Script http-coldfusion-subzero

Script types: portrule
Categories: exploit
Download: https://svn.nmap.org/nmap/scripts/http-coldfusion-subzero.nse

Script Summary

Attempts to retrieve version, absolute path of administration panel and the file 'password.properties' from vulnerable installations of ColdFusion 9 and 10.

This was based on the exploit 'ColdSub-Zero.pyFusion v2'.

See also:

• http-adobe-coldfusion-apsa1301.nse
• http-vuln-cve2009-3960.nse
• http-vuln-cve2010-2861.nse

Script Arguments

http-coldfusion-subzero.basepath

Base path. Default: /.

slaxml.debug

See the documentation for the slaxml library.

smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername

See the documentation for the smbauth library.

http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent

See the documentation for the http library.

Example Usage

• nmap -sV --script http-coldfusion-subzero <target>

• nmap -p80 --script http-coldfusion-subzero --script-args basepath=/cf/ <target>
  

Script Output

PORT   STATE SERVICE REASON
80/tcp open  http    syn-ack
| http-coldfusion-subzero:
|   absolute_path: C:\inetpub\wwwroot\CFIDE\adminapi\customtags
|   version: 9
|   password_properties: #Fri Mar 02 17:03:01 CST 2012
| rdspassword=
| password=AA251FD567358F16B7DE3F3B22DE8193A7517CD0
|_encrypted=true

Requires

• http
• shortport
• stdnse
• string
• url
• openssl

---

Author:

• Paulino Calderon <calderon@websec.mx>

License: Same as Nmap--See https://nmap.org/book/man-legal.html