Can I get the source of a hacked Coldfusion template?

We recently had a hacker gain access to our system. They dumped some Coldfusion templates and included them in random pages on our sites.

The files they dump start with "Allaire Cold Fusion Template" and then contain what appears to be "garbage", but I believe that this is some kind of pre-compiled ColdFusion code.

We've cleared out the hacks, but I saved off the files because I was hoping that there would be some way to de-compile them and maybe make some sense of them. Although I think the hack is dealt with, I am a little worried about what this code was doing. (When I looked at the source of a page that included this code, it created no output, so something had to be going on in the background.)

If there isn't a way, that's cool, I just thought I would at least investigate the possibility of seeing what these files were doing. Thanks in advance for any help.

jzimmerman2011 asked Feb 06 '13 15:02


2 Answers

Wow, you have awakened some of my "old" brain cells... Way back when, you could encrypt your ColdFusion templates and they could still be run on a ColdFusion server. This encryption was not very secure, as the decrypting algorithm was readily available. It was/is an easy way to "hide" your code from the unknowing (I guess).

I did a quick Google search and found an old reference to a decrypt function on Adobe's site that may help "crack" that code: AB Positive Encrypt and Decrypt. I believe their code would have to be encrypted this way, otherwise the ColdFusion server would not be able to read the files either. This download includes the cfdecrypt.exe and cfencode.exe programs.

If that tool does not work, and if I remember correctly, the ColdFusion encryption before CFMX was done using something called CFCrypt.exe. That was for older versions of ColdFusion, I think, but you can try using that too. I couldn't find it, but I'm sure it can be found if you Google for it.

Please post back with your results. I'm interested to see what they were doing.

Miguel-F answered Oct 23 '22 03:10
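As an added example (not code from either answer, and not the cfencode/cfdecrypt tools themselves), the script below does the two things a responder in the asker's position would want. First, it sweeps a web root for every file that begins with the "Allaire Cold Fusion Template" banner the question describes, recording size and SHA-256 so the samples are preserved and comparable before any cleanup. Second, it illustrates the answer's point that this kind of "encryption" offers no real protection: a fixed-key symmetric obfuscation is its own inverse, and the server must hold the key to run the template, so anyone who can read the server can recover the source. The `DEMO_KEY` value and the `xor_keystream()` scheme are assumptions for illustration only; they are not the real cfencode key or algorithm. The sample files are constructed inline in a temporary directory.

```python
"""Triage helper for encoded ColdFusion templates found during an incident.

Added example, not code from the original thread or from cfencode/cfdecrypt.
DEMO_KEY and the xor_keystream() scheme are assumptions for illustration;
they are NOT the real cfencode algorithm or key.
"""
import hashlib
import os
import tempfile

# Banner the question reports at the start of the dropped files.
CF_BANNER = b"Allaire Cold Fusion Template"

# Placeholder key (assumption for illustration only, not the real one).
DEMO_KEY = b"placeholder-key-not-the-real-one"


def find_encoded_templates(root):
    """Walk `root` and return sorted [(path, size, sha256hex)] for every file
    whose first bytes are CF_BANNER. Files are only read, never modified, so
    the evidence stays exactly as the intruder left it."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as f:
                    head = f.read(len(CF_BANNER))
                    if head != CF_BANNER:
                        continue
                    digest = hashlib.sha256(head)
                    for chunk in iter(lambda: f.read(65536), b""):
                        digest.update(chunk)
                size = os.path.getsize(path)
            except OSError:
                continue  # unreadable file: skip it rather than abort the sweep
            hits.append((path, size, digest.hexdigest()))
    return sorted(hits)


def xor_keystream(data, key=DEMO_KEY):
    """XOR each byte with a repeating key. The operation is its own inverse,
    so whoever holds the key (the server has to) can undo it instantly."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def demo_encode(source):
    """Wrap CFML source in the banner plus the toy keystream (not cfencode)."""
    return CF_BANNER + b"\r\n" + xor_keystream(source)


def demo_decode(blob):
    """Recover the source from a demo_encode() blob; refuses other input."""
    prefix = CF_BANNER + b"\r\n"
    if not blob.startswith(prefix):
        raise ValueError("not a banner-prefixed template")
    return xor_keystream(blob[len(prefix):])


def build_sample_tree():
    """Create a temporary web root with constructed sample files: one encoded
    template, one plain page that includes it, and one unrelated binary.
    Returns the root path."""
    root = tempfile.mkdtemp(prefix="cfm-triage-")
    os.makedirs(os.path.join(root, "images"))
    with open(os.path.join(root, "dropped.cfm"), "wb") as f:
        f.write(demo_encode(b"<cfset x = 1>\r\n<cfoutput>#x#</cfoutput>"))
    with open(os.path.join(root, "index.cfm"), "wb") as f:
        f.write(b"<cfinclude template=\"dropped.cfm\">\r\n<html>ok</html>")
    with open(os.path.join(root, "images", "logo.png"), "wb") as f:
        f.write(b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for path, size, sha in find_encoded_templates(root):
        print(f"{sha}  {size:6d}  {path}")
        with open(path, "rb") as f:
            print("   decodes to:", demo_decode(f.read()))
```

Run it against a copy of the web root rather than the live tree, and keep the hashes with the incident notes: the same dropped template turning up on several sites, or a hash matching a sample seen elsewhere, tells you more about the intrusion than the decoded source alone.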


There is a program out there, cfdecrypt, that will help you decompile them. I haven't used it in years, but here is a link I found to a GitHub project:

https://github.com/disccomp/cfdecrypt

steve answered Oct 23 '22 03:10