Download as PDF, PPTX
![T3CMD19 TYPO3camp Mitteldeutschland 2019 - Hacking TYPO3
Exam
8
▪ $contentId = $_GET['id'] ?? 1;
▪ $statement = $connection->query($q="
▪ SELECT header,bodytext FROM tt_content
▪ WHERE uid='$contentId'
▪ ");
▪ $content = $statement->fetch();](https://image.slidesharecdn.com/hackingtypo3-190126095022/75/Hacking-TYPO3-v9-8-2048.jpg)
![T3CMD19 TYPO3camp Mitteldeutschland 2019 - Hacking TYPO3
Exam
10
▪ $contentId = $_GET['id'] ?? 1;
▪ // alright, what shall we do here?
▪ $contentId = htmlspecialchars($contentId);
▪ $statement = $connection->query($q="
▪ SELECT header,bodytext FROM tt_content
▪ WHERE uid='$contentId'
▪ ");
▪ $content = $statement->fetch();](https://image.slidesharecdn.com/hackingtypo3-190126095022/75/Hacking-TYPO3-v9-10-2048.jpg)
![T3CMD19 TYPO3camp Mitteldeutschland 2019 - Hacking TYPO3
Exam
11
▪ $contentId = $_GET['id'] ?? 1;
▪ // alright, what shall we do here?
▪ $contentId = escapeshellarg($contentId);
▪ $statement = $connection->query($q="
▪ SELECT header,bodytext FROM tt_content
▪ WHERE uid='$contentId'
▪ ");
▪ $content = $statement->fetch();](https://image.slidesharecdn.com/hackingtypo3-190126095022/75/Hacking-TYPO3-v9-11-2048.jpg)
![T3CMD19 TYPO3camp Mitteldeutschland 2019 - Hacking TYPO3
Exam
12
▪ $contentId = $_GET['id'] ?? 1;
▪ // alright, what shall we do here?
▪ $contentId = $connection->quote(contentId);
▪ $statement = $connection->query($q="
▪ SELECT header,bodytext FROM tt_content
▪ WHERE uid='$contentId'
▪ ");
▪ $content = $statement->fetch();](https://image.slidesharecdn.com/hackingtypo3-190126095022/75/Hacking-TYPO3-v9-12-2048.jpg)
![T3CMD19 TYPO3camp Mitteldeutschland 2019 - Hacking TYPO3
Exam
13
▪ $contentId = $_GET['id'] ?? 1;
▪ // alright, what shall we do here?
▪ $contentId = (int)contentId;
▪ $statement = $connection->query($q="
▪ SELECT header,bodytext FROM tt_content
▪ WHERE uid='$contentId'
▪ ");
▪ $content = $statement->fetch();](https://image.slidesharecdn.com/hackingtypo3-190126095022/75/Hacking-TYPO3-v9-13-2048.jpg)
Uploaded byOliver Hader
Hacking TYPO3 v9
The document presents a talk by Oliver Hader at Typo3Camp Mitteldeutschland 2019, focusing on web application security, particularly vulnerabilities associated with Typo3. It covers the Open Web Application Security Project's top vulnerabilities, SQL injection examples, and security misconfigurations in Typo3 installations. Hader emphasizes the importance of security awareness and contributions to the Typo3 security team for improved core and extension security.
![Coded Agents – with UiPath SDK + LangGraph [Virtual Hands-on Workshop]](https://cdn.slidesharecdn.com/ss_thumbnails/codedagentsdeck-251215155422-5497c599-thumbnail.jpg?width=640&height=640&fit=bounds)
Hacking TYPO3 v9
- 1.
- 2. T3CMD19 TYPO3camp Mitteldeutschland2019 - Hacking TYPO3 ~# whoami 2 ▪~# whoami ▪Oliver Hader, M.Sc. ▪50% freelance web software engineer ▪50% employed at TYPO3 GmbH, Düsseldorf ▪TYPO3 security team lead (since 2019) ▪#hof, #cycling, #paramedic, #in.die.musik
- 3. T3CMD19 TYPO3camp Mitteldeutschland2019 - Hacking TYPO3 Basic Basics 3
- 4. T3CMD19 TYPO3camp Mitteldeutschland2019 - Hacking TYPO3 Web Application Security 4 ▪ CIA/compliance triad ▪ confidentiality ▪ private, personal, sensitive information ▪ integrity ▪ manipulation of information (“fake news”) ▪ availability ▪ denial of service ▪ online bank account ▪ blocking information flow https://www.ibm.com/blogs/cloud-computing/2018/01/16/drive-compliance-cloud/
- 5. T3CMD19 TYPO3camp Mitteldeutschland2019 - Hacking TYPO3 5 Web Application Security Open Web Application Security Project - TOP 10 vulnerabilities https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf TYPO3 core TYPO3 3rd party extensionsPHP world TYPO3vulnerabilitiesinpast5years
- 6. T3CMD19 TYPO3camp Mitteldeutschland2019 - Hacking TYPO3 6 Web Application Security OWASP - Application Security Risks https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf
