1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
|
##
# This file is part of WhatWeb and may be subject to
# redistribution and commercial restrictions. Please see the WhatWeb
# web site for more information on licensing and terms of use.
# http://www.morningstarsecurity.com/research/whatweb
##
# Version 0.3 # 2012-02-05 #
# Added header match. Updated matches. Updated version detection.
##
# Version 0.2 # 2011-04-25 #
# Added cookie matches
##
Plugin.define "ColdFusion" do
author "Brendan Coles <bcoles@gmail.com>" # 2010-08-15
version "0.3"
description "Adobe ColdFusion application server and software enables developers to rapidly build, deploy, and maintain robust Internet applications for the enterprise."
website "http://www.adobe.com/products/coldfusion/"
# ShodanHQ results as at 2012-02-05 #
# 6,536 for page-completion-status
# 529 for page-completion-status Abnormal
# Google results as at 2011-04-25 #
# 30 for intitle:"ColdFusion Administrator Login"
# 72 for intitle:"Login / Admin Area" ext:cfm
# Dorks #
dorks [
'intitle:"ColdFusion Administrator Login"'
]
# Matches #
matches [
# Admin Page # Title
{ :text=>' <title>ColdFusion Administrator Login</title>' },
# Admin Page # Meta Author
{ :regexp=>/<meta name="Author" content="Copyright (\(c\)\ )?[0-9]{4}-[0-9]{4} Macromedia( Corp|, Inc)\. All rights reserved\.">/ },
# Admin Page # JavaScript
{ :text=>" { document.write(\"<link rel='STYLESHEET' type='text/css' href='./cfadmin_ns.css'>\");}" },
# Admin Page # Form
{ :text=>'<form name="loginform" action="./enter.cfm" method="POST" onSubmit="cfadminPassword.value = hex_hmac_sha1(salt.value, hex_sha1(cfadminPassword.value));" >' },
# Admin Page # input name="cfadminPassword"
{ :text=>'<input name="cfadminPassword" type="Password" size="15" style="width:15em;" class="label" maxlength="100" id="admin_login">' },
# Admin Page # Copyright text
{ :text=>' Macromedia, the Macromedia logo, Macromedia ColdFusion and ColdFusion are<br />' },
# Admin Page # Logo HTML
{ :text=>' <tr><td><img src="./images/mx_copyrframe.gif" width="2" height="57" border="0" alt="ColdFusion MX" hspace="10"></td>' },
# /CFIDE/administrator/images/loginbackground.jpg # Version 9.x
{ :url=>'/CFIDE/administrator/images/loginbackground.jpg', :md5=>"596b3fc4f1a0b818979db1cf94a82220", :version=>"9.x" },
# /CFIDE/administrator/images/AdminColdFusionLogo.gif # Version 7.x
{ :url=>"/CFIDE/administrator/images/AdminColdFusionLogo.gif", :md5=>"620b2523e4680bf031ee4b1538733349", :version=>"7.x" },
# page-completion-status Header
{ :search=>"headers[page-completion-status]", :certainty=>75, :regexp=>/(Abnormal|Normal)/ },
# Set-Cookie # /CFAUTHORIZATION_cfadmin=/
{ :search=>"headers[set-cookie]", :regexp=>/CFAUTHORIZATION_cfadmin=/ },
]
# Passive #
def passive
m=[]
# CFID and CFTOKEN cookie
if @headers["set-cookie"]=~ /CFID=/ and @headers["set-cookie"]=~ /CFTOKEN=/
m << { :name=>"CFID and CFTOKEN cookie" }
end
# Version detection using admin panel text
if @body =~ /Enter your RDS or Admin password below/
if @body =~ /Version:[\s]*([^<]+)<\/strong><br \/>/
m << { :version=>"#{$1}".gsub(/,/, ".") }
end
end
# Return passive matches
m
end
end
|
