21. ColdFusion Discovery and Enumeration

1. ColdFusion Overview

  • Definition: A Java-based web application development platform using ColdFusion Markup Language (CFML).

  • Common Uses: Dynamic web applications, database integration, and web content management.

  • Supported Languages: CFML, JavaScript, Java.

  • Common File Extensions: .cfm, .cfc.

  • Common Ports: 80, 443, 1935, 25, 8500, 5500.


2. Enumeration Techniques

Port Scanning

  • ColdFusion often uses port 8500.

  • Command:

    nmap -p- -sC -Pn <target_ip> --open
    • -p-: Scans all ports.

    • -sC: Runs default scripts.

    • -Pn: Skips host discovery.

    • --open: Shows only open ports.

File Extensions

  • Look for .cfm and .cfc extensions.

HTTP Headers

  • Check response headers for Server: ColdFusion or X-Powered-By: ColdFusion.

  • Command:

    curl -I http://<target_ip>

Error Messages

  • ColdFusion error messages may contain ColdFusion-specific tags or functions.

Default Files

  • Look for default ColdFusion files like:

    • admin.cfm

    • CFIDE/administrator/index.cfm

  • If /CFIDE/administrator loads when you navigate to it, that is a strong indicator of a ColdFusion installation.
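
The indicators in this section can also be checked against saved `curl -i` responses from hosts you administer, for example to inventory ColdFusion servers whose administrator path is reachable. This is an added example, not part of the original notes; the function names, host labels and sample responses are constructed, and counting a 401/403 on the admin path as "present" is an assumption.

```python
import re

# Indicators come from the list above; everything in SAMPLES is constructed.
HEADER_RE = re.compile(r"^(server|x-powered-by):.*coldfusion", re.I | re.M)
EXT_RE = re.compile(r"""(?:href|src|action)=["'][^"'#]*\.(cfm|cfc)\b""", re.I)
CFML_TAG_RE = re.compile(r"(?:<|&lt;)/?cf[a-z]+\b", re.I)  # e.g. <cfquery>
ADMIN_PATH_RE = re.compile(r"^/cfide/administrator(/|$)", re.I)

SAMPLES = [  # (host label, requested path, raw response as saved by curl -i)
    ("app01", "/", "HTTP/1.1 200 OK\r\nServer: Apache\r\n"
     "X-Powered-By: ColdFusion\r\n\r\n<a href='/store/index.cfm'>Store</a>"),
    ("app01", "/CFIDE/administrator", "HTTP/1.1 302 Found\r\n"
     "Location: /CFIDE/administrator/index.cfm\r\n\r\n"),
    ("app02", "/CFIDE/administrator", "HTTP/1.1 404 Not Found\r\n"
     "Server: nginx\r\n\r\nnot found"),
    ("app03", "/report", "HTTP/1.1 500 Internal Server Error\r\n"
     "Server: nginx\r\n\r\nError in &lt;cfquery name=&quot;q&quot;&gt;"),
]


def coldfusion_indicators(path, raw_response):
    """Return the ColdFusion indicators present in one saved response."""
    head, _, body = raw_response.replace("\r\n", "\n").partition("\n\n")
    status_line, _, headers = head.partition("\n")
    parts = status_line.split()
    status = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else 0
    found = []
    if HEADER_RE.search(headers):
        found.append("header")
    # Assumption: a 404 means the path is absent, while 2xx/3xx/401/403
    # means something is answering at the administrator path.
    if ADMIN_PATH_RE.match(path) and (200 <= status < 400 or status in (401, 403)):
        found.append("admin-path")
    if EXT_RE.search(body):
        found.append("cfm-extension")
    if status >= 500 and CFML_TAG_RE.search(body):
        found.append("cfml-error")
    return found


def audit(samples):
    """Merge indicators per host so each host gets one finding line."""
    hits = {}
    for host, path, raw in samples:
        hits.setdefault(host, set()).update(coldfusion_indicators(path, raw))
    return {host: sorted(found) for host, found in hits.items()}
```

A host that reports "admin-path" is the one to prioritise for access restriction, since the header and extension indicators only confirm the platform.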


3. Enumeration Commands and Explanation

Nmap Port and Service Scan

nmap -p- -sC -Pn <target_ip> --open
  • Scans all TCP ports, skips host discovery, runs the default scripts, and shows only open ports. Service version detection is not part of this command; it would need -sV.

Manual Directory Browsing

  • Open a web browser and visit:

    • http://<target_ip>:8500

    • https://<target_ip>:8500

    • http://<target_ip>:8500/CFIDE/administrator

  • These URLs may reveal directories like CFIDE and cfdocs.

cURL Header Check

curl -I http://<target_ip>
  • Retrieves HTTP headers to identify the ColdFusion server.

Gobuster Directory Bruteforcing

gobuster dir -u http://<target_ip> -w <wordlist>
  • Brute-forces directories and files.

Dirb Directory Bruteforcing

dirb http://<target_ip> <wordlist>
  • Alternative directory bruteforcer.

FFuf Directory Bruteforcing

ffuf -w <wordlist> -u http://<target_ip>/FUZZ
  • Another directory bruteforcer.

Web Browser Developer Tools

  • Use the Network tab in browser developer tools to inspect HTTP headers and responses.


4. Key Points

  • ColdFusion's default port is 8500, and specific directories (e.g., CFIDE) can indicate its presence.

  • File extensions and HTTP headers can reveal ColdFusion-specific details.

  • Error messages may provide further clues about the application.

  • Default files like admin.cfm can expose sensitive information.

  • ColdFusion applications can be slow to respond, so be patient when testing.


5. Important Notes

  • Ensure you have explicit permission before testing.

  • Use VPNs or proxy tools for anonymity.

  • Modify file paths and usernames as per your environment.

  • Administrative privileges may be required for some tests.

  • Regularly update your wordlists for directory bruteforcing.
