ColdFusion

attacking_common_applications

Adobe ColdFusion is a proprietary web application development platform built on Java that uses the proprietary ColdFusion Markup Language (CFML) for its pages.

It easily integrates with various database management systems such as MySQL, Oracle, and Microsoft SQL Server.

It was designed to enable quick and efficient development of web applications (RAD, Rapid Application Development).

Ports 🐲:

  • 80/443 (HTTP/HTTPS) on IIS
  • 8500/8501 (HTTP/HTTPS) on Apache?
  • 1935 (TCP/RPC?)
  • 5500 (TCP/RPC?)

Extensions are .cfm and .cfc. Example: index.cfm.


ColdFusion Pentester Notes ☠️

attacking_common_applications

Enumeration

  • You can identify ColdFusion from the HTTP headers, the error messages, the file extensions, or whether /CFIDE/administrator/index.cfm exists.
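As an added example (not from the HTB module or these notes), a small offline check that applies those indicators to constructed sample responses, which is handy for inventorying ColdFusion hosts in your own estate; the CFID/CFTOKEN cookie check is an extra marker I assume, not one listed above.

```python
import re

# Constructed sample responses (not captured from any real host): name -> (url, raw HTTP).
SAMPLES = {
    "cfml_app": (
        "https://app.example.invalid/index.cfm",
        "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/10.0\r\n"
        "Set-Cookie: CFID=1234; Path=/\r\nSet-Cookie: CFTOKEN=ab12cd; Path=/\r\n\r\n"
        "<html><body>Welcome</body></html>",
    ),
    "admin_panel": (
        "https://app.example.invalid/CFIDE/administrator/index.cfm",
        "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html><title>Login</title></html>",
    ),
    "error_page": (
        "https://app.example.invalid/page.cfm?id=x",
        "HTTP/1.1 500 Internal Server Error\r\n\r\n"
        "<html>Error Occurred While Processing Request: coldfusion.runtime.CustomException</html>",
    ),
    "plain_site": (
        "https://other.example.invalid/index.html",
        "HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n<html>hi</html>",
    ),
}

def fingerprint(url: str, raw_http: str) -> list:
    """Return the ColdFusion indicators present in one response (empty list = no match)."""
    head, _, body = raw_http.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = [h.lower() for h in lines[1:]]
    path = url.split("?", 1)[0].lower()
    found = []
    if re.search(r"\.cf[mc]$", path):  # .cfm / .cfc extension in the request path
        found.append("extension")
    if path.endswith("/cfide/administrator/index.cfm") and status == 200:
        found.append("admin_path")  # the admin login page answered instead of a 404
    # CFID/CFTOKEN session cookies: assumed marker, not one of the notes' listed indicators
    if any(h.startswith("set-cookie:") and re.search(r"\bcf(id|token)=", h) for h in headers):
        found.append("cookie")
    if "coldfusion" in body.lower():  # error messages / page text naming the platform
        found.append("body_text")
    return found

def scan(samples=SAMPLES) -> dict:
    return {name: fingerprint(u, r) for name, (u, r) in samples.items()}

if __name__ == "__main__":
    for name, hits in scan().items():
        print(f"{name}: {hits or 'no ColdFusion indicators'}")
```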

👻 To-do 👻

Stuff that I found, but never read/used yet.

From the HTB module Attacking Common Applications, sample CFML code:

<!--- Run a SQL query against the datasource configured in the ColdFusion Administrator --->
<cfquery name="myQuery" datasource="myDataSource">
  SELECT *
  FROM myTable
</cfquery>
<!--- Iterate over the result rows; #...# interpolates column values into the page --->
<cfloop query="myQuery">
  <p>#myQuery.attr1# #myQuery.attr2#</p>
</cfloop>

  • <cf_root>/lib/password.properties with passwords