Penetration Testing mailing list archives
RE: brute force ColdFusion MX7 admin page
From: "Marc Ouwerkerk" <info () hacktoolrepository com>
Date: Fri, 21 Dec 2007 10:28:00 +0100
I found this link: http://pajhome.org.uk/crypt/md5/sha1src.html which has the same function (name) as you describe, but my guess would be that the function is declared in a seperate javascript file which is included in the page. Look for something like this: <script type="text/javascript" src="http://pagead2.googlesyndication.com/pagead/show_ads.js"> </script> hope this helps Met vriendelijke groeten, Marc Ouwerkerk marc () olderchurch net http://www.olderchurch.net http://www.hacktoolrepository.com -----Oorspronkelijk bericht----- Van: listbounce () securityfocus com [mailto:listbounce () securityfocus com] Namens Anonymous Verzonden: donderdag 20 december 2007 4:44 Aan: pen-test () securityfocus com Onderwerp: brute force ColdFusion MX7 admin page I would send this from my work account but every time I respond to a question I get a bunch of spam. So... on to the real situation. A customer's ColdFusion MX7 admin page is reachable from the Internet. As part of the external pen test I'd like to attempt to brute force this page. It would seem to be easier than normal because there is only a password - no username is needed. However, there is a small problem that I'm not sure how to tackle quickly. I don't have much time left. The form action is this: <form name="loginform" action="/cfide/administrator/enter.cfm" method="POST" onSubmit="cfadminPassword.value = hex_hmac_sha1(salt.value, hex_sha1(cfadminPassword.value));" > There is a hidden field in the form with the salt value: <input name="salt" type="hidden" value="1198120613281"> I imagine the salt is predictable but I also imagine that it wouldn't help much to predict it. Maybe I'm wrong. The page has a meta refresh of 50. The password field is: <input name="cfadminPassword" type="Password" size="15" maxlength="100" id="admin_login"> Because of the encoding of the entered password with the salt it doesn't look like I can use Hydra. Am I stuck writing my own script using wget (or something) and a function to hash the password and salt. If so, does anyone know about these functions: hex_hmac_sha1 and hex_sha1? Hopefully this is the type of thing that will bring the old PT List back.... maybe... Thanks for any input! ____________________________________________________________________________ ________ Be a better friend, newshound, and know-it-all with Yahoo! Mobile. Try it now. http://mobile.yahoo.com/;_ylt=Ahu06i62sR8HDtDypao8Wcj9tAcJ ------------------------------------------------------------------------ This list is sponsored by: Cenzic Need to secure your web apps NOW? Cenzic finds more, "real" vulnerabilities fast. Click to try it, buy it or download a solution FREE today! http://www.cenzic.com/downloads ------------------------------------------------------------------------ ------------------------------------------------------------------------ This list is sponsored by: Cenzic Need to secure your web apps NOW? Cenzic finds more, "real" vulnerabilities fast. Click to try it, buy it or download a solution FREE today! http://www.cenzic.com/downloads ------------------------------------------------------------------------
Current thread:
- brute force ColdFusion MX7 admin page Anonymous (Dec 19)
- Re: brute force ColdFusion MX7 admin page Joseph McCray (Dec 23)
- RE: brute force ColdFusion MX7 admin page Marc Ouwerkerk (Dec 23)
- <Possible follow-ups>
- Re: brute force ColdFusion MX7 admin page krymson (Dec 27)