This utility exists to help locate CFML engine administration interfaces (Lucee and Adobe ColdFusion) that are exposed more widely than intended. It scans URLs generated from target definitions and attempts to identify the administrator login page by its page title.
From the project root, initialize a Python virtual environment and activate:
$ python3 -m venv env
$ . env/bin/activate
Install the project requirements. The (env) $ prompt is just a reminder (to myself).
(env) $ pip install -r requirements.txt
The program reads a JSON file containing targets to scan. It logs information found while scanning. Apparent instances of the Lucee and Adobe ColdFusion administrator interfaces are logged as warnings.
(env) $ ./scan.py targets.json
The JSON file is an array of target definitions of the following types:
The hostname target definition expands one or more hostnames to check for administrator interfaces at both protocol schemes (http and https) and from both CFML engine vendors. Consider the following chunk of JSON:
[
{
"hostname": [
"domain.tld",
"app.domain.tld"
]
}
]
Those two hostnames will be expanded to cause the following scanned URLs:
- http://domain.tld/lucee/admin/server.cfm
- https://domain.tld/lucee/admin/server.cfm
- http://domain.tld/CFIDE/administrator/index.cfm
- https://domain.tld/CFIDE/administrator/index.cfm
- http://app.domain.tld/lucee/admin/server.cfm
- https://app.domain.tld/lucee/admin/server.cfm
- http://app.domain.tld/CFIDE/administrator/index.cfm
- https://app.domain.tld/CFIDE/administrator/index.cfm
One or more IP addresses can be provided as a target definition using the ip property:
[
{
"ip": "1.2.3.4"
}
]
For this target definition, https expansion will not be performed. These are the resulting URLs to be scanned:
- http://1.2.3.4/lucee/admin/server.cfm
- http://1.2.3.4/CFIDE/administrator/index.cfm
If interest exists, this target definition could be enhanced to scan a given CIDR expression.
This target definition allows one or more base URLs to be used with CFML engine vendor expansion:
[
{
"baseurl": [
"http://app01.domain.tld:8080",
"http://app01.domain.tld:8081"
]
}
]
This target definition will expand to the following URLs:
- http://app01.domain.tld:8080/lucee/admin/server.cfm
- http://app01.domain.tld:8080/CFIDE/administrator/index.cfm
- http://app01.domain.tld:8081/lucee/admin/server.cfm
- http://app01.domain.tld:8081/CFIDE/administrator/index.cfm
The URL target definition explicitly defines a location to scan; no expansion will be performed. This allows specifying a non-standard location to evaluate:
[
{
"url": [
"https://admin.domain.tld:8889/admin/cfml/"
]
}
]
The program will scan only the URL provided, and display a warning if HTTP 200 OK is returned. To help identify false positives, the title of the HTML page is logged. A project enhancement might be to accept strings to seek in the content.
It is possible to skip target definitions by adding the skip property. For example:
[
{
"hostname": "domain.tld",
"skip": true
}
]
Since JSON doesn't allow comments without hackery, it can be difficult to include in-line documentation. The description property is suggested for this purpose:
[
{
"description": "This is the new server to be validated",
"hostname": "new.domain.tld"
}
]
If scanning for both CFML engine vendor administration interfaces is unnecessary, use the vendor command line argument to specify lucee or adobe:
(env) $ ./scan.py --vendor lucee targets.json
This will reduce the number of URLs scanned for target definitions that perform expansion.
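The expansion rules described above (hostname, ip, baseurl and url definitions, the skip property, and the vendor filter), implemented as an added example in Python. This is not the project's own scan.py; it assumes a baseurl's trailing slash is trimmed before the vendor path is appended.

```python
import json
from typing import Iterable

# Administrator interface paths per vendor, as listed in the expansion examples above.
VENDOR_PATHS = {
    "lucee": "/lucee/admin/server.cfm",
    "adobe": "/CFIDE/administrator/index.cfm",
}


def _as_list(value) -> list:
    """A property may hold one string or a list of strings."""
    return value if isinstance(value, list) else [value]


def expand_target(target: dict, vendors: Iterable[str] = ("lucee", "adobe")) -> list:
    """Return the URLs one target definition expands to (order matches the README).

    hostname -> http and https, each vendor path
    ip       -> http only, each vendor path
    baseurl  -> each vendor path appended to the base URL (assumed: trailing "/" trimmed)
    url      -> taken verbatim, no expansion
    skip     -> nothing is scanned
    """
    if target.get("skip"):
        return []
    paths = [VENDOR_PATHS[v] for v in vendors]
    urls = []
    for host in _as_list(target.get("hostname", [])):
        urls += [f"{scheme}://{host}{p}" for p in paths for scheme in ("http", "https")]
    for ip in _as_list(target.get("ip", [])):
        urls += [f"http://{ip}{p}" for p in paths]
    for base in _as_list(target.get("baseurl", [])):
        urls += [base.rstrip("/") + p for p in paths]
    urls += _as_list(target.get("url", []))
    return urls


def expand_targets(json_text: str, vendors=("lucee", "adobe")) -> list:
    """Expand every target definition in a targets.json document, in order."""
    return [u for t in json.loads(json_text) for u in expand_target(t, vendors)]


if __name__ == "__main__":
    # Constructed sample mirroring the definitions shown in this README.
    sample = '[{"hostname": ["domain.tld", "app.domain.tld"]}, {"ip": "1.2.3.4"}, {"hostname": "old.domain.tld", "skip": true}]'
    for url in expand_targets(sample, vendors=("lucee",)):
        print(url)
```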
The log level may be adjusted with the loglevel argument to see more detail about which URLs were actually scanned:
(env) $ ./scan.py --loglevel INFO targets.json
Please report any issues using https://github.com/ecivis/scan-cfml-admin/issues
Possible future enhancements:
- A better reporting mechanism needs to be designed to express the result of scanning.
- Support for a range of ports to be scanned; perhaps as an addition to the hostname target definition.
This project is available under the MIT License. See LICENSE.