Tools/Scripts

UATester [Alpha Version]

This tool is designed to automatically check a given URL using a list of standard and non-standard User Agent strings provided by the user (1 per line). The results of these checks are then reported to the user for further manual analysis where required. Gathered data includes response codes, resulting URL in the case of a 30x response, MD5 and length of response body, and select Server headers.

The results returned detail only the changes between the initial reference request and the new request (with altered user-agent string). For full output us the verbose setting.

UATester is still in Alpha and a work in progress, use at your own risk

UATester –> Project Download

Blogpost discussing usage –> UATester Alpha (20.06.2010)

typo3Typo3 Default Encryption Keys [Proof of Concept]

As detailed in the “Typo3 – Encryption Key” vulnerability announcement (Typo3-sa-2009-001) the Proof of Concept code used for re-creating the default Typo3 encryption keys, as well as offline  Dictionary attacks against Typo3 encryption keys can be found below. A new Python script is also available for download that performs both attacks against known Encryption Keys, as well as Dictionary based attacks. The Python script can also be used to create a valid malicious URL using the recovered Encryption Key.

NOTE: These PoC scripts are designed to display the vulnerability and not be used in unathorised hacking of Typo3 systems.

Python - Typo3 – Encryption Key Tool (version 1.22)

This PoC python script can be used to perform offline an dictionary attack attempts against Typo3 servers. The python script takes a URL as input and attempts to discover the Typo3 Encryption Key using the known default keys (1000), as well as dictionary style attack (using a user defined dictionary). If the encryption key is recovered the script will also give the user an option to create a malicous link with a newly created (and valid) MD5 hash. Information is required from a valid Typo3 showpic.php to perform this attack.

NOTE: Version 1.22 corrected a slight typing mistake in the attack string creation portion of the script. bodytag should be bodyTag, small but fatal error when trying to match an MD5 ;)

Outdated: Shell Script - Typo3 – Encryption Key Dictionary Attack script

This PoC shell script can be used to perform an offline dictionary attack against Typo3 servers. Information is required from a valid Typo3 showpic.php to perform this attack. –> This method is outdated. Please see the Python script above as a replacement to this script.

Outdated: Shell Script – Typo3 – Default Encryption Key Generator

This PoC shell script creates an output of all possible default encryption keys (based on Typo3 4.2.3) –> This method is outdated. Please see the Python script above as a replacement to this script.

Typo3 – Default Keys (Typo3 <version 4.2.3)

This file contains a pre-compiled list of default encryption keys (based on Typo3 4.2.3).

12 Responses to Tools/Scripts

  1. Pingback: Typo3 Weak Encryption Key « Ramblings of the änal security guy

  2. Jim | July 15, 2009 at 20:13 |

    Thx for the demonstration! But what version of Python is requiered for the script? I tried 2.5,2.6 and 3.1…. I always get some error, it seems that that the script could not split the string. The best version with the less errors was 2.5. greetings jim

  3. ChrisJohnRiley | July 16, 2009 at 15:54 |

    Hi Jim,

    Glad you liked the demo/tool. It was developed using Python 2.5.1 and tested on Debian / SuSE and Backtrack 3. Can you give me details of the error message and I’ll see if I can troubleshoot.

    The URL should look something like this .:

    http://localhost:8503/index.php?eID=tx_cms_showpic&file=uploads%2Fpics%2Fjonathan.jpg&width=800m&height=600m&bodyTag=%3Cbody%20bgcolor%3D%22black%22%3E&wrap=%3Ca%20href%3D%22javascript%3Aclose%28%29%3B%22%3E%20%7C%20%3C%2Fa%3E&md5=78f4d21442cb4dc8281f6585adaee960

    If you take a look into the script it’s pretty easy to see what it’s doing.

    Checkout http://storage.c22.cc/TYPO3-InsecureRandomness.txt for a breakdown of the problem if you’ve not already seen it.

  4. Jim | July 18, 2009 at 18:19 |

    Hi Chris,

    thank for your answer! I have alrady looked in this script, and I see what it is doing. But I’m not able to find the mistake…
    Now I tried it with 2.5 on WinXP. I used the command: python TYPO3EncKeyTool.py –default –url http://mydomain.de/index.php?eID=tx_cms_showpic&file=uploads%2Ftx_mmdamfilelist%2Ftemp_63662056a4.jpg&width=400&wrap=%3CA%20href%3D%22javascript%3Aclose%28%29%3B%22%3E%20%7C%20%3C%2FA%3E&md5=0602930af0dd42d6d998080e120a848e

    He splits the first part of the url right (“http://mydomain.de/index.php?eID=tx_cms_showpic”
    then he writes: “Test string: <… BRUTE FORCE …."
    the "Desired MD5: "
    "Beginning defaul Entcryton Key attack
    Default Hash not found.

    The Command "file" is worng or could not be found.
    The Command "width" is worng or could not be found.
    The Command "warp" is worng or could not be found.
    The Command "md5" is worng or could not be found.

    "

  5. ChrisJohnRiley | July 18, 2009 at 18:35 |

    Ok, I think the issue is that you need to put the URL between single quotes ‘ ‘ to get it fully into the script. If you don’t then it will get splitup into seperate commands due to the pipe and ampersand symbols.

  6. Jim | July 18, 2009 at 20:22 |

    no, i had tried this at the beginning of testing. When i use the single quotes I get the Message in the script:

    Data extracted from URL .:

    Base URL | http://’http://mydomain.de/index.php?eID=tx_cms_showpic

    ——————————————-

    Attempting to find a matching MD5
    ——————————————-

    Test string | ||||||||
    ——————————————-

    Desired MD5 |
    ——————————————-

    Beginning default Encryption Key attack

    The http:// seems to be double….

  7. jim | July 19, 2009 at 02:22 |

    now I had used a double quote. IT seems to work better on XP

    Data extracted from URL .:

    Base URL | http://mydomain.de/index.php?eID=tx_cms_showpic
    file | uploads%2Ftx_mmdamfilelist%2Ftemp_63662056a4.jpg
    width | 400
    wrap | %3CA%20href%3D%22javascript%3Aclose%28%29%3B%22%3E%20%7C%20%3C%2FA%
    3E
    md5 | 0602930af0dd42d6d998080e120a848e

    ——————————————————————————–

    Attempting to find a matching MD5
    ——————————————————————————–

    Test string | uploads/tx_mmdamfilelist/temp_63662056a4.jpg|400||||| | ||
    ——————————————————————————–

    Desired MD5 | 0602930af0dd42d6d998080e120a848e
    ——————————————————————————–

    Traceback (most recent call last):
    File “TYPO3EncKeyTool.py”, line 238, in
    main()
    File “TYPO3EncKeyTool.py”, line 88, in main
    if default == True: # Attempt to check default Typo3 Encryption keys
    NameError: global name ‘default’ is not defined

  8. ChrisJohnRiley | July 19, 2009 at 09:44 |

    Ok, I’ve not tested the script under Windows. Shoot me the test string (hide the domain as in your above posts) and I’ll take a look and see if it runs on my test rig.

    contact [AT] c22 [DOT] cc

  9. Scripto | December 6, 2009 at 10:32 |

    Nice post..Keep them coming :) Thanks for sharing.

  10. Pingback: Typo3 encryptionKey « floyd's

  11. floyd | May 18, 2010 at 20:41 |

    Hey Chris,

    thanks for the script, it still works!

    cheers
    floyd

  12. Pingback: UATester Alpha « ©атсн²² (in)sесuяitу

Leave a Reply

Your email address will not be published. Required fields are marked *

*

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <pre> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>