Hacking TYPO3 v9

•

2 recomendaciones•1,502 vistas

Hacking (insecure) TYPO3 v9 site during TYPO3camp Mitteldeutschland 2019 (T3CMD). Demonstrating impact of Cross-Site Scripting, compromised HMAC signing using (disclosed) encryption key via Insecure Deserialization as well as SQL Injection via insecure TypoScript.

Tecnología

Hacking
TYPO3
Oliver Hader
oliver@typo3.org
@ohader
TYPO3camp Mitteldeutschland
January 2019

T3CMD19 TYPO3camp Mitteldeutschland 2019 - Hacking TYPO3
~# whoami
2
▪~# whoami
▪Oliver Hader, M.Sc.
▪50% freelance web software engineer
▪50% employed at TYPO3 GmbH, Düsseldorf
▪TYPO3 security team lead (since 2019)
▪#hof, #cycling, #paramedic, #in.die.musik

T3CMD19 TYPO3camp Mitteldeutschland 2019 - Hacking TYPO3
Basic Basics
3

T3CMD19 TYPO3camp Mitteldeutschland 2019 - Hacking TYPO3
Web Application Security
4
▪ CIA/compliance triad
▪ confidentiality
▪ private, personal, sensitive information
▪ integrity
▪ manipulation of information (“fake news”)
▪ availability
▪ denial of service
▪ online bank account
▪ blocking information flow
https://www.ibm.com/blogs/cloud-computing/2018/01/16/drive-compliance-cloud/

T3CMD19 TYPO3camp Mitteldeutschland 2019 - Hacking TYPO3 5
Web Application Security
Open Web Application Security Project - TOP 10 vulnerabilities
https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf
TYPO3 core TYPO3 3rd party extensionsPHP world
TYPO3vulnerabilitiesinpast5years

T3CMD19 TYPO3camp Mitteldeutschland 2019 - Hacking TYPO3 6
Web Application Security
OWASP - Application Security Risks
https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf

T3CMD19 TYPO3camp Mitteldeutschland 2019 - Hacking TYPO3
Exam
7

T3CMD19 TYPO3camp Mitteldeutschland 2019 - Hacking TYPO3
Exam
8
▪ $contentId = $_GET['id'] ?? 1;
▪ $statement = $connection->query($q="
▪ SELECT header,bodytext FROM tt_content
▪ WHERE uid='$contentId'
▪ ");
▪ $content = $statement->fetch();

T3CMD19 TYPO3camp Mitteldeutschland 2019 - Hacking TYPO3
Exam
9
▪ sqli.php?id=1%27%20UNION%20SELECT%20 
username%20password%20FROM%20be_users 
%20LIMIT%201,1%20--%20
▪ SELECT header, bodytext FROM tt_content 
WHERE uid='1' UNION SELECT username,
password FROM be_users LIMIT 1,1 –– '
▪ Reflected SQL Injection (retrieving values)

T3CMD19 TYPO3camp Mitteldeutschland 2019 - Hacking TYPO3
Exam
10
▪ $contentId = $_GET['id'] ?? 1;
▪ // alright, what shall we do here?
▪ $contentId = htmlspecialchars($contentId);
▪ $statement = $connection->query($q="
▪ SELECT header,bodytext FROM tt_content
▪ WHERE uid='$contentId'
▪ ");
▪ $content = $statement->fetch();

T3CMD19 TYPO3camp Mitteldeutschland 2019 - Hacking TYPO3
Exam
11
▪ $contentId = $_GET['id'] ?? 1;
▪ // alright, what shall we do here?
▪ $contentId = escapeshellarg($contentId);
▪ $statement = $connection->query($q="
▪ SELECT header,bodytext FROM tt_content
▪ WHERE uid='$contentId'
▪ ");
▪ $content = $statement->fetch();

T3CMD19 TYPO3camp Mitteldeutschland 2019 - Hacking TYPO3
Exam
12
▪ $contentId = $_GET['id'] ?? 1;
▪ // alright, what shall we do here?
▪ $contentId = $connection->quote(contentId);
▪ $statement = $connection->query($q="
▪ SELECT header,bodytext FROM tt_content
▪ WHERE uid='$contentId'
▪ ");
▪ $content = $statement->fetch();

