21.-Coldfusion-discovery-and-enumeration

1. ColdFusion Overview

Definition: A Java-based web application development platform using ColdFusion Markup Language (CFML).
Common Uses: Dynamic web applications, database integration, and web content management.
Supported Languages: CFML, JavaScript, Java.
Common File Extensions: .cfm, .cfc.
Common Ports: 80, 443, 1935, 25, 8500, 5500.

2. Enumeration Techniques

Port Scanning

ColdFusion often uses port 8500.
Command:
```
nmap -p- -sC -Pn <target_ip> --open
```
- -p-: Scans all ports.
- -sC: Runs default scripts.
- -Pn: Skips host discovery.
- --open: Shows only open ports.

File Extensions

Look for .cfm and .cfc extensions.

HTTP Headers

Check response headers for Server: ColdFusion or X-Powered-By: ColdFusion.
Command:
```
curl -I http://<target_ip>
```

Error Messages

ColdFusion error messages may contain ColdFusion-specific tags or functions.

Default Files

Look for default ColdFusion files like:
- admin.cfm
- CFIDE/administrator/index.cfm
Navigating to /CFIDE/administrator is a strong indicator of a ColdFusion installation.

3. Enumeration Commands and Explanation

Nmap Port and Service Scan

nmap -p- -sC -Pn <target_ip> --open

Scans all TCP ports, detects service versions, and runs default scripts.

Manual Directory Browsing

Open a web browser and visit:
- http://<target_ip>:8500
- https://<target_ip>:8500
- http://<target_ip>:8500/CFIDE/administrator
These URLs may reveal directories like CFIDE and cfdocs.

cURL Header Check

curl -I http://<target_ip>

Retrieves HTTP headers to identify the ColdFusion server.

Gobuster Directory Bruteforcing

gobuster dir -u http://<target_ip> -w <wordlist>

Brute-forces directories and files.

Dirb Directory Bruteforcing

dirb http://<target_ip> <wordlist>

Alternative directory bruteforcer.

FFuf Directory Bruteforcing

ffuf -w <wordlist> -u http://<target_ip>/FUZZ

Another directory bruteforcer.

Web Browser Developer Tools

Use the Network tab in browser developer tools to inspect HTTP headers and responses.

4. Key Points

ColdFusion's default port is 8500, and specific directories (e.g., CFIDE) can indicate its presence.
File extensions and HTTP headers can reveal ColdFusion-specific details.
Error messages may provide further clues about the application.
Default files like admin.cfm can expose sensitive information.
ColdFusion applications can be slow to respond, so be patient when testing.

5. Important Notes

Ensure you have explicit permission before testing.
Use VPNs or proxy tools for anonymity.
Modify file paths and usernames as per your environment.
Administrative privileges may be required for some tests.
Regularly update your wordlists for directory bruteforcing.

Previous7. Miscellaneous Applications NextColdFusion Exploitation Guide

Last updated 12 days ago

21.-Coldfusion-discovery-and-enumeration

1. ColdFusion Overview

Definition: A Java-based web application development platform using ColdFusion Markup Language (CFML).
Common Uses: Dynamic web applications, database integration, and web content management.
Supported Languages: CFML, JavaScript, Java.
Common File Extensions: .cfm, .cfc.
Common Ports: 80, 443, 1935, 25, 8500, 5500.

2. Enumeration Techniques

Port Scanning

ColdFusion often uses port 8500.
Command:
```
nmap -p- -sC -Pn <target_ip> --open
```
- -p-: Scans all ports.
- -sC: Runs default scripts.
- -Pn: Skips host discovery.
- --open: Shows only open ports.

File Extensions

Look for .cfm and .cfc extensions.

HTTP Headers

Check response headers for Server: ColdFusion or X-Powered-By: ColdFusion.
Command:
```
curl -I http://<target_ip>
```

Error Messages

ColdFusion error messages may contain ColdFusion-specific tags or functions.

Default Files

Look for default ColdFusion files like:
- admin.cfm
- CFIDE/administrator/index.cfm
Navigating to /CFIDE/administrator is a strong indicator of a ColdFusion installation.

3. Enumeration Commands and Explanation

Nmap Port and Service Scan

nmap -p- -sC -Pn <target_ip> --open

Scans all TCP ports, detects service versions, and runs default scripts.

Manual Directory Browsing

Open a web browser and visit:
- http://<target_ip>:8500
- https://<target_ip>:8500
- http://<target_ip>:8500/CFIDE/administrator
These URLs may reveal directories like CFIDE and cfdocs.

cURL Header Check

curl -I http://<target_ip>

Retrieves HTTP headers to identify the ColdFusion server.

Gobuster Directory Bruteforcing

gobuster dir -u http://<target_ip> -w <wordlist>

Brute-forces directories and files.

Dirb Directory Bruteforcing

dirb http://<target_ip> <wordlist>

Alternative directory bruteforcer.

FFuf Directory Bruteforcing

ffuf -w <wordlist> -u http://<target_ip>/FUZZ

Another directory bruteforcer.

Web Browser Developer Tools

Use the Network tab in browser developer tools to inspect HTTP headers and responses.

4. Key Points

ColdFusion's default port is 8500, and specific directories (e.g., CFIDE) can indicate its presence.
File extensions and HTTP headers can reveal ColdFusion-specific details.
Error messages may provide further clues about the application.
Default files like admin.cfm can expose sensitive information.
ColdFusion applications can be slow to respond, so be patient when testing.

5. Important Notes

Ensure you have explicit permission before testing.
Use VPNs or proxy tools for anonymity.
Modify file paths and usernames as per your environment.
Administrative privileges may be required for some tests.
Regularly update your wordlists for directory bruteforcing.

Previous7. Miscellaneous Applications NextColdFusion Exploitation Guide

Last updated 12 days ago