Reverse Fusion

The title may sound fancier than it is. This is not an attempt to create a new kind of energy source; it is a quick post about a new tool I created for a recent penetration test.

I was performing a penetration test recently and found a Local File Inclusion on a ColdFusion application. Funnily enough, the site had a file upload section too... score!

I went delving into the realms of GitHub to find a reverse shell for ColdFusion and struggled to find anything of use other than a lot of webshells. In comes Reverse Fusion.

Found here:
Impenetrable GitHub Page – Reverse Fusion

I created a quick Python3 script that does the following:

  • Takes your IP and Port (for the reverse shell)
  • Takes a filename to write out to
  • Pops these details into a standard PowerShell reverse shell one-liner
  • Base64 encodes the payload
  • Prepends the decode method arguments for use in PowerShell
  • Adds the payload into CFML markup utilising “cfexecute” to run “C:/Windows/System32/WindowsPowerShell/v1.0/powershell.exe”

As you can see, it's a fairly straightforward script that combines already-known attack vectors into a single-use tool for reverse shells.

The main success I had with the CFML payload was bypassing file upload restrictions. Every time I tried a JSP shell it was picked up by either the file upload restrictions or anti-virus on the system, yet it did not seem to care about having a new CFML page uploaded.

There was also the added benefit that, when exploiting “cfinclude” statements, it did not break the application when including a CFM file!
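A defender-side check for the gap described above, as an added example that is not part of the original post or the Reverse Fusion tool: it scans uploaded bytes for “cfexecute” tags regardless of file extension and notes when the tag runs a command interpreter or carries a long base64 run. The function names, interpreter list, 40-character threshold and sample files are assumptions constructed for illustration.

```python
import re

# CFML tag and attribute names are case-insensitive; quoted values may contain ">".
CFEXECUTE = re.compile(r"""<cfexecute\b((?:"[^"]*"|'[^']*'|[^>"'])*)>""", re.I)
ATTR = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)')""")
INTERPRETERS = ("powershell", "pwsh", "cmd.exe")  # assumed watch list
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")  # assumed threshold


def scan_upload(filename, data):
    """Return one finding per <cfexecute> tag found in the uploaded bytes."""
    text = data.decode("utf-8", errors="replace")
    findings = []
    for tag in CFEXECUTE.finditer(text):
        attrs = {m.group(1).lower(): m.group(2) or m.group(3) or ""
                 for m in ATTR.finditer(tag.group(1))}
        program = attrs.get("name", "").lower()
        reasons = ["cfexecute tag in uploaded content"]
        if any(word in program for word in INTERPRETERS):
            reasons.append("runs a command interpreter")
        if BASE64_RUN.search(attrs.get("arguments", "")):
            reasons.append("arguments contain a long base64 run")
        findings.append({"file": filename, "offset": tag.start(), "reasons": reasons})
    return findings


# Constructed samples. The base64 run is an inert placeholder ("ABC" repeated).
PLACEHOLDER = "QUJD" * 12
SAMPLES = {
    "report.cfm": b"<cfoutput>#dateFormat(now())#</cfoutput>",
    "avatar.jpg": ('<CFEXECUTE name="C:/Windows/System32/WindowsPowerShell/v1.0/'
                   'powershell.exe" arguments="' + PLACEHOLDER + '" timeout="5">'
                   "</CFEXECUTE>").encode(),
    "convert.cfm": b"<cfexecute name='C:/tools/convert.exe' arguments='a > b'></cfexecute>",
}


def scan_all(samples):
    """Scan every sample and return a flat list of findings."""
    return [f for name, data in samples.items() for f in scan_upload(name, data)]


if __name__ == "__main__":
    for finding in scan_all(SAMPLES):
        print(finding["file"], finding["offset"], "; ".join(finding["reasons"]))
```

Scanning content rather than trusting the extension matters here because the post's path to execution was an include of an uploaded file, so a renamed file deserves the same inspection as a `.cfm` one.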

Here is a quick video to show it in action on a basic test site I had set up.