Module: Msf::Exploit::Remote::HTTP::Typo3::Login

Included in:
Msf::Exploit::Remote::HTTP::Typo3
Defined in:
lib/msf/core/exploit/remote/http/typo3/login.rb

Instance Method Summary

Instance Method Details

#typo3_admin_cookie_valid?(cookiestring) ⇒ Boolean

Verifies cookies by calling the backend and checking the response.

Parameters:

  • cookiestring (String)

    The http cookies as a concatenated string

Returns:

  • (Boolean)

    true if the cookie is valid, false otherwise



# File 'lib/msf/core/exploit/remote/http/typo3/login.rb', line 80

# Verifies cookies by requesting the backend with them and inspecting the
# response.
#
# The cookies count as valid only when the backend answers with HTTP 200 and
# the body contains the <body ... id="typo3-backend-php"> element; a missing
# response, any other status code, or an empty body all yield false.
#
# @param cookiestring [String] the HTTP cookies as a concatenated string
# @return [Boolean] true if the cookie is valid, false otherwise
def typo3_admin_cookie_valid?(cookiestring)
  backend_marker = /<body [^>]+ id="typo3-backend-php">/
  request_opts = {
    'method' => 'GET',
    'uri' => typo3_url_backend,
    'cookie' => cookiestring,
    'headers' => { 'Referer' => full_uri }
  }
  response = send_request_cgi(request_opts)

  # No response, or a non-200 status, means the backend did not accept the cookies.
  return false unless response && response.code == 200

  page = response.body
  return false unless page

  (page =~ backend_marker) ? true : false
end

#typo3_backend_login(user, pass) ⇒ String?

performs a typo3 backend login

Parameters:

  • user (String)

    Username

  • pass (String)

    Password

Returns:

  • (String, nil)

    the session cookies as a single string on successful login, nil otherwise



# File 'lib/msf/core/exploit/remote/http/typo3/login.rb', line 9

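# Performs a TYPO3 backend login and returns the resulting session cookies.
#
# Flow: fetch the login page, read the RSA public exponent (rsa_e) and modulus
# (rsa_n) from its hidden form fields, RSA-encrypt the password, post the
# login form, then confirm the returned cookies against the backend.
#
# NOTE(review): the rendered listing had lost several identifiers (method
# name, login URI helper, RSA helper call, login-response variable). They are
# restored here: `typo3_backend_login` from the page heading, and
# `typo3_url_login` / `typo3_helper_login_rsa` from the sibling Typo3 mixins.
#
# @param user [String] Username
# @param pass [String] Password
# @return [String, nil] the session cookies as a single string on successful
#   login, nil otherwise
def typo3_backend_login(user, pass)
  # get login page for RSA modulus and exponent
  res_main = send_request_cgi({
    'method' => 'GET',
    'uri' => typo3_url_login
  })

  unless res_main && res_main.code == 200
    vprint_error('Can not reach login page')
    return nil
  end

  # A 200 with no body is reported as a missing rsa_e value instead of raising
  # NoMethodError on nil.
  login_html = res_main.body.to_s

  e_match = login_html.match(/<input type="hidden" id="rsa_e" name="e" value="(\d+)" \/>/)
  if e_match.nil?
    vprint_error('Can not find rsa_e value')
    return nil
  end
  e = e_match[1]

  n_match = login_html.match(/<input type="hidden" id="rsa_n" name="n" value="(\w+)" \/>/)
  if n_match.nil?
    vprint_error('Can not find rsa_n value')
    return nil
  end
  n = n_match[1]

  vprint_status("e: #{e}")
  vprint_status("n: #{n}")
  rsa_enc = typo3_helper_login_rsa(e, n, pass)
  # Verbose output includes the RSA-encrypted password; handle verbose logs as
  # credential material.
  vprint_status("RSA Hash: #{rsa_enc}")

  # make login request; the password travels only as the RSA-encrypted
  # 'userident' value, while 'n', 'e' and 'p_field' are posted empty
  vars_post = {
    'n' => '',
    'e' => '',
    'login_status' => 'login',
    'userident' => rsa_enc,
    'redirect_url' => 'backend.php',
    'loginRefresh' => '',
    'interface' => 'backend',
    'username' => user,
    'p_field' => '',
    'commandLI' => 'Login'
  }
  res_login = send_request_cgi({
    'method' => 'POST',
    'uri' => typo3_url_login,
    'cookie' => res_main.get_cookies,
    'vars_post' => vars_post,
    'headers' => {'Referer' => full_uri}
  })

  if res_login
    login_body = res_login.body.to_s
    if login_body =~ /<!-- ###LOGIN_ERROR### begin -->(.*)<!-- ###LOGIN_ERROR### end -->/im
      # the login template rendered its error block: report the text and fail
      vprint_status(strip_tags(Regexp.last_match(1)))
      return nil
    elsif login_body =~ /<p class="t3-error-text">(.*?)<\/p>/im
      vprint_status(strip_tags(Regexp.last_match(1)))
      return nil
    else
      # no error marker is not yet proof of success: the cookies must also
      # open the backend
      cookies = res_login.get_cookies
      return cookies if typo3_admin_cookie_valid?(cookies)
      return nil
    end
  end

  nil
end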