TYPO3 CMS news management module SQL injection vulnerability analysis with exploit - vulnerability warning - the black bar safety net

ID MYHACK58:62201785232
Type myhack58
Reporter Anonymous
Modified 2017-04-14T00:00:00


Foreword

By sending orderByAllowed and orderBy via POST, we can control part of the SQL statement and obtain an SQL injection vulnerability.

Body

The news module is one of the most commonly used modules of the TYPO3 content management system, and it is now affected by an SQL injection vulnerability. Although the author contacted the vendor several times over four months, there is still no fix. We are now publishing the details of how to exploit it. Note also that the vulnerability is only exploitable when the module's overrideDemand setting is 1, which is the default.

Description

This module is a component in an MVC architecture. As a user, you can list and read news. The list action lets you define filter criteria for the news, such as author, category, publication date, etc. Below is a simplified fragment of the code from NewsController.php that is responsible for this. The comments are my own:

```php
// List of parameters that cannot be set by the user
protected $ignoredSettingsForOverride = ['demandClass', 'orderByAllowed'];

// This is our entry point.
// The only parameter, $overwriteDemand, is sent via POST
public function listAction(array $overwriteDemand = null)
{
    // Initializes a Demand object with default settings
    $demand = $this->createDemandObjectFromSettings($this->settings);

    // Sets up user-given settings from $overwriteDemand
    $demand = $this->overwriteDemandObject($demand, $overwriteDemand);

    // Builds an SQL query from the Demand object, and runs it
    $newsRecords = $this->newsRepository->findDemanded($demand);

    // Displays the results
    $this->view->display($newsRecords);
}

protected function overwriteDemandObject($demand, $overwriteDemand)
{
    // Some values cannot be set by the user: they are removed
    foreach ($this->ignoredSettingsForOverride as $property) {
        unset($overwriteDemand[$property]);
    }

    // Assign values that went through the filter by calling set<Property>($value)
    foreach ($overwriteDemand as $propertyName => $propertyValue) {
        $methodName = 'set' . ucfirst($propertyName);
        if (is_callable([$demand, $methodName])) {
            $demand->{$methodName}($propertyValue);
        }
    }
    return $demand;
}
```

After the Demand object is created, its properties are used to build the SQL query. For example, setting an author as a query condition adds a clause like:

```php
WHERE author='{$demand->getAuthor()}'
```

Principles

Any property may serve as a potential SQL injection vector. The possible criteria are listed below:

```php
public function setArchiveRestriction($archiveRestriction)
public function setCategories($categories)
public function setCategoryConjunction($categoryConjunction)
public function setIncludeSubCategories($includeSubCategories)
public function setAuthor($author)
public function setTags($tags)
public function setTimeRestriction($timeRestriction)
public function setTimeRestrictionHigh($timeRestrictionHigh)
public function setOrder($order)
public function setOrderByAllowed($orderByAllowed)
public function setTopNewsFirst($topNewsFirst)
public function setSearchFields($searchFields)
public function setTopNewsRestriction($topNewsRestriction)
public function setStoragePage($storagePage)
public function setDay($day)
public function setMonth($month)
public function setYear($year)
public function setLimit($limit)
public function setOffset($offset)
public function setDateField($dateField)
public function setSearch($search = null)
public function setExcludeAlreadyDisplayedNews($excludeAlreadyDisplayedNews)
public function setHideIdList($hideIdList)
```
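As an added defensive sketch (not code from the news extension or from this article's author), the following self-contained PHP shows the two controls that close this pattern: an explicit allowlist of overridable Demand properties with a validator per property instead of a blocklist feeding dynamically resolved setters, and a query that binds the free-text author value as a parameter while composing ORDER BY only from fixed column names. The Demand class, the column and table names, and the limits are simplified assumptions; it needs PHP 7.4 or later.

```php
<?php
// Added defensive sketch; Demand, column names and table name are assumptions.
final class Demand
{
    public ?string $author = null;
    public string $orderBy = 'datetime';
    public string $orderDir = 'DESC';
    public int $limit = 10;
}
// Allowlisted ORDER BY columns (assumed names): ordering is never built from raw input.
const ORDER_COLUMNS = ['datetime', 'title', 'crdate'];
// Only the keys named here may override the defaults, after validation; unknown keys
// such as orderByAllowed or demandClass are dropped and never reach a dynamic setter.
function overwriteDemandSafely(Demand $demand, array $overwriteDemand): Demand
{
    $validators = [
        'author'   => fn($v) => is_string($v) && strlen($v) <= 255,
        'orderBy'  => fn($v) => in_array($v, ORDER_COLUMNS, true),
        'orderDir' => fn($v) => in_array($v, ['ASC', 'DESC'], true),
        'limit'    => fn($v) => filter_var($v, FILTER_VALIDATE_INT,
                          ['options' => ['min_range' => 1, 'max_range' => 100]]) !== false,
    ];
    foreach ($validators as $property => $isValid) {
        if (isset($overwriteDemand[$property]) && $isValid($overwriteDemand[$property])) {
            $value = $overwriteDemand[$property];
            $demand->$property = $property === 'limit' ? (int) $value : $value;
        }
    }
    return $demand;
}
// The free-text author value is bound as a parameter instead of being interpolated
// into the string; ORDER BY and LIMIT use only allowlisted or validated values.
function buildQuery(Demand $demand): array
{
    $sql = 'SELECT * FROM news'; // table name is a placeholder
    $params = [];
    if ($demand->author !== null) {
        $sql .= ' WHERE author = :author';
        $params['author'] = $demand->author;
    }
    $sql .= sprintf(' ORDER BY %s %s LIMIT %d', $demand->orderBy, $demand->orderDir, $demand->limit);
    return [$sql, $params];
}
// Constructed sample POST data: the hostile orderBy and the unexpected key are discarded.
$posted = ['author' => "O'Brien", 'orderBy' => 'title; --', 'orderByAllowed' => '*', 'limit' => '5'];
[$sql, $params] = buildQuery(overwriteDemandSafely(new Demand(), $posted));
echo $sql, PHP_EOL;
print_r($params);
```

The resulting statement and parameter array would be handed to a prepared-statement API (for example PDO::prepare and execute), so the author string is never part of the SQL text.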
