RE: brute force ColdFusion MX7 admin page

From: Marc Ouwerkerk (info@hacktoolrepository.com)
Date: Fri Dec 21 2007 - 04:28:00 EST


I found this link: http://pajhome.org.uk/crypt/md5/sha1src.html
which has the same function (name) as you describe, but my guess would be
that the function is declared in a seperate javascript file which is
included in the page. Look for something like this:
<script type="text/javascript"
  src="http://pagead2.googlesyndication.com/pagead/show_ads.js">
</script>

hope this helps

Met vriendelijke groeten,
 
Marc Ouwerkerk
marc@olderchurch.net
http://www.olderchurch.net
http://www.hacktoolrepository.com

-----Oorspronkelijk bericht-----
Van: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com]
Namens Anonymous
Verzonden: donderdag 20 december 2007 4:44
Aan: pen-test@securityfocus.com
Onderwerp: brute force ColdFusion MX7 admin page

I would send this from my work account but every time I respond to a
question I get a bunch of spam. So...
on to the real situation.

A customer's ColdFusion MX7 admin page is reachable from the Internet. As
part of the external pen test I'd like to attempt to brute force this page.
It would seem to be easier than normal because there is only a password - no
username is needed.

However, there is a small problem that I'm not sure how to tackle quickly. I
don't have much time left.

The form action is this:

<form name="loginform"
action="/cfide/administrator/enter.cfm" method="POST"
onSubmit="cfadminPassword.value =
hex_hmac_sha1(salt.value,
hex_sha1(cfadminPassword.value));" >

There is a hidden field in the form with the salt
value:

<input name="salt" type="hidden"
value="1198120613281">

I imagine the salt is predictable but I also imagine that it wouldn't help
much to predict it. Maybe I'm wrong. The page has a meta refresh of 50.

The password field is:

<input name="cfadminPassword" type="Password"
size="15" maxlength="100" id="admin_login">

Because of the encoding of the entered password with the salt it doesn't
look like I can use Hydra. Am I stuck writing my own script using wget (or
something) and a function to hash the password and salt. If so, does anyone
know about these functions: hex_hmac_sha1 and hex_sha1?

Hopefully this is the type of thing that will bring the old PT List back....
maybe...

Thanks for any input!

 
____________________________________________________________________________
________
Be a better friend, newshound, and
know-it-all with Yahoo! Mobile. Try it now.
http://mobile.yahoo.com/;_ylt=Ahu06i62sR8HDtDypao8Wcj9tAcJ

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:17 EDT