Adobe Fusion
ColdFusion Markup Language (CFML) is the proprietary programming language used in ColdFusion to develop dynamic web applications. It has a syntax similar to HTML, making it easy to learn for web developers. CFML includes tags and functions for database integration, web services, email management, and other common web development tasks. Its tag-based approach simplifies application development by reducing the amount of code needed to accomplish complex tasks. For instance, the cfquery tag can execute SQL statements to retrieve data from a database:
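Code: html
<!--- Run a SQL statement against the configured datasource; the result set is exposed as myQuery --->
<cfquery name="myQuery" datasource="myDataSource">
SELECT *
FROM myTable
</cfquery>

Developers can then use the cfloop tag to iterate through the records retrieved from the database: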
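<!--- Loop over each row; cfoutput is required for the #...# expressions to be evaluated --->
<cfloop query="myQuery">
<cfoutput><p>#myQuery.firstName# #myQuery.lastName#</p></cfoutput>
</cfloop>

ColdFusion exposes a fair few ports by default: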
| Port | Protocol | Description |
|------|----------|-------------|
| 80 | HTTP | Used for non-secure HTTP communication between the web server and web browser. |
| 443 | HTTPS | Used for secure HTTP communication between the web server and web browser. Encrypts the communication between the web server and web browser. |
| 1935 | RPC | Used for client-server communication. Remote Procedure Call (RPC) protocol allows a program to request information from another program on a different network device. |
| 25 | SMTP | Simple Mail Transfer Protocol (SMTP) is used for sending email messages. |
| 8500 | SSL | Used for server communication via Secure Socket Layer (SSL). |
| 5500 | Server Monitor | Used for remote administration of the ColdFusion server. |
Enumeration
During the enumeration phase of a penetration test, there are several ways to identify whether a web application uses ColdFusion:
| Method | Description |
|--------|-------------|
| Port Scanning | ColdFusion typically uses port 80 for HTTP and port 443 for HTTPS by default. So, scanning for these ports may indicate the presence of a ColdFusion server. Nmap might be able to identify ColdFusion during a services scan specifically. |
| File Extensions | ColdFusion pages typically use ".cfm" or ".cfc" file extensions. If you find pages with these file extensions, it could be an indicator that the application is using ColdFusion. |
| HTTP Headers | Check the HTTP response headers of the web application. ColdFusion typically sets specific headers, such as "Server: ColdFusion" or "X-Powered-By: ColdFusion", that can help identify the technology being used. |
| Error Messages | If the application uses ColdFusion and there are errors, the error messages may contain references to ColdFusion-specific tags or functions. |
| Default Files | ColdFusion creates several default files during installation, such as "admin.cfm" or "CFIDE/administrator/index.cfm". Finding these files on the web server may indicate that the web application runs on ColdFusion. |
Attacking Adobe Fusion
Look for known CVEs
Directory Traversal
Take the following ColdFusion code snippet:
The directory parameter is not validated correctly, which makes the application vulnerable to a Path Traversal attack. An attacker can exploit this vulnerability by manipulating the directory parameter to access files outside the uploads directory.
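A defensive counterpart to the issue described above, as an added example that is not from the original page: a Python check that resolves a `directory` value against the uploads base, and a scan of web access logs for `.cfm`/`.cfc` requests whose `directory` parameter resolves outside it. The `/uploads` base, the `listFiles.cfm` page name and the access-log format are assumptions, and the log lines are constructed.

```python
import posixpath
import re
from urllib.parse import parse_qsl, unquote, urlsplit

UPLOADS = "/uploads"  # assumed base directory the listing should stay inside
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def escapes_uploads(value, base=UPLOADS):
    """Return True if `value`, joined to `base`, resolves outside `base`."""
    for _ in range(3):                  # peel nested percent-encoding (%252e -> %2e -> .)
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    value = value.replace("\\", "/")    # treat Windows separators like "/"
    if "\x00" in value or re.match(r"[A-Za-z]:", value):
        return True                     # null byte or drive-letter path
    resolved = posixpath.normpath(posixpath.join(base, value))
    return not (resolved == base or resolved.startswith(base + "/"))

def suspicious_requests(log_lines):
    """Return (client, path, value) for .cfm/.cfc requests whose directory= escapes."""
    hits = []
    for line in log_lines:
        match = REQUEST.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        if not url.path.lower().endswith((".cfm", ".cfc")):
            continue
        for key, value in parse_qsl(url.query, keep_blank_values=True):
            # ColdFusion's URL scope is case-insensitive, so match the key that way too
            if key.lower() == "directory" and escapes_uploads(value):
                hits.append((line.split()[0], url.path, value))
    return hits

# Constructed sample lines (documentation IP range, hypothetical listFiles.cfm page)
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2024:10:00:00 +0000] "GET /listFiles.cfm?directory=reports HTTP/1.1" 200 512',
    '198.51.100.8 - - [01/Jan/2024:10:00:05 +0000] "GET /listFiles.cfm?directory=../../../etc HTTP/1.1" 200 2048',
    '198.51.100.9 - - [01/Jan/2024:10:00:09 +0000] "GET /listFiles.cfm?Directory=%252e%252e%252f%252e%252e%252fconfig HTTP/1.1" 200 1024',
    '198.51.100.10 - - [01/Jan/2024:10:00:12 +0000] "GET /listFiles.cfm?directory=2024/../archive HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit)
```

The same resolve-then-compare check is what the server-side code should apply before using the parameter; a value such as `2024/../archive` stays inside the base and is not flagged, which a plain substring match on `..` would get wrong.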
CVE-2010-2861 - Adobe ColdFusion 9.0.1 and earlier
RCE - ColdFusion versions 8.0.1 and earlier