We help IT Professionals succeed at work.

Hacker Uploaded CFM Shell File

seeraig asked
someone has uploaded a shell file to our server, I believe it was done through some kind of sql injection. Attached is the file, can someone give me more details on exactly what the file does. It looks like it could be for de-facing or for capturing your files, but can someone give me more exact details on the nature of this shell file?
Watch Question

I do not have the time to dissect the whole file but it looks like it was designed to delete the files in a folder and replace them. Looks like it was meant to phone home with an email. Are the rest of your files OK? It also looks like it was designed to harvest your data source so it may be this file was there first then the SQL stuff happened.


Can anyone provide some additional details?
Most Valuable Expert 2015
It looks like it's doing more than that.  There's code to

= list server directories, files, and file sizes
= Display the contents of server files
= delete/copy/move/create/modify server files and directories
= Upload and download files to and from the server.
= code to run arbitrary commands via cfexecute
= code to get information about the CF, o/s, datasource configuration, etc...

It may be doing more. But once you can manipulate server files and execute commands you pretty much run the table.

fwiw - according to an online translator most of the html escaped chars are vietnamese phrases like "move file from x to y". "is this file..etc.."
What agx said is correct it has the code to get ur cf details config , datasource etc .

That is why you should be very careful with upload option and following steps should be taken

1) Upload option should be restricted for selected files using accept attribute but The cffile accept attribute uses the mime type that your browser sends to the server.  browser tells cffile what the mime type is. It's very easy to spoof the mime type So better to check for file ext after upload and there are some API's available to check File Extension matches File Format.
2) Upload location should be out side ur web root, This is important as this will not allow hackers to execute it.
3) Remove execute permissions from directories where we are uploading

of at least equal importance is how the file was uploaded. an unpatched version of cf 8 & 8.01 was vulnerable to file upload due to a flaw in fckeditor http://www.adobe.com/support/security/bulletins/apsb09-09.html

also all queries should be protected with cfqueryparam...


Other than a file upload mechanism, are there other ways that a file could be placed onto a server? Not ways via direct access to server, but through vulnerabilities in web application, ie cross-site scripting, sql injection, etc

Some one can place a file either through file upload or FTP
Do you have WebDAV enabled?
aside from the obvious flaws like the fckeditor, SQL injection is probably the most common way - if your code is vulnerable to injection (ie: you didn't use cfqueryparam) then it's possible for the machine to be completely compromised with just a bit of effort ie: reading this http://sqlmap.sourceforge.net/doc/BlackHat-Europe-09-Damele-A-G-Advanced-SQL-injection-whitepaper.pdf

There's also a MIME spoofing attack http://www.raymondcamden.com/index.cfm/2009/6/30/Are-you-aware-of-the-MIMEFile-Upload-Security-Issue

There's a pretty good read on how to clean up a shell compromised server here