VirusXDz

Exploiting ColdFusion(8)

May 25th, 2016
Exploiting ColdFusion(8) Servers: LFD and [Shell Upload]


Access the administrative page.

The login page looks like this:

     CFIDE/administrator/index.cfm


1- Exploit via the Python script {cfide-autopwn}

The password hash (SHA1).

Cracking the password hash.

Get account {RDS}

Connect to {RDS} via Adobe Dreamweaver.

Type of shell (cfm)

Upload your shell.

==========================================================
There is another way if the hash is not cracked!

Exploit: bypassing ColdFusion authentication

The password hash (SHA1).

You can try to decrypt it, but nothing ..

We can use a browser plugin like Tamper Data to change the field value to the hashed one.

The hash salt changes every 30 seconds (the webpage reloads with a different salt), so we must act fast.

First paste the hashed password into the password field and then run this simple JavaScript:

javascript:alert(hex_hmac_sha1(document.loginform.salt.value, document.loginform.cfadminPassword.value))

Now, copy the hash and DON'T RELOAD THE WEBPAGE. Just start Tamper Data and change the cfadminPassword value to the one you got from the JavaScript.

Fine, we're in :)

Done :)

Thanks For Watching VirusX-Dz

Salam !

Algerian H(a)ttacker ;)
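
A defender-side check for the exposure this walkthrough depends on, a reachable CFIDE/administrator/index.cfm login page. The script is an added example, not part of the original paste; it lists clients outside an allowlist that requested or posted to the administrator path. The combined-style access-log format, the allowlisted network and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Assumption: management hosts allowed to reach the administrator (constructed).
ADMIN_ALLOWLIST = [ipaddress.ip_network("10.0.5.0/24")]
# Matched case-insensitively because the path is often served regardless of case.
ADMIN_PATH = re.compile(r"^/cfide/administrator/", re.IGNORECASE)
# Assumption: Apache/NGINX "combined"-style access log lines.
LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                  r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

# Constructed sample log lines (documentation address ranges), not real traffic.
SAMPLE_LOG = """\
10.0.5.12 - - [25/May/2016:09:00:01 +0000] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 5120
203.0.113.7 - - [25/May/2016:09:02:10 +0000] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 5120
203.0.113.7 - - [25/May/2016:09:02:31 +0000] "POST /cfide/Administrator/index.cfm HTTP/1.1" 302 0
198.51.100.4 - - [25/May/2016:09:03:00 +0000] "GET /index.cfm HTTP/1.1" 200 900
not a log line
"""

def is_allowed(ip_text):
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # hostname or garbage in the client field: treat as untrusted
    return any(ip in net for net in ADMIN_ALLOWLIST)

def audit_admin_access(log_text):
    """Return {client_ip: {"requests": n, "login_posts": n}} for administrator
    requests made by clients outside ADMIN_ALLOWLIST."""
    findings = defaultdict(lambda: {"requests": 0, "login_posts": 0})
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip lines that do not parse
        path = m["path"].split("?", 1)[0]
        if not ADMIN_PATH.match(path) or is_allowed(m["ip"]):
            continue
        entry = findings[m["ip"]]
        entry["requests"] += 1
        if m["method"] == "POST" and path.lower().endswith("/index.cfm"):
            entry["login_posts"] += 1
    return dict(findings)

if __name__ == "__main__":
    for ip, counts in audit_admin_access(SAMPLE_LOG).items():
        print(ip, counts)
```

Any non-empty result means the administrator is reachable from outside the management network; restricting that path at the web server or firewall removes the precondition for every step in the paste.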