So this attack has been published for a while now and I just never posted but I still have found it fruitful during pen tests. For that reason I wanted to collect all the information I have read and learned while performing this attack into one location for my reference.

The basic concept of this attack is a directory traversal to the which can than be used to login into the server. Once you have admin to Coldfusion you can deploy a cfm web shell through a scheduled task in Coldfusion. Game over of running as administrator. Adobe has released a patch for this attack but I have seen this work on versions 7, 8 and 9 that have not been patched.

Step 1: Directory Traversal

This is the step you will see if its vulnerable or not. Below I listed different strings to traverse. All depends on the version to which one will work. Below are ones I have found to work the best for me. Let me know if you know of any others.

Single server configuration ColdFusion


ColdFusion 7


ColdFusion 8


ColdFusion 6,7 AND 8


Step 2: Javascript:hex_hmac_sha1

Once you have the hash from the you can either drop those in rainbow tables or my following preferred method. Once you copied the hash go back to the login screen and paste the hash into the password field and copy the following javascript and execute.


This will return another value. The value returned will be used to pass to the login form. This all has to be down pretty fast. Seems to be 30 seconds or less before this value times out. Sometimes cookies will have to be cleared and you will have to rerun the javascript.

So with this value you just have to intercept the login with a proxy and replace the password parameter with this value. If all goes will you should be rewqreded with a nice admin screen. Now do would you like, I like web shells.


2 Thoughts on “Cold Fusion Directory Traversal

  1. Jack on July 18, 2011 at 3:30 pm said:

    Hey Devin! 😀

  2. Hi,
    I have designed a python open source code that allows you to automate the process of retrieving hashes. It also has support for lists, meaning servers can be tested in the masses. (Great for a CFM dev who owns many servers etc).

    Feel free to check it out at :

Leave a Reply

Your email address will not be published. Required fields are marked *

Post Navigation