxx.cfm:11)
>
> java.sql.SQLException: [Macromedia][SQLServer JDBC Driver][SQLServer]Line 8: Incorrect syntax near ''.
>         at macromedia.jdbc.base.BaseExceptions.createException(Unknown Source)
>         at macromedia.jdbc.base.BaseExceptions.getException(Unknown Source)
>         at macromedia.jdbc.sqlserver.tds.TDSRequest.processErrorToken(Unknown Source)
>         at macromedia.jdbc.sqlserver.tds.TDSRequest.processReplyToken(Unknown Source)
>         at macromedia.jdbc.sqlserver.tds.TDSRequest.processReply(Unknown Source)
>         at macromedia.jdbc.sqlserver.SQLServerImplStatement.getNextResultType(Unknown Source)
>         at macromedia.jdbc.base.BaseStatement.commonTransitionToState(Unknown Source)
>         at macromedia.jdbc.base.BaseStatement.postImplExecute(Unknown Source)
>         at macromedia.jdbc.base.BaseStatement.commonExecute(Unknown Source)
>         at macromedia.jdbc.base.BaseStatement.executeInternal(Unknown Source)
>         at macromedia.jdbc.base.BaseStatement.execute(Unknown Source)
>         at coldfusion.server.j2ee.sql.JRunStatement.execute(JRunStatement.java:212)
>         at coldfusion.sql.Executive.executeQuery(Executive.java:753)
>         at coldfusion.sql.Executive.executeQuery(Executive.java:675)
>         at coldfusion.sql.Executive.executeQuery(Executive.java:636)
>         at coldfusion.sql.SqlImpl.execute(SqlImpl.java:236)
>         at coldfusion.tagext.sql.QueryTag.doEndTag(QueryTag.java:500)
>         at xxxx.runPage(D:\JRun4\servers\Cfusion_Medium\cfusion-ear\cfusion-war\CFdata\xxxx.cfm:11)
>         at coldfusion.runtime.CfJspPage.invoke(CfJspPage.java:152)
>         at coldfusion.tagext.lang.IncludeTag.doStartTag(IncludeTag.java:349)
>         at coldfusion.filter.CfincludeFilter.invoke(CfincludeFilter.java:65)
>         at coldfusion.filter.ApplicationFilter.invoke(ApplicationFilter.java:225)
>         at coldfusion.filter.RequestMonitorFilter.invoke(RequestMonitorFilter.java:51)
>         at coldfusion.filter.PathFilter.invoke(PathFilter.java:86)
>         at coldfusion.filter.ExceptionFilter.invoke(ExceptionFilter.java:69)
>         at coldfusion.filter.BrowserDebugFilter.invoke(BrowserDebugFilter.java:52)
>         at coldfusion.filter.ClientScopePersistenceFilter.invoke(ClientScopePersistenceFilter.java:28)
>         at coldfusion.filter.BrowserFilter.invoke(BrowserFilter.java:38)
>         at coldfusion.filter.GlobalsFilter.invoke(GlobalsFilter.java:38)
>         at coldfusion.filter.DatasourceFilter.invoke(DatasourceFilter.java:22)
>         at coldfusion.filter.RequestThrottleFilter.invoke(RequestThrottleFilter.java:115)
>         at coldfusion.CfmServlet.service(CfmServlet.java:107)
>         at coldfusion.bootstrap.BootstrapServlet.service(BootstrapServlet.java:78)
>         at jrun.servlet.ServletInvoker.invoke(ServletInvoker.java:91)
>         at jrun.servlet.JRunInvokerChain.invokeNext(JRunInvokerChain.java:42)
>         at jrun.servlet.JRunRequestDispatcher.invoke(JRunRequestDispatcher.java:257)
>         at jrun.servlet.ServletEngineService.dispatch(ServletEngineService.java:541)
>         at jrun.servlet.jrpp.JRunProxyService.invokeRunnable(JRunProxyService.java:204)
>         at jrunx.scheduler.ThreadPool$ThreadThrottle.invokeRunnable(ThreadPool.java:426)
>         at jrunx.scheduler.WorkerThread.run(WorkerThread.java:66)
>
>
>
> Many files in ColdFusion are password protected, but sometimes you can get
> lucky and locate files you are not supposed to see:
>
> /CFIDE/componentutils/cfcexplorer.cfc?method=getcfcinhtml&name=cfcname&path=/path/to/cfc/cfcname.cfc
>
> /cfcname.cfc?wsdl
>
> /config.xml
>
>
>
> *Additional ColdFusion information.*
>
> Directory structure.
>
> \CF_ROOT\ or /CF_ROOT/
>
>
>
> wwwroot
>
>
>
> This is the default web root directory for the built-in web server.
>
> When running on other web servers, this directory contains only the WEB-INF
> directory.
>
> This can also be useful to fingerprint whether ColdFusion is its own default
> server instead of IIS or Apache.
>
>
>
> bin
>
> cache
>
> cfx
>
> charting
>
> CustomTags
>
> db
>
> gateway
>
> jintegra
>
> jnbridge
>
> lib
>
> logs
>
> Mail
>
> META-INF
>
> registry
>
> runtime
>
> runtime/jre
>
> uninstall
>
> verity
>
>
>
> Client variables.
>
>
>
> Client.CFID
>
> Client.CFToken
>
> Client.HitCount
>
> Client.LastVisit
>
> Client.TimeCreated
>
> Client.URLToken
>
>
>
> Server variables.
>
>
>
> Server.ColdFusion.ProductName
>
> Server.ColdFusion.ProductVersion
>
> Server.ColdFusion.ProductLevel
>
> Server.ColdFusion.SerialNumber
>
> Server.ColdFusion.SupportedLocales
>
> Server.ColdFusion.AppServer
>
> Server.ColdFusion.Expiration
>
> Server.ColdFusion.RootDir
>
> Server.OS.Name
>
> Server.OS.AdditionalInformation
>
> Server.OS.Version
>
> Server.OS.BuildNumber
>
>
>
> Loops.
>
>
>
> <cfloop index = "LoopCount" from = "1" to = "5">
>
>     The loop index is <cfoutput>#LoopCount#</cfoutput>.<br>
>
> </cfloop>
>
>
>
> <cfloop file="c:\temp\file.txt" index="line">
>
>     <cfoutput>#line#</cfoutput><br>
>
> </cfloop>
>
>
>
> Arrays.
>
>
>
> <cfset x = ["mars","earth", "venus", "jupiter"]>
>
> <cfloop array=#x# index="name">
>
>     <cfoutput>#name#</cfoutput>
>
> </cfloop>
>
>
> *Conclusion.*
>
> ColdFusion is a very interesting platform for attackers. Since ColdFusion
> can run on many platforms, it's easy to imagine the weaknesses that come with
> the platform it runs on. IIS can be very dangerous in the case of SQL
> injection because of the so-called query stacking, where it is also possible
> to launch CMD shells, or create other havoc. Again, the problems of SQL
> injection are not solved by programmers, which is still the fundamental
> problem.
>
> [1] http://www.adobe.com/products/coldfusion/
> [2] http://www.google.com/search?q=filetype:cfm
> [3] http://www.google.com/search?q=inurl:cfm?
>
>
>
> [Ph4nt0m] <http://www.ph4nt0m.org/>
> [Ph4nt0m Security Team]
> [EMAIL PROTECTED] <http://blog.ph4nt0m.org/>
> Email: [EMAIL PROTECTED]
>


-- 
BLOG: http://www.blogjava.net/baicker
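
The single-quote escaping mismatch the quoted article describes (ColdFusion doubling quotes while MySQL also honours backslash escapes), as an added example that is not part of the thread or of ColdFusion itself: a small tokenizer that reads the final SQL with MySQL's quoting rules and reports whether an interpolated value broke out of its string literal. It assumes MySQL's default backslash-escape mode; `QUOTED_TEMPLATE` is the article's `name = '#str#'` query and all test values are constructed.

```python
# Added example (not from the thread): simulate the escaping mismatch the
# article describes. ColdFusion doubles single quotes, while MySQL (with
# backslash escapes on) also treats \' as an escaped quote, so a value such as
# " \' OR 1=1-- " closes the literal early. The tokenizer reads the final SQL
# the way MySQL does and reports whether user text ended up outside a literal.
# QUOTED_TEMPLATE is the article's query; all test values are constructed.

QUOTED_TEMPLATE = "SELECT * FROM USERS WHERE name = '#str#'"

def cf_default_escape(value):
    """What ColdFusion does to a variable interpolated into a quoted literal."""
    return value.replace("'", "''")

def backslash_aware_escape(value):
    """Also neutralises the backslash; shows why doubling alone fails.
    A bound parameter (cfqueryparam) remains the correct fix."""
    return value.replace("\\", "\\\\").replace("'", "''")

def mysql_split_literals(sql):
    """Split SQL into ("code", text) / ("string", text) spans using MySQL's
    rules: inside '...', a backslash escapes the next character and '' is a
    literal quote. An unterminated literal is returned as a final string."""
    tokens, buf, in_str, i = [], [], False, 0
    while i < len(sql):
        ch, step = sql[i], 1
        if not in_str and ch == "'":                        # literal opens
            tokens.append(("code", "".join(buf)))
            buf, in_str = [], True
        elif in_str and ch == "\\" and i + 1 < len(sql):    # \x escape
            buf.append(sql[i + 1])
            step = 2
        elif in_str and ch == "'" and sql[i + 1:i + 2] == "'":  # '' -> '
            buf.append("'")
            step = 2
        elif in_str and ch == "'":                          # literal closes
            tokens.append(("string", "".join(buf)))
            buf, in_str = [], False
        else:
            buf.append(ch)
        i += step
    tokens.append(("string" if in_str else "code", "".join(buf)))
    return tokens

def code_outside_literals(template, value, escape):
    """The SQL text MySQL treats as code once `value` is interpolated."""
    sql = template.replace("#str#", escape(value))
    return "".join(t for kind, t in mysql_split_literals(sql) if kind == "code")

def value_escapes_literal(template, value, escape):
    """True when the escaped value alters the code part of the query, i.e. it
    broke out of the string literal the developer intended it to stay in."""
    return (code_outside_literals(template, value, escape)
            != code_outside_literals(template, "", escape))
```

A plain `x' OR 1=1--` is caught by quote doubling, but the backslash variant is not, which is the gap the article exploits; only the backslash-aware escape, or better a bound parameter, keeps the code part of the query unchanged.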



--~--~---------~--~----~------------~-------~--~----~
 To post to this group, send email to [email protected]
 To unsubscribe from this group, send email to [EMAIL PROTECTED]
-~----------~----~----~----~------~----~------~--~---
