Penetration Testing mailing list archives
Re: brute force ColdFusion MX7 admin page
From: Anonymous <anon_email4me () yahoo com>
Date: Tue, 15 Jan 2008 14:14:15 -0800 (PST)
I thought I'd send out a follow-up on my inquiry. It seems that there aren't enough of these. See the details below the summary. 1) If your scan reveals /cfide/administrator/index.cfm as being available look for the availability of /cfide/componentutils/login.cfm 2) Brute force it using whatever tool you'd like. When you get guess the correct password the server will respond with the HTTP status of 302 (content moved). 3) Try guessed password at /cfide/administrator/index.cfm That's it. I found one document that really seemed to help me get beyond the salting issue. Other comments to me and the list also helped. http://www.eusecwest.com/esw06/esw06-davis.pdf This document lists another ColdFusion page (/cfide/componentutils/login.cfm). This other page doesn't have a salting function. Although it apparently doesn't actually allow for logging into the admin console it will tell you if you have guessed the correct password by returning the HTTP status code of 302. I used WebScarab's fuzzing tool and a regular expression to attempt to brute force the password. WebScarab kept stopping for some reason and never even came close to completing. I also tried Hydra's HTTP post function with a dictionary file but it returned some false positives and no successes. In the end I did not have enough time to guess the admin password. It looks like this is a pretty serious issue as the research I did shows that these login attempts are not logged (without a CF server I can't confirm). The PDF referenced above shows how you can use the admin console to execute a slow but accurate port scan of the host environment plus a lot of other fun stuff. For some reason Nessus doesn't check for /cfide/componentutils/login.cfm but does check for /cfide/administrator/index.cfm. Keep this in mind if you run across the same situation in any of your engagements. Shoot any questions my way if you'd like. And thanks again for everyone's input. -Leo --- Anonymous <anon_email4me () yahoo com> wrote:
I would send this from my work account but every time I respond to a question I get a bunch of spam. So... on to the real situation. A customer's ColdFusion MX7 admin page is reachable from the Internet. As part of the external pen test I'd like to attempt to brute force this page. It would seem to be easier than normal because there is only a password - no username is needed. However, there is a small problem that I'm not sure how to tackle quickly. I don't have much time left. The form action is this: <form name="loginform" action="/cfide/administrator/enter.cfm" method="POST" onSubmit="cfadminPassword.value = hex_hmac_sha1(salt.value, hex_sha1(cfadminPassword.value));" > There is a hidden field in the form with the salt value: <input name="salt" type="hidden" value="1198120613281"> I imagine the salt is predictable but I also imagine that it wouldn't help much to predict it. Maybe I'm wrong. The page has a meta refresh of 50. The password field is: <input name="cfadminPassword" type="Password" size="15" maxlength="100" id="admin_login"> Because of the encoding of the entered password with the salt it doesn't look like I can use Hydra. Am I stuck writing my own script using wget (or something) and a function to hash the password and salt. If so, does anyone know about these functions: hex_hmac_sha1 and hex_sha1? Hopefully this is the type of thing that will bring the old PT List back.... maybe... Thanks for any input!
____________________________________________________________________________________
Be a better friend, newshound, and know-it-all with Yahoo! Mobile. Try it now.
http://mobile.yahoo.com/;_ylt=Ahu06i62sR8HDtDypao8Wcj9tAcJ
____________________________________________________________________________________ Never miss a thing. Make Yahoo your home page. http://www.yahoo.com/r/hs ------------------------------------------------------------------------ This list is sponsored by: Cenzic Need to secure your web apps NOW? Cenzic finds more, "real" vulnerabilities fast. Click to try it, buy it or download a solution FREE today! http://www.cenzic.com/downloads ------------------------------------------------------------------------
Current thread:
- Re: brute force ColdFusion MX7 admin page Anonymous (Jan 15)
- <Possible follow-ups>
- Re: brute force ColdFusion MX7 admin page me (Jan 29)