T3CMD19 TYPO3camp Mitteldeutschland 2019 - Hacking TYPO3
Exam
13
▪ $contentId = $_GET['id'] ?? 1;
▪ // alright, what shall we do here?
▪ $contentId = (int)contentId;
▪ $statement = $connection->query($q="
▪ SELECT header,bodytext FROM tt_content
▪ WHERE uid='$contentId'
▪ ");
▪ $content = $statement->fetch();

Hacking
Playground 
https://github.com/
ohader/typo3v9-
hack/
14T3CMD19 TYPO3camp Mitteldeutschland 2019 - Hacking TYPO3

T3CMD19 TYPO3camp Mitteldeutschland 2019 - Hacking TYPO3
Hi-Jacking &
Remote Control
thanks to Cross-Site Scripting
15

T3CMD19 TYPO3camp Mitteldeutschland 2019 - Hacking TYPO3 16
Insecure Install Tool Cookie (HTTP-only flag missing)

T3CMD19 TYPO3camp Mitteldeutschland 2019 - Hacking TYPO3 17
Browser Exploitation Framework (admin/joh316)

T3CMD19 TYPO3camp Mitteldeutschland 2019 - Hacking TYPO3
Upgrade User
Privileges
thanks to 
Security Misconfiguration 
& Insecure Deserialization
18

T3CMD19 TYPO3camp Mitteldeutschland 2019 - Hacking TYPO3 19
Retrieve current XSRF token

T3CMD19 TYPO3camp Mitteldeutschland 2019 - Hacking TYPO3 20
… the XSRF token to be used for next attack …

T3CMD19 TYPO3camp Mitteldeutschland 2019 - Hacking TYPO3 21
“Render” LocalConfiguration.php instead of Thumbnail

T3CMD19 TYPO3camp Mitteldeutschland 2019 - Hacking TYPO3 22
… what else can we find here?

T3CMD19 TYPO3camp Mitteldeutschland 2019 - Hacking TYPO3 23
Extbase __trustedProperties deserialisation

T3CMD19 TYPO3camp Mitteldeutschland 2019 - Hacking TYPO3 24
HMAC signing of __trustedProperties - based on encryptionKey

T3CMD19 TYPO3camp Mitteldeutschland 2019 - Hacking TYPO3 25
Common attack via GuzzleHttpPsr7FnStream callback

T3CMD19 TYPO3camp Mitteldeutschland 2019 - Hacking TYPO3 26
… having new “h4ck3r31” admin account …

T3CMD19 TYPO3camp Mitteldeutschland 2019 - Hacking TYPO3
“Anything”
thanks to insecure TypoScript 
(Cross-Site Scripting & SQL Injection)
27

T3CMD19 TYPO3camp Mitteldeutschland 2019 - Hacking TYPO3 28
GET/POST data in TypoScript - insertData injection

T3CMD19 TYPO3camp Mitteldeutschland 2019 - Hacking TYPO3 29
… retrieving arbitrary values from database …

T3CMD19 TYPO3camp Mitteldeutschland 2019 - Hacking TYPO3 30
▪ TYPO3 Security Team needs YOU
▪ core, extension & infrastructure security
▪ GitHub, packagist.org - not only TER
▪ feedback, advise, educate
▪ analyse & hack (PoC)
▪ ask @ohader / oliver@typo3.org
TYPO3 Security Team

Más contenido relacionado

Similar a Hacking TYPO3 v9

Web Application Security Workshop (T3DD19)Oliver Hader

How to perform an Infrastructure Security Gap AnalysisCarlo Dapino

TYPO3 & GDPR, presented on the T3DD18Georg Ringer

Macro malware common techniques - publicSecurity Bootcamp

Digital Signage Systems - The Modern Hacker's OutreachZero Science Lab

annoy fraudsters using hash tablesSebastian Damm

Client Side Security - Black Hat Amsterdam 2008guest642391

ReadingSEO - Technical SEO at ScaleHayden Roche

ITCamp 2018 - Florin Coros - ‘Cloud Ready’ Design through Application Softwar...ITCamp

