Author Topic: ColdFusion (cmf) exploiting ?  (Read 2753 times)

neusbeer
ColdFusion (cmf) exploiting ?
« on: February 10, 2012, 01:51:29 pm »
ey,

got a site which runs on ColdFusion.
Acunetix gave me some basic vulns.
but this one is new for me..
does anyone have some info about ColdFusion and the possibilities*?

*for exploiting of course ;-)


I have gathered:
a sql error: http://www.menninks.nl:80/index.cfm?itm_id=1e309
is injection possible?


weak password: http://www.menninks.nl:80/index.cfm?fuseaction=cms.auth
pwd=cisco&usr=Administrator

But gives me an error page (with neat info but what to do with it?)
and login doesn't work.


also Bonjour service is running. not sure what this is, and if this is exploitable.

ow last thing.. mysql 5.1.49-1ubuntu8.1 running.
I read this week that there's a 0day exploit for this made by Canvas in their private exploit packs (which is expensive). Is there a script/exploit for free somewhere?
--Neusbeer

Kulverstukas
Re: ColdFusion (cmf) exploiting ?
« Reply #1 on: February 10, 2012, 03:50:52 pm »
Acunetix is probably the worst thing to use when looking for ways to get into the website - it leaves massive logs on the server.

neusbeer
Re: ColdFusion (cmf) exploiting ?
« Reply #2 on: February 10, 2012, 03:57:36 pm »
Quote from: Kulverstukas
"Acunetix is probably the worst thing to use when looking for ways to get into the website - it leaves massive logs on the server."

yes I know.. most of the time you get an ip ban within minutes.
For that reason it's configured with Tor, so every request is sent through port 8118.
I use acunetix only for one purpose and that's enumerating/spidering a site (or router).
I find it's the best one for the job. finds a lot.
It leaves a big big log file with numerous crappy requests.
but in this case, bad server with a crappy host. so it won't give me any problems.

(Retina eEye I use more often to discover problems, but it lacks the checks of sql/xss etc.. and I'm just starting to get around with Openvas, which is actually pretty good, next to Nessus).
Nexpose I can't run (2 gig free mem needed.. grinn.)

a while ago I was banned from my own site. was checking. so had to wait for ISP to unban me. glad it's a friend. so it didn't take long.
« Last Edit: February 10, 2012, 03:58:38 pm by neusbeer »
--Neusbeer

ande
Re: ColdFusion (cmf) exploiting ?
« Reply #3 on: February 10, 2012, 04:36:33 pm »
Shame on you for using Acunetix. Tho I'll answer your question. No, there is no injection possible, but since the page is giving you about every single configuration and path and whatnot you might find something interesting.

This is an over/underflow problem. MySQL can't handle such big numbers. Try entering -99999(about another 100 9's here) and 99999(about another 100 9's here) and you get the same. Reason for the error with 1e309 is because that's considered 1 and 309 0's :) Often also written as (3.33333333333E+031).
« Last Edit: February 10, 2012, 04:39:02 pm by ande »
if($statement) { unless(!$statement) { // Very sure } }
https://evilzone.org/?hack=true
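
Added example, not part of the thread: a defensive sketch of the behaviour described in the post above, showing how a permissive numeric check lets `1e309` and very long digit strings overflow, and how a strict allow-list parse with a generic error response keeps them away from the database. The function names, the 32-bit `INT` column type and the handler are assumptions; only the `itm_id` parameter name comes from the thread.

```python
import re

# Assumption: the column behind itm_id is a signed 32-bit INT.
INT_MAX = 2**31 - 1
# Plain ASCII decimal digits only, at most 10 of them (no sign, exponent or Unicode digits).
_DIGITS = re.compile(r"[0-9]{1,10}")

def loose_parse(raw):
    """What a permissive numeric check amounts to: anything float() accepts passes."""
    return float(raw)

def parse_item_id(raw):
    """Strict allow-list parse; raises ValueError for anything but a small positive integer."""
    if not isinstance(raw, str) or not _DIGITS.fullmatch(raw):
        raise ValueError("itm_id must be 1-10 decimal digits")
    value = int(raw)
    if not 1 <= value <= INT_MAX:
        raise ValueError("itm_id out of range")
    return value

def handle_request(raw):
    """Hypothetical handler: returns (status, body) and never echoes backend error detail."""
    try:
        item_id = parse_item_id(raw)
    except ValueError:
        return 400, "Bad request"
    # The validated integer would be bound as a typed query parameter here.
    return 200, f"item {item_id}"

# Constructed sample inputs, including the value shapes discussed in the thread.
SAMPLES = ["42", "1e309", "9" * 105, "-" + "9" * 105, "2147483648", "١٢٣"]

def run_samples():
    """Return (truncated input, HTTP status) for each constructed sample."""
    return [(s[:12], handle_request(s)[0]) for s in SAMPLES]

if __name__ == "__main__":
    # Both values exceed the double range and become inf under a loose parse.
    print(loose_parse("1e309"), loose_parse("9" * 400))
    for shown, status in run_samples():
        print(shown, status)
```

The verbose error page mentioned in the thread is the second half of the problem: with validation in front and a generic 400 response, the out-of-range value produces neither a database error nor a configuration dump.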

neusbeer
Re: ColdFusion (cmf) exploiting ?
« Reply #4 on: February 10, 2012, 08:01:57 pm »
that explains it. thnxs.


I'll be sitting in the naughty corner now for using acunetix ;-)
ahh well, for spidering it's a good program. :P


ow and got the password already, he uses same password for this
as his site-registration on a site which I got the database (which I posted earlier for find/replace script question)
--Neusbeer

Kulverstukas
Re: ColdFusion (cmf) exploiting ?
« Reply #5 on: February 10, 2012, 09:04:16 pm »
For crawling try using DRKSpider. I didn't use it much, but it seemed very good and fast... it can probably do the same as what acunetix does.

neusbeer
Re: ColdFusion (cmf) exploiting ?
« Reply #6 on: February 11, 2012, 12:27:08 am »
Quote from: Kulverstukas
"For crawling try using DRKSpider. I didn't use it much, but it seemed very good and fast... it can probably do the same as what acunetix does."

downloading.. will check it later on..
but this only spider.. won't check for vulns.. ?
--Neusbeer

Kulverstukas
Re: ColdFusion (cmf) exploiting ?
« Reply #7 on: February 11, 2012, 09:23:11 am »
No, it only crawls the web... helped a lot when I had to get all the lietuvaite.com links :D

neusbeer
Re: ColdFusion (cmf) exploiting ?
« Reply #8 on: February 11, 2012, 12:42:59 pm »
Quote from: Kulverstukas
"No, it only crawls the web... helped a lot when I had to get all the lietuvaite.com links :D"

hmm.. I can see that it can be handy indeed..
last I had a dating site which had for every member a html page and a dir.
so my scripts went nuts.. :D

--Neusbeer