Home page logo

pen-test logo Penetration Testing mailing list archives

Re: brute force ColdFusion MX7 admin page
From: Anonymous <anon_email4me () yahoo com>
Date: Tue, 15 Jan 2008 14:14:15 -0800 (PST)

I thought I'd send out a follow-up on my inquiry. It
seems that there aren't enough of these. See the
details below the summary.

1) If your scan reveals /cfide/administrator/index.cfm
as being available look for the availability of
2) Brute force it using whatever tool you'd like. When
you get guess the correct password the server will
respond with the HTTP status of 302 (content moved).
3) Try guessed password at

That's it.

I found one document that really seemed to help me get
beyond the salting issue. Other comments to me and the
list also helped.


This document lists another ColdFusion page
(/cfide/componentutils/login.cfm). This other page
doesn't have a salting function. Although it
apparently doesn't actually allow for logging into the
admin console it will tell you if you have guessed the
correct password by returning the HTTP status code of

I used WebScarab's fuzzing tool and a regular
expression to attempt to brute force the password.
WebScarab kept stopping for some reason and never even
came close to completing. I also tried Hydra's HTTP
post function with a dictionary file but it returned
some false positives and no successes. In the end I
did not have enough time to guess the admin password.

It looks like this is a pretty serious issue as the
research I did shows that these login attempts are not
logged (without a CF server I can't confirm). The PDF
referenced above shows how you can use the admin
console to execute a slow but accurate port scan of
the host environment plus a lot of other fun stuff.

For some reason Nessus doesn't check for
/cfide/componentutils/login.cfm but does check for
/cfide/administrator/index.cfm. Keep this in mind if
you run across the same situation in any of your

Shoot any questions my way if you'd like. And thanks
again for everyone's input.

--- Anonymous <anon_email4me () yahoo com> wrote:

I would send this from my work account but every
I respond to a question I get a bunch of spam. So...
on to the real situation.

A customer's ColdFusion MX7 admin page is reachable
from the Internet. As part of the external pen test
I'd like to attempt to brute force this page. It
seem to be easier than normal because there is only
password - no username is needed.

However, there is a small problem that I'm not sure
how to tackle quickly. I don't have much time left.

The form action is this:

<form name="loginform"
onSubmit="cfadminPassword.value =
hex_sha1(cfadminPassword.value));" >

There is a hidden field in the form with the salt

<input name="salt" type="hidden"

I imagine the salt is predictable but I also imagine
that it wouldn't help much to predict it. Maybe I'm
wrong. The page has a meta refresh of 50.

The password field is:

<input name="cfadminPassword" type="Password"
size="15" maxlength="100" id="admin_login">

Because of the encoding of the entered password with
the salt it doesn't look like I can use Hydra. Am I
stuck writing my own script using wget (or
and a function to hash the password and salt. If so,
does anyone know about these functions:
and hex_sha1?

Hopefully this is the type of thing that will bring
the old PT List back.... maybe...

Thanks for any input!


Be a better friend, newshound, and 
know-it-all with Yahoo! Mobile.  Try it now. 


Never miss a thing.  Make Yahoo your home page. 

This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]