brute force ColdFusion MX7 admin page

From: Anonymous (anon_email4me@yahoo.com)
Date: Wed Dec 19 2007 - 22:44:25 EST

• Next message: ganesh mahadevan: "Serial Port communication vulnerabilities"
• Previous message: DaKahuna: "Re: WPA-PSK audit"
• Next in thread: Joseph McCray: "Re: brute force ColdFusion MX7 admin page"
• Reply: Joseph McCray: "Re: brute force ColdFusion MX7 admin page"
• Reply: Marc Ouwerkerk: "RE: brute force ColdFusion MX7 admin page"
• Maybe reply: krymson@gmail.com: "Re: brute force ColdFusion MX7 admin page"
• Maybe reply: Anonymous: "Re: brute force ColdFusion MX7 admin page"
• Maybe reply: me: "Re: brute force ColdFusion MX7 admin page"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

I would send this from my work account but every time
I respond to a question I get a bunch of spam. So...
on to the real situation.

A customer's ColdFusion MX7 admin page is reachable
from the Internet. As part of the external pen test
I'd like to attempt to brute force this page. It would
seem to be easier than normal because there is only a
password - no username is needed.

However, there is a small problem that I'm not sure
how to tackle quickly. I don't have much time left.

The form action is this:

<form name="loginform"
action="/cfide/administrator/enter.cfm" method="POST"
onSubmit="cfadminPassword.value =
hex_hmac_sha1(salt.value,
hex_sha1(cfadminPassword.value));" >

There is a hidden field in the form with the salt
value:

<input name="salt" type="hidden"
value="1198120613281">

I imagine the salt is predictable but I also imagine
that it wouldn't help much to predict it. Maybe I'm
wrong. The page has a meta refresh of 50.

The password field is:

<input name="cfadminPassword" type="Password"
size="15" maxlength="100" id="admin_login">

Because of the encoding of the entered password with
the salt it doesn't look like I can use Hydra. Am I
stuck writing my own script using wget (or something)
and a function to hash the password and salt. If so,
does anyone know about these functions: hex_hmac_sha1
and hex_sha1?

Hopefully this is the type of thing that will bring
the old PT List back.... maybe...

Thanks for any input!

      ____________________________________________________________________________________
Be a better friend, newshound, and
know-it-all with Yahoo! Mobile. Try it now. http://mobile.yahoo.com/;_ylt=Ahu06i62sR8HDtDypao8Wcj9tAcJ

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------

• Next message: ganesh mahadevan: "Serial Port communication vulnerabilities"
• Previous message: DaKahuna: "Re: WPA-PSK audit"
• Next in thread: Joseph McCray: "Re: brute force ColdFusion MX7 admin page"
• Reply: Joseph McCray: "Re: brute force ColdFusion MX7 admin page"
• Reply: Marc Ouwerkerk: "RE: brute force ColdFusion MX7 admin page"
• Maybe reply: krymson@gmail.com: "Re: brute force ColdFusion MX7 admin page"
• Maybe reply: Anonymous: "Re: brute force ColdFusion MX7 admin page"
• Maybe reply: me: "Re: brute force ColdFusion MX7 admin page"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:17 EDT