- 7. T3CMD19 TYPO3camp Mitteldeutschland2019 - Hacking TYPO3 Exam 7
- 8. T3CMD19 TYPO3camp Mitteldeutschland2019 - Hacking TYPO3 Exam 8 ▪ $contentId = $_GET['id'] ?? 1; ▪ $statement = $connection->query($q=" ▪ SELECT header,bodytext FROM tt_content ▪ WHERE uid='$contentId' ▪ "); ▪ $content = $statement->fetch();
- 9. T3CMD19 TYPO3camp Mitteldeutschland2019 - Hacking TYPO3 Exam 9 ▪ sqli.php?id=1%27%20UNION%20SELECT%20 username%20password%20FROM%20be_users %20LIMIT%201,1%20--%20 ▪ SELECT header, bodytext FROM tt_content WHERE uid='1' UNION SELECT username, password FROM be_users LIMIT 1,1 –– ' ▪ Reflected SQL Injection (retrieving values)
- 10. T3CMD19 TYPO3camp Mitteldeutschland2019 - Hacking TYPO3 Exam 10 ▪ $contentId = $_GET['id'] ?? 1; ▪ // alright, what shall we do here? ▪ $contentId = htmlspecialchars($contentId); ▪ $statement = $connection->query($q=" ▪ SELECT header,bodytext FROM tt_content ▪ WHERE uid='$contentId' ▪ "); ▪ $content = $statement->fetch();
- 11. T3CMD19 TYPO3camp Mitteldeutschland2019 - Hacking TYPO3 Exam 11 ▪ $contentId = $_GET['id'] ?? 1; ▪ // alright, what shall we do here? ▪ $contentId = escapeshellarg($contentId); ▪ $statement = $connection->query($q=" ▪ SELECT header,bodytext FROM tt_content ▪ WHERE uid='$contentId' ▪ "); ▪ $content = $statement->fetch();
- 12. T3CMD19 TYPO3camp Mitteldeutschland2019 - Hacking TYPO3 Exam 12 ▪ $contentId = $_GET['id'] ?? 1; ▪ // alright, what shall we do here? ▪ $contentId = $connection->quote(contentId); ▪ $statement = $connection->query($q=" ▪ SELECT header,bodytext FROM tt_content ▪ WHERE uid='$contentId' ▪ "); ▪ $content = $statement->fetch();
- 13. T3CMD19 TYPO3camp Mitteldeutschland2019 - Hacking TYPO3 Exam 13 ▪ $contentId = $_GET['id'] ?? 1; ▪ // alright, what shall we do here? ▪ $contentId = (int)contentId; ▪ $statement = $connection->query($q=" ▪ SELECT header,bodytext FROM tt_content ▪ WHERE uid='$contentId' ▪ "); ▪ $content = $statement->fetch();
- 14.
- 15. T3CMD19 TYPO3camp Mitteldeutschland2019 - Hacking TYPO3 Hi-Jacking & Remote Control thanks to Cross-Site Scripting 15
- 16. T3CMD19 TYPO3camp Mitteldeutschland2019 - Hacking TYPO3 16 Insecure Install Tool Cookie (HTTP-only flag missing)
- 17. T3CMD19 TYPO3camp Mitteldeutschland2019 - Hacking TYPO3 17 Browser Exploitation Framework (admin/joh316)
- 18. T3CMD19 TYPO3camp Mitteldeutschland2019 - Hacking TYPO3 Upgrade User Privileges thanks to Security Misconfiguration & Insecure Deserialization 18
- 19. T3CMD19 TYPO3camp Mitteldeutschland2019 - Hacking TYPO3 19 Retrieve current XSRF token
- 20. T3CMD19 TYPO3camp Mitteldeutschland2019 - Hacking TYPO3 20 … the XSRF token to be used for next attack …
- 21. T3CMD19 TYPO3camp Mitteldeutschland2019 - Hacking TYPO3 21 “Render” LocalConfiguration.php instead of Thumbnail
- 22. T3CMD19 TYPO3camp Mitteldeutschland2019 - Hacking TYPO3 22 … what else can we find here?
- 23. T3CMD19 TYPO3camp Mitteldeutschland2019 - Hacking TYPO3 23 Extbase __trustedProperties deserialisation
- 24. T3CMD19 TYPO3camp Mitteldeutschland2019 - Hacking TYPO3 24 HMAC signing of __trustedProperties - based on encryptionKey
- 25. T3CMD19 TYPO3camp Mitteldeutschland2019 - Hacking TYPO3 25 Common attack via GuzzleHttpPsr7FnStream callback
- 26. T3CMD19 TYPO3camp Mitteldeutschland2019 - Hacking TYPO3 26 … having new “h4ck3r31” admin account …
- 27. T3CMD19 TYPO3camp Mitteldeutschland2019 - Hacking TYPO3 “Anything” thanks to insecure TypoScript (Cross-Site Scripting & SQL Injection) 27
- 28. T3CMD19 TYPO3camp Mitteldeutschland2019 - Hacking TYPO3 28 GET/POST data in TypoScript - insertData injection
- 29. T3CMD19 TYPO3camp Mitteldeutschland2019 - Hacking TYPO3 29 … retrieving arbitrary values from database …
- 30. T3CMD19 TYPO3camp Mitteldeutschland2019 - Hacking TYPO3 30 ▪ TYPO3 Security Team needs YOU ▪ core, extension & infrastructure security ▪ GitHub, packagist.org - not only TER ▪ feedback, advise, educate ▪ analyse & hack (PoC) ▪ ask @ohader / oliver@typo3.org TYPO3 Security Team