Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

Typo3 Default Encryption Keys

Typo3 Default Encryption Keys [Proof of Concept]

As detailed in the “Typo3 – Encryption Key” vulnerability announcement (Typo3-sa-2009-001), the Proof of Concept code used for re-creating the default Typo3 encryption keys, as well as for offline dictionary attacks against Typo3 encryption keys, can be found below. A new Python script is also available for download that performs both attacks against known encryption keys and dictionary-based attacks. The Python script can also be used to create a valid malicious URL using the recovered encryption key.

The video is best viewed in HD quality; you can click through on the video above, or use the shortcut below to access it directly on the Vimeo site.

NOTE: These PoC scripts are designed to demonstrate the vulnerability, not to be used for unauthorised hacking of Typo3 systems.

Python Typo3 – Encryption Key Tool (version 1.22)

This PoC Python script can be used to perform offline dictionary attacks against Typo3 servers. The script takes a URL as input and attempts to discover the Typo3 encryption key using the known default keys (1000), as well as a dictionary-style attack (using a user-defined dictionary). If the encryption key is recovered, the script also gives the user the option to create a malicious link with a newly created (and valid) MD5 hash. Information is required from a valid Typo3 showpic.php to perform this attack.

NOTE: Version 1.22 corrected a slight typing mistake in the attack string creation portion of the script: bodytag should be bodyTag, a small but fatal error when trying to match an MD5 😉

Outdated: Shell Script – Typo3 – Encryption Key Dictionary Attack script

This PoC shell script can be used to perform an offline dictionary attack against Typo3 servers. Information is required from a valid Typo3 showpic.php to perform this attack. –> This method is outdated. Please see the Python script above as a replacement to this script.

Outdated: Shell Script – Typo3 – Default Encryption Key Generator

This PoC shell script creates an output of all possible default encryption keys (based on Typo3 4.2.3) –> This method is outdated. Please see the Python script above as a replacement to this script.

Typo3 – Default Keys (Typo3 <version 4.2.3)

This file contains a pre-compiled list of default encryption keys (based on Typo3 4.2.3).

14 responses to “Typo3 Default Encryption Keys”

  1. floyd May 18, 2010 at 20:41

    Hey Chris,

    thanks for the script, it still works!

    cheers
    floyd

  2. Pingback: UATester Alpha « ©атсн²² (in)sесuяitу

  3. Reuben Mcdowell November 7, 2012 at 13:19

    The Python program can also be used to make a real harmful URL using the retrieved Security Key.

  4. ChrisJohnRiley November 15, 2012 at 10:07

    … the Metasploit module is probably better used for that though 😉
