The title may sound fancier than what follows. This is not an attempt to create a new kind of energy source, but a quick post about a new tool I had created for a recent penetration test.
I was performing a penetration test recently and had found a Local File Inclusion on a ColdFusion application; funnily enough, the site had a file upload section too... score!
I went to delve the realms of GitHub to find a reverse shell for ColdFusion and struggled to find anything of use other than a lot of webshells. In comes Reverse Fusion.
Found here:
Impenetrable GitHub Page – Reverse Fusion
I created a quick Python 3 script that does the following:
- Takes your IP and port (for the reverse shell)
- Takes a filename to write out to
- Pops these details into a standard PowerShell reverse shell one-liner
- Base64-encodes the payload
- Prepends the decode method arguments for use in PowerShell
- Adds the payload into CFML markup, utilising "cfexecute" to run "C:/Windows/System32/WindowsPowerShell/v1.0/powershell.exe"
As you can see, it's a fairly straightforward script that packages already-known attack vectors into a single-use tool for reverse shells.
The main success I had with the CFML payload was bypassing file upload restrictions. Every time I tried a JSP shell it was picked up by either the file upload restrictions or the anti-virus on the system, yet neither seemed to care about a new CFML page being uploaded.
There was also the added benefit that, when exploiting "cfinclude" statements, including a CFM file did not break the application!
Here is a quick video to show it in action on a basic test site I had set up.
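A defender-side counterpart to the upload-filter gap described above, as an added example that is not part of the original post or of the Reverse Fusion tool: a small Python 3 check that inspects uploaded CFML for cfexecute tags launching PowerShell with an encoded command, and decodes that command so a reviewer can see what would actually run. The sample files and their contents are constructed here; the only real identifiers used are the cfexecute tag and PowerShell's -EncodedCommand switch (which also accepts the -e/-ec/-enc prefixes).

```python
import base64
import re

# Match a cfexecute tag and pull out its attributes (ColdFusion tags are case-insensitive).
CFEXECUTE_RE = re.compile(r"<cfexecute\b([^>]*)>", re.IGNORECASE)
ATTR_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')
# -e, -ec, -en, -enc, -encodedcommand followed by a base64 token.
ENCODED_FLAG_RE = re.compile(r"-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

# Executables that an ordinary CFML page has no business spawning.
SHELL_EXECUTABLES = {"powershell.exe", "pwsh.exe", "cmd.exe"}


def parse_attrs(attr_text):
    """Turn the attribute text of a tag into a lower-cased dict."""
    return {k.lower(): v for k, v in ATTR_RE.findall(attr_text)}


def decode_encoded_command(b64):
    """PowerShell's -EncodedCommand is base64 over UTF-16LE; return None if it is not."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def scan_cfml(source):
    """Return one finding per cfexecute tag; shells get 'high', anything else 'review'."""
    findings = []
    for match in CFEXECUTE_RE.finditer(source):
        attrs = parse_attrs(match.group(1))
        name = attrs.get("name", "")
        args = attrs.get("arguments", "")
        exe = re.split(r"[\\/]", name)[-1].lower()
        finding = {"executable": exe, "arguments": args, "decoded": None, "severity": "review"}
        if exe in SHELL_EXECUTABLES:
            finding["severity"] = "high"
            enc = ENCODED_FLAG_RE.search(args)
            if enc:
                finding["decoded"] = decode_encoded_command(enc.group(1))
        findings.append(finding)
    return findings


def scan_uploads(files):
    """Map filename -> findings for every uploaded file that contains cfexecute."""
    flagged = {}
    for filename, source in files.items():
        findings = scan_cfml(source)
        if findings:
            flagged[filename] = findings
    return flagged


# Constructed sample uploads (not from the post). The encoded command is a harmless
# Write-Output so the decode step has something realistic to show.
ENCODED = base64.b64encode("Write-Output 'constructed'".encode("utf-16le")).decode()
SAMPLES = {
    "contact.cfm": "<cfoutput>Hello #form.name#</cfoutput>",
    "upload_1234.cfm": (
        '<cfexecute name="C:/Windows/System32/WindowsPowerShell/v1.0/powershell.exe" '
        f'arguments="-NoProfile -EncodedCommand {ENCODED}" timeout="10"></cfexecute>'
    ),
}

if __name__ == "__main__":
    for filename, findings in scan_uploads(SAMPLES).items():
        for f in findings:
            print(f"{filename}: [{f['severity']}] {f['executable']} -> {f['decoded'] or f['arguments']}")
```

Run this over the upload directory (or wire it into the upload handler) and block or quarantine anything rated high; a cfexecute tag of any kind in user-supplied content is worth a manual look, which is why the rest is rated review rather than ignored. The same check generalises to any server-side template language the upload filter lets through unchanged.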