whoot
2020-09-21 10:45:05 -04:00
parent 1da64224ee
commit 9856c2f35b
6 changed files with 25 additions and 26 deletions


@@ -1,6 +1,7 @@
## Version 0.6.3 ## Version 0.6.3
* Fixed advisory URLs * Fixed advisory URLs
* Fixed rootCheck
## Version 0.6.2 ## Version 0.6.2


@@ -1 +1 @@
{"threads": 5, "timeout": 10, "cookie": "", "auth": "", "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/537.13+ (KHTML, like Gecko) Version/5.1.7 Safari/534.57.2"} {"threads": 5, "timeout": 10, "cookie": "", "auth": "", "User-Agent": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36"}


@@ -91,14 +91,13 @@ class Domain:
If found, it searches for a Typo3 path reference If found, it searches for a Typo3 path reference
in order to determine the Typo3 installation path. in order to determine the Typo3 installation path.
""" """
response = request.get_request('{}'.format(self.get_name()))
self.set_name(response['url'][:-1])
full_path = self.get_name() full_path = self.get_name()
response = request.get_request('{}'.format(self.get_name()))
if re.search('powered by TYPO3', response['html']): if re.search('powered by TYPO3', response['html']):
self.set_typo3() self.set_typo3()
path = re.search('="(?:{})/?(\S*?)/?(?:typo3temp|typo3conf)/'.format(self.get_name()), response['html']) path = re.search('="(?:{})/?(\S*?)/?(?:typo3temp|typo3conf)/'.format(self.get_name()), response['html'])
if path and path.group(1) != '': if path and path.group(1) != '':
full_path = '{}/{}'.format(self.get_name(), path) full_path = '{}/{}'.format(self.get_name(), path)
self.set_path(full_path) self.set_path(full_path)
def check_default_files(self): def check_default_files(self):
@@ -144,19 +143,19 @@ class Domain:
and searches for a specific string in the title or the response. and searches for a specific string in the title or the response.
If the access is forbidden (403), extension search is still possible. If the access is forbidden (403), extension search is still possible.
""" """
print('[+] Backend Login') print(' [+] Backend Login')
# maybe /typo3_src/typo3/index.php too? # maybe /typo3_src/typo3/index.php too?
response = request.get_request('{}/typo3/index.php'.format(self.get_path())) response = request.get_request('{}/typo3/index.php'.format(self.get_path()))
searchTitle = re.search('<title>(.*)</title>', response['html']) searchTitle = re.search('<title>(.*)</title>', response['html'])
if searchTitle and 'Login' in searchTitle.group(0): if searchTitle and 'Login' in searchTitle.group(0):
print(' \u251c {}'.format(Fore.GREEN + '{}/typo3/index.php'.format(self.get_path()) + Fore.RESET)) print(' \u251c {}'.format(Fore.GREEN + '{}/typo3/index.php'.format(self.get_path()) + Fore.RESET))
self.set_backend('{}/typo3/index.php'.format(self.get_path())) self.set_backend('{}/typo3/index.php'.format(self.get_path()))
elif ('Backend access denied: The IP address of your client' in response['html']) or (response['status_code'] == 403): elif ('Backend access denied: The IP address of your client' in response['html']) or (response['status_code'] == 403):
print(' \u251c {}'.format(Fore.GREEN + '{}/typo3/index.php'.format(self.get_path()) + Fore.RESET)) print(' \u251c {}'.format(Fore.GREEN + '{}/typo3/index.php'.format(self.get_path()) + Fore.RESET))
print(' \u251c {}'.format(Fore.YELLOW + 'But access is forbidden (IP Address Restriction)' + Fore.RESET)) print(' \u251c {}'.format(Fore.YELLOW + 'But access is forbidden (IP Address Restriction)' + Fore.RESET))
self.set_backend('{}/typo3/index.php'.format(self.get_path())) self.set_backend('{}/typo3/index.php'.format(self.get_path()))
else: else:
print(' \u251c {}'.format(Fore.RED + 'Could not be found' + Fore.RESET)) print(' \u251c {}'.format(Fore.RED + 'Could not be found' + Fore.RESET))
def search_typo3_version(self): def search_typo3_version(self):
""" """
@@ -185,19 +184,20 @@ class Domain:
} }
version = None version = None
version_path = None
for path, regex in files.items(): for path, regex in files.items():
response = request.version_information('{}/{}'.format(self.get_path(), path), regex) response = request.version_information('{}/{}'.format(self.get_path(), path), regex)
if response and (version is None or (len(response) > len(version))): if response and (version is None or (len(response) > len(version))):
version = response version = response
version_path = path version_path = path
print(' |\n[+] Version Information') print(' | \n [+] Version Information')
if version: if version:
print(' \u251c Identified Version: '.ljust(28) + '{}'.format(Style.BRIGHT + Fore.GREEN + version + Style.RESET_ALL)) print(' \u251c Identified Version: '.ljust(28) + '{}'.format(Style.BRIGHT + Fore.GREEN + version + Style.RESET_ALL))
print(' \u251c Version File: '.ljust(28) + '{}{}'.format(self.get_path(), version_path)) print(' \u251c Version File: '.ljust(28) + '{}{}'.format(self.get_path(), version_path))
if len(version) == 3: if len(version) == 3:
print(' \u251c Could not identify exact version.') print(' \u251c Could not identify exact version.')
react = input(' \u251c Do you want to print all vulnerabilities for branch {}? (y/n): '.format(version)) react = input(' \u251c Do you want to print all vulnerabilities for branch {}? (y/n): '.format(version))
if react.startswith('y'): if react.startswith('y'):
version = version + '.0' version = version + '.0'
else: else:
@@ -216,14 +216,14 @@ class Domain:
json_list[vulnerability[0]] = {'Type': vulnerability[1], 'Subcomponent': vulnerability[2], 'Affected': '{} - {}'.format(vulnerability[3], vulnerability[4]), 'Advisory': 'https://typo3.org/security/advisory/{}'.format(vulnerability[0].lower())} json_list[vulnerability[0]] = {'Type': vulnerability[1], 'Subcomponent': vulnerability[2], 'Affected': '{} - {}'.format(vulnerability[3], vulnerability[4]), 'Advisory': 'https://typo3.org/security/advisory/{}'.format(vulnerability[0].lower())}
if json_list: if json_list:
self.set_typo3_vulns(json_list) self.set_typo3_vulns(json_list)
print(' \u2514 Known Vulnerabilities:\n') print(' \u2514 Known Vulnerabilities:\n')
for vulnerability in json_list.keys(): for vulnerability in json_list.keys():
print(Style.BRIGHT + ' [!] {}'.format(Fore.RED + vulnerability + Style.RESET_ALL)) print(Style.BRIGHT + ' [!] {}'.format(Fore.RED + vulnerability + Style.RESET_ALL))
print(' \u251c Vulnerability Type:'.ljust(28) + json_list[vulnerability]['Type']) print(' \u251c Vulnerability Type:'.ljust(28) + json_list[vulnerability]['Type'])
print(' \u251c Subcomponent:'.ljust(28) + json_list[vulnerability]['Subcomponent']) print(' \u251c Subcomponent:'.ljust(28) + json_list[vulnerability]['Subcomponent'])
print(' \u251c Affected Versions:'.ljust(28) + json_list[vulnerability]['Affected']) print(' \u251c Affected Versions:'.ljust(28) + json_list[vulnerability]['Affected'])
print(' \u2514 Advisory URL:'.ljust(28) + json_list[vulnerability]['Advisory'] + '\n') print(' \u2514 Advisory URL:'.ljust(28) + json_list[vulnerability]['Advisory'] + '\n')
else: else:
print(' \u2514 No Known Vulnerabilities') print(' \u2514 No Known Vulnerabilities')
else: else:
print(' \u2514', Fore.RED + 'No Version Information Found.' + Fore.RESET) print(' \u2514', Fore.RED + 'Could not be determined.' + Fore.RESET)
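Review bot: In the first hunk of this file (the Typo3 path detection), `full_path = '{}/{}'.format(self.get_name(), path)` formats the `re.Match` object itself rather than the captured sub-path. For a site installed in a subdirectory, the stored path then contains the match repr, so the later backend-login and version checks request URLs that cannot exist and report a misleading "Could not be found". The line should read `full_path = '{}/{}'.format(self.get_name(), path.group(1))`. The pattern on the preceding line also interpolates `self.get_name()` unescaped, so the dots in the host name match any character; wrapping it in `re.escape(...)` and making the literal a raw string (for `\S`) would tighten the match. The method's signature lies outside the hunk.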


@@ -35,7 +35,6 @@ class Extensions:
""" """
This method loads the extensions from the database and searches for installed extensions. This method loads the extensions from the database and searches for installed extensions.
/typo3conf/ext/: Local installation path. This is where extensions usually get installed. /typo3conf/ext/: Local installation path. This is where extensions usually get installed.
/typo3/ext/: Global installation path (not used atm)
/typo3/sysext/: Extensions shipped with core /typo3/sysext/: Extensions shipped with core
""" """
found_extensions = {} found_extensions = {}
@@ -43,7 +42,6 @@ class Extensions:
for ext in extensions: for ext in extensions:
thread_pool.add_job((request.head_request, ('{}/typo3conf/ext/{}/'.format(domain, ext)))) thread_pool.add_job((request.head_request, ('{}/typo3conf/ext/{}/'.format(domain, ext))))
thread_pool.add_job((request.head_request, ('{}/typo3/sysext/{}/'.format(domain, ext)))) thread_pool.add_job((request.head_request, ('{}/typo3/sysext/{}/'.format(domain, ext))))
#thread_pool.add_job((request.head_request, ('{}/typo3/ext/{}/'.format(domain, ext))))
thread_pool.start(threads) thread_pool.start(threads)
for installed_extension in thread_pool.get_result(): for installed_extension in thread_pool.get_result():

Binary file not shown.


@@ -75,8 +75,8 @@ class Typo3:
print(Fore.RED + '\n[x] It seems that Typo3 is not used on this domain\n' + Fore.RESET) print(Fore.RED + '\n[x] It seems that Typo3 is not used on this domain\n' + Fore.RESET)
else: else:
# check for typo3 information # check for typo3 information
print('\n[+] Typo3 Installation') print('\n [+] Core Information')
print('----------------------') print(' --------------------')
check.search_login() check.search_login()
check.search_typo3_version() check.search_typo3_version()