‘Cloud Ready’ Design through Application Software InfrastructureFlorin Coros

How we manage React Microfrontends at JobMatchMeFelix Kühl

SAST für TYPO3 ExtensionsOliver Hader

Doctrine on IBMiGuidoFaecke1

Let's write secure Drupal code! - DrupalCamp Spain 2019Balázs Tatár

MongoDB Days UK: Using MongoDB and Python for Data Analysis PipelinesMongoDB

T3DD23 Content Security Policy - Concept, Strategies & PitfallsOliver Hader

Decentralizing CI/CD Pipelines (In Go)Neil Primmer

WebAuthn - The End of the Password As We Know It?Thomas Konrad

Xamarin Under The Hood - Dan ArdeleanITCamp

MLSD18. End-to-End Machine LearningBigML, Inc

Similar a Hacking TYPO3 v9 (20)

Web Application Security Workshop (T3DD19)

How to perform an Infrastructure Security Gap Analysis

TYPO3 & GDPR, presented on the T3DD18

Macro malware common techniques - public

Digital Signage Systems - The Modern Hacker's Outreach

annoy fraudsters using hash tables

Client Side Security - Black Hat Amsterdam 2008

ReadingSEO - Technical SEO at Scale

ITCamp 2018 - Florin Coros - ‘Cloud Ready’ Design through Application Softwar...

‘Cloud Ready’ Design through Application Software Infrastructure

How we manage React Microfrontends at JobMatchMe

SAST für TYPO3 Extensions

Doctrine on IBMi

Let's write secure Drupal code! - DrupalCamp Spain 2019

MongoDB Days UK: Using MongoDB and Python for Data Analysis Pipelines

T3DD23 Content Security Policy - Concept, Strategies & Pitfalls

Decentralizing CI/CD Pipelines (In Go)

WebAuthn - The End of the Password As We Know It?

Xamarin Under The Hood - Dan Ardelean

MLSD18. End-to-End Machine Learning

Más de Oliver Hader

TYPO3camp Munich 2018 - Keynote - "Wo woll'n mer denn hin?"Oliver Hader

TYPO3 CMS - Datenmodifikation & Event Sourcing (Masterarbeit)Oliver Hader

TYPO3 Event SourcingOliver Hader

H4CK1N6 - Web Application SecurityOliver Hader

TYPO3 Backstage DevelopmentOliver Hader

Vor- und Nachteile von Web Components mit Polymer gegenüber AngularJS ohne P...Oliver Hader

WebGL - 3D im Browser - Erfahrungsbericht mit BabylonJSOliver Hader

Web ComponentsOliver Hader

Web application securityOliver Hader

Contribute to TYPO3 CMSOliver Hader

T3CON13DE - TYPO3 CMS TeamOliver Hader

TYPO3camp Regensburg: TYPO3 6.0Oliver Hader

TYPO3 Inline Relational Record Editing (IRRE)Oliver Hader

TYPO3 4.6 & TYPO3 4.7Oliver Hader

Más de Oliver Hader (14)

TYPO3camp Munich 2018 - Keynote - "Wo woll'n mer denn hin?"

TYPO3 CMS - Datenmodifikation & Event Sourcing (Masterarbeit)

TYPO3 Event Sourcing

H4CK1N6 - Web Application Security

TYPO3 Backstage Development

Vor- und Nachteile von Web Components mit Polymer gegenüber AngularJS ohne P...

