Ramblings of the änal security guy

Sometimes pointless, always rambling, best ignored…

Tools/Scripts

Proof of Concepts

Typo3 Default Encryption Keys

As detailed in the “Typo3 – Encryption Key” vulnerability announcement (Typo3-sa-2009-001), the Proof of Concept code used to re-create the default Typo3 encryption keys, as well as to run offline dictionary attacks against Typo3 encryption keys, can be found below. A new Python script is also available for download that performs both attacks: the check against the known default Encryption Keys and the dictionary based attack. The Python script can also be used to create a valid malicious URL using the recovered Encryption Key.

NOTE: These PoC scripts are designed to demonstrate the vulnerability and are not to be used for unauthorised hacking of Typo3 systems.

Python - Typo3 – Encryption Key Tool (version 1.22)

This PoC python script can be used to perform offline dictionary attacks against Typo3 servers. The script takes a URL as input and attempts to discover the Typo3 Encryption Key using the known default keys (1000 of them), as well as a dictionary style attack (using a user defined dictionary). If the encryption key is recovered the script will also give the user the option to create a malicious link with a newly created (and valid) MD5 hash. Information from a valid Typo3 showpic.php URL is required to perform this attack.

NOTE: Version 1.22 corrected a slight typing mistake in the attack string creation portion of the script: bodytag should be bodyTag, a small but fatal error when trying to match an MD5 ;)

Outdated: Shell Script - Typo3 – Encryption Key Dictionary Attack script

This PoC shell script can be used to perform an offline dictionary attack against Typo3 servers. Information from a valid Typo3 showpic.php URL is required to perform this attack. –> This method is outdated. Please see the Python script above as a replacement for this script.

Outdated: Shell Script – Typo3 – Default Encryption Key Generator

This PoC shell script outputs all possible default encryption keys (based on Typo3 4.2.3). –> This method is outdated. Please see the Python script above as a replacement for this script.

Typo3 – Default Keys (Typo3 versions < 4.2.3)

This file contains a pre-compiled list of default encryption keys (based on Typo3 4.2.3).
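The practical use of a list like this on the defensive side is to audit your own installation: confirm that the configured encryptionKey is not one of the known defaults (and is not otherwise weak) and, if it is, replace it with a key drawn from a proper CSPRNG. The script below is an added example written for this page; it is not part of the Typo3 tool or the download above. The key list it parses is a constructed placeholder in the same one-key-per-line shape as the downloadable file (the values are not real Typo3 defaults), the localconf.php assignment format it matches is the Typo3 4.x `$TYPO3_CONF_VARS['SYS']['encryptionKey']` line, and the minimum length and character diversity thresholds are assumed policy values, not figures from the page.

```python
import re
import secrets

# Constructed placeholder list in the same "one key per line" shape as the
# downloadable default key file. These are NOT real Typo3 default keys.
SAMPLE_DEFAULT_KEYS = """\
# constructed placeholders, one key per line
0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef

cafebabecafebabecafebabecafebabecafebabecafebabecafebabecafebabe
"""

# Assumed policy values (not from the page): a key shorter than this, or built
# from very few distinct characters, is flagged even if it is not a known default.
MIN_KEY_LENGTH = 32
MIN_DISTINCT_CHARS = 8


def load_key_list(text):
    """Parse a key list: one key per line, blank lines and '#' comments ignored."""
    keys = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            keys.add(line)
    return keys


def extract_key_from_localconf(php_source):
    """Pull the key out of a Typo3 4.x style localconf.php assignment:
    $TYPO3_CONF_VARS['SYS']['encryptionKey'] = '...';
    Returns None if no such assignment is present."""
    pattern = r"""\$TYPO3_CONF_VARS\['SYS'\]\['encryptionKey'\]\s*=\s*(['"])(.*?)\1\s*;"""
    match = re.search(pattern, php_source)
    return match.group(2) if match else None


def audit_encryption_key(key, default_keys):
    """Return a list of findings for the key; an empty list means nothing was flagged."""
    if not key:
        return ["empty"]
    findings = []
    if key in default_keys:
        findings.append("known-default")
    if len(key) < MIN_KEY_LENGTH:
        findings.append("too-short")
    if len(set(key)) < MIN_DISTINCT_CHARS:
        findings.append("low-diversity")
    return findings


def generate_encryption_key(hex_chars=96):
    """Mint a replacement key from the OS CSPRNG (96 hex characters by default)."""
    return secrets.token_hex(hex_chars // 2)


if __name__ == "__main__":
    defaults = load_key_list(SAMPLE_DEFAULT_KEYS)
    # Constructed localconf.php fragment using one of the placeholder keys.
    sample_conf = "$TYPO3_CONF_VARS['SYS']['encryptionKey'] = '" + "deadbeef" * 8 + "';"
    key = extract_key_from_localconf(sample_conf)
    print("configured key findings:", audit_encryption_key(key, defaults))
    print("suggested replacement  :", generate_encryption_key())
```

Run it against the real default key file by reading that file into `load_key_list` and pointing `extract_key_from_localconf` at the installation's typo3conf/localconf.php; a non-empty findings list means the key should be rotated, after which any URLs carrying an md5 computed under the old key (showpic links included) will stop validating, which is the intended effect.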

9 Responses to “Tools/Scripts”

  1. [...] Tools/Scripts [...]

  2. Jim said

    Thx for the demonstration! But what version of Python is required for the script? I tried 2.5, 2.6 and 3.1…. I always get some error, it seems that the script could not split the string. The best version with the least errors was 2.5. greetings jim

  3. Hi Jim,

    Glad you liked the demo/tool. It was developed using Python 2.5.1 and tested on Debian / SuSE and Backtrack 3. Can you give me details of the error message and I’ll see if I can troubleshoot.

    The URL should look something like this .:

    http://localhost:8503/index.php?eID=tx_cms_showpic&file=uploads%2Fpics%2Fjonathan.jpg&width=800m&height=600m&bodyTag=%3Cbody%20bgcolor%3D%22black%22%3E&wrap=%3Ca%20href%3D%22javascript%3Aclose%28%29%3B%22%3E%20%7C%20%3C%2Fa%3E&md5=78f4d21442cb4dc8281f6585adaee960

    If you take a look into the script it’s pretty easy to see what it’s doing.

    Checkout http://storage.c22.cc/TYPO3-InsecureRandomness.txt for a breakdown of the problem if you’ve not already seen it.

  4. Jim said

    Hi Chris,

    Thanks for your answer! I have already looked into this script, and I see what it is doing. But I’m not able to find the mistake…
    Now I tried it with 2.5 on WinXP. I used the command: python TYPO3EncKeyTool.py --default --url http://mydomain.de/index.php?eID=tx_cms_showpic&file=uploads%2Ftx_mmdamfilelist%2Ftemp_63662056a4.jpg&width=400&wrap=%3CA%20href%3D%22javascript%3Aclose%28%29%3B%22%3E%20%7C%20%3C%2FA%3E&md5=0602930af0dd42d6d998080e120a848e

    It splits the first part of the URL right (“http://mydomain.de/index.php?eID=tx_cms_showpic”),
    then it writes: “Test string: <… BRUTE FORCE ….”
    then “Desired MD5: ”
    “Beginning default Encryption Key attack
    Default Hash not found.

    The Command "file" is wrong or could not be found.
    The Command "width" is wrong or could not be found.
    The Command "wrap" is wrong or could not be found.
    The Command "md5" is wrong or could not be found.

    ”

  5. Ok, I think the issue is that you need to put the URL between single quotes ‘ ‘ to get it fully into the script. If you don’t then it will get split up into separate commands due to the pipe and ampersand symbols.

  6. Jim said

    No, I had tried this at the beginning of testing. When I use the single quotes I get this message from the script:

    Data extracted from URL .:

    Base URL | http://’http://mydomain.de/index.php?eID=tx_cms_showpic

    ——————————————-

    Attempting to find a matching MD5
    ——————————————-

    Test string | ||||||||
    ——————————————-

    Desired MD5 |
    ——————————————-

    Beginning default Encryption Key attack

    The http:// seems to be double….

  7. jim said

    Now I used double quotes. It seems to work better on XP:

    Data extracted from URL .:

    Base URL | http://mydomain.de/index.php?eID=tx_cms_showpic
    file | uploads%2Ftx_mmdamfilelist%2Ftemp_63662056a4.jpg
    width | 400
    wrap | %3CA%20href%3D%22javascript%3Aclose%28%29%3B%22%3E%20%7C%20%3C%2FA%3E
    md5 | 0602930af0dd42d6d998080e120a848e

    ——————————————————————————–

    Attempting to find a matching MD5
    ——————————————————————————–

    Test string | uploads/tx_mmdamfilelist/temp_63662056a4.jpg|400||||| | ||
    ——————————————————————————–

    Desired MD5 | 0602930af0dd42d6d998080e120a848e
    ——————————————————————————–

    Traceback (most recent call last):
      File "TYPO3EncKeyTool.py", line 238, in <module>
        main()
      File "TYPO3EncKeyTool.py", line 88, in main
        if default == True: # Attempt to check default Typo3 Encryption keys
    NameError: global name 'default' is not defined

  8. Ok, I’ve not tested the script under Windows. Shoot me the test string (hide the domain as in your above posts) and I’ll take a look and see if it runs on my test rig.

    contact [AT] c22 [DOT] cc

  9. Scripto said

    Nice post..Keep them coming :) Thanks for sharing.