WebGL - 3D im Browser - Erfahrungsbericht mit BabylonJS

Web Components

Web application security

Contribute to TYPO3 CMS

T3CON13DE - TYPO3 CMS Team

TYPO3camp Regensburg: TYPO3 6.0

TYPO3 Inline Relational Record Editing (IRRE)

TYPO3 4.6 & TYPO3 4.7

Último

Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung

Boost Fertility New Invention Ups Success Rates.pdfsudhanshuwaghmare1

Automating Google Workspace (GWS) & more with Apps Scriptwesley chun

Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software

MINDCTI Revenue Release Quarter One 2024MIND CTI

The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los

Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services

A Domino Admins Adventures (Engage 2024)Gabriella Davis

Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUK Journal

Manulife - Insurer Innovation Award 2024The Digital Insurer

Top 10 Most Downloaded Games on Play Store in 2024SynarionITSolutions

Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer

From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo

Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun

Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsRoshan Dwivedi

Why Teams call analytics are critical to your entire businesspanagenda

Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...DianaGray10

Hacking TYPO3 v9

1. Hacking TYPO3 Oliver Hader oliver@typo3.org @ohader TYPO3camp Mitteldeutschland January 2019

2. T3CMD19 TYPO3camp Mitteldeutschland 2019 - Hacking TYPO3 ~# whoami 2 ▪~# whoami ▪Oliver Hader, M.Sc. ▪50% freelance web software engineer ▪50% employed at TYPO3 GmbH, Düsseldorf ▪TYPO3 security team lead (since 2019) ▪#hof, #cycling, #paramedic, #in.die.musik

3. T3CMD19 TYPO3camp Mitteldeutschland 2019 - Hacking TYPO3 Basic Basics 3

4. T3CMD19 TYPO3camp Mitteldeutschland 2019 - Hacking TYPO3 Web Application Security 4 ▪ CIA/compliance triad ▪ confidentiality ▪ private, personal, sensitive information ▪ integrity ▪ manipulation of information (“fake news”) ▪ availability ▪ denial of service ▪ online bank account ▪ blocking information flow https://www.ibm.com/blogs/cloud-computing/2018/01/16/drive-compliance-cloud/

5. T3CMD19 TYPO3camp Mitteldeutschland 2019 - Hacking TYPO3 5 Web Application Security Open Web Application Security Project - TOP 10 vulnerabilities https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf TYPO3 core TYPO3 3rd party extensionsPHP world TYPO3vulnerabilitiesinpast5years

6. T3CMD19 TYPO3camp Mitteldeutschland 2019 - Hacking TYPO3 6 Web Application Security OWASP - Application Security Risks https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf

7. T3CMD19 TYPO3camp Mitteldeutschland 2019 - Hacking TYPO3 Exam 7

8. T3CMD19 TYPO3camp Mitteldeutschland 2019 - Hacking TYPO3 Exam 8 ▪ $contentId = $_GET['id'] ?? 1; ▪ $statement = $connection->query($q=" ▪ SELECT header,bodytext FROM tt_content ▪ WHERE uid='$contentId' ▪ "); ▪ $content = $statement->fetch();

9. T3CMD19 TYPO3camp Mitteldeutschland 2019 - Hacking TYPO3 Exam 9 ▪ sqli.php?id=1%27%20UNION%20SELECT%20  username%20password%20FROM%20be_users  %20LIMIT%201,1%20--%20 ▪ SELECT header, bodytext FROM tt_content  WHERE uid='1' UNION SELECT username, password FROM be_users LIMIT 1,1 –– ' ▪ Reflected SQL Injection (retrieving values)

10. T3CMD19 TYPO3camp Mitteldeutschland 2019 - Hacking TYPO3 Exam 10 ▪ $contentId = $_GET['id'] ?? 1; ▪ // alright, what shall we do here? ▪ $contentId = htmlspecialchars($contentId); ▪ $statement = $connection->query($q=" ▪ SELECT header,bodytext FROM tt_content ▪ WHERE uid='$contentId' ▪ "); ▪ $content = $statement->fetch();

11. T3CMD19 TYPO3camp Mitteldeutschland 2019 - Hacking TYPO3 Exam 11 ▪ $contentId = $_GET['id'] ?? 1; ▪ // alright, what shall we do here? ▪ $contentId = escapeshellarg($contentId); ▪ $statement = $connection->query($q=" ▪ SELECT header,bodytext FROM tt_content ▪ WHERE uid='$contentId' ▪ "); ▪ $content = $statement->fetch();

12. T3CMD19 TYPO3camp Mitteldeutschland 2019 - Hacking TYPO3 Exam 12 ▪ $contentId = $_GET['id'] ?? 1; ▪ // alright, what shall we do here? ▪ $contentId = $connection->quote(contentId); ▪ $statement = $connection->query($q=" ▪ SELECT header,bodytext FROM tt_content ▪ WHERE uid='$contentId' ▪ "); ▪ $content = $statement->fetch();

13. T3CMD19 TYPO3camp Mitteldeutschland 2019 - Hacking TYPO3 Exam 13 ▪ $contentId = $_GET['id'] ?? 1; ▪ // alright, what shall we do here? ▪ $contentId = (int)contentId; ▪ $statement = $connection->query($q=" ▪ SELECT header,bodytext FROM tt_content ▪ WHERE uid='$contentId' ▪ "); ▪ $content = $statement->fetch();

14. Hacking Playground  https://github.com/ ohader/typo3v9- hack/ 14T3CMD19 TYPO3camp Mitteldeutschland 2019 - Hacking TYPO3

15. T3CMD19 TYPO3camp Mitteldeutschland 2019 - Hacking TYPO3 Hi-Jacking & Remote Control thanks to Cross-Site Scripting 15

16. T3CMD19 TYPO3camp Mitteldeutschland 2019 - Hacking TYPO3 16 Insecure Install Tool Cookie (HTTP-only flag missing)

17. T3CMD19 TYPO3camp Mitteldeutschland 2019 - Hacking TYPO3 17 Browser Exploitation Framework (admin/joh316)

18. T3CMD19 TYPO3camp Mitteldeutschland 2019 - Hacking TYPO3 Upgrade User Privileges thanks to  Security Misconfiguration  & Insecure Deserialization 18

19. T3CMD19 TYPO3camp Mitteldeutschland 2019 - Hacking TYPO3 19 Retrieve current XSRF token

20. T3CMD19 TYPO3camp Mitteldeutschland 2019 - Hacking TYPO3 20 … the XSRF token to be used for next attack …

21. T3CMD19 TYPO3camp Mitteldeutschland 2019 - Hacking TYPO3 21 “Render” LocalConfiguration.php instead of Thumbnail

22. T3CMD19 TYPO3camp Mitteldeutschland 2019 - Hacking TYPO3 22 … what else can we find here?

23. T3CMD19 TYPO3camp Mitteldeutschland 2019 - Hacking TYPO3 23 Extbase __trustedProperties deserialisation

24. T3CMD19 TYPO3camp Mitteldeutschland 2019 - Hacking TYPO3 24 HMAC signing of __trustedProperties - based on encryptionKey

25. T3CMD19 TYPO3camp Mitteldeutschland 2019 - Hacking TYPO3 25 Common attack via GuzzleHttpPsr7FnStream callback

26. T3CMD19 TYPO3camp Mitteldeutschland 2019 - Hacking TYPO3 26 … having new “h4ck3r31” admin account …

27. T3CMD19 TYPO3camp Mitteldeutschland 2019 - Hacking TYPO3 “Anything” thanks to insecure TypoScript  (Cross-Site Scripting & SQL Injection) 27

28. T3CMD19 TYPO3camp Mitteldeutschland 2019 - Hacking TYPO3 28 GET/POST data in TypoScript - insertData injection

29. T3CMD19 TYPO3camp Mitteldeutschland 2019 - Hacking TYPO3 29 … retrieving arbitrary values from database …

30. T3CMD19 TYPO3camp Mitteldeutschland 2019 - Hacking TYPO3 30 ▪ TYPO3 Security Team needs YOU ▪ core, extension & infrastructure security ▪ GitHub, packagist.org - not only TER ▪ feedback, advise, educate ▪ analyse & hack (PoC) ▪ ask @ohader / oliver@typo3.org TYPO3 Security Team

Hacking TYPO3 v9

Recomendados

Recomendados

Más contenido relacionado

Similar a Hacking TYPO3 v9

Similar a Hacking TYPO3 v9 (20)

Más de Oliver Hader

Más de Oliver Hader (14)

Último

Último (20)

Hacking TYPO3 v9