Metasploit Penetration Testing Framework




Typo3 sa-2009-002 File Disclosure

This module exploits a file disclosure vulnerability in the jumpUrl mechanism of Typo3. This flaw can be used to read any file that the web server user account has access to.

Rank

  • Normal

Authors

  • spinbad < spinbad.security [at] googlemail.com >

Usage Information

$ msfconsole

                ##                          ###           ##    ##
 ##  ##  #### ###### ####  #####   #####    ##    ####        ######
####### ##  ##  ##  ##         ## ##  ##    ##   ##  ##   ###   ##
####### ######  ##  #####   ####  ##  ##    ##   ##  ##   ##    ##
## # ##     ##  ##  ##  ## ##      #####    ##   ##  ##   ##    ##
##   ##  #### ###   #####   #####     ##   ####   ####   #### ###
                                      ##

msf > use auxiliary/admin/http/typo3_sa_2009_002
msf auxiliary(typo3_sa_2009_002) > set RHOST [TARGET IP]
msf auxiliary(typo3_sa_2009_002) > run

Module Options

LFILE The local filename to store the data (default: localconf.php)
Proxies Use a proxy chain
RFILE The remote file to download (default: typo3conf/localconf.php)
RHOST The target address
RPORT The target port (default: 80)
URI Typo3 Path (default: /)
VHOST HTTP server virtual host
BasicAuthPass The HTTP password to specify for basic authentication
BasicAuthUser The HTTP username to specify for basic authentication
FingerprintCheck Conduct a pre-exploit fingerprint verification
SSL Negotiate SSL for outgoing connections
SSLVersion Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
UserAgent The User-Agent header to use for all requests
WORKSPACE Specify the workspace for this module
HTTP::header_folding Enable folding of HTTP headers
HTTP::method_random_case Use random casing for the HTTP method
HTTP::method_random_invalid Use a random, invalid HTTP method for request
HTTP::method_random_valid Use a random, but valid, HTTP method for request
HTTP::pad_fake_headers Insert random, fake headers into the HTTP request
HTTP::pad_fake_headers_count How many fake headers to insert into the HTTP request
HTTP::pad_get_params Insert random, fake query string variables into the request
HTTP::pad_get_params_count How many fake query string variables to insert into the request
HTTP::pad_method_uri_count How many whitespace characters to use between the method and uri
HTTP::pad_method_uri_type What type of whitespace to use between the method and uri (accepted: space, tab, apache)
HTTP::pad_post_params Insert random, fake post variables into the request
HTTP::pad_post_params_count How many fake post variables to insert into the request
HTTP::pad_uri_version_count How many whitespace characters to use between the uri and version
HTTP::pad_uri_version_type What type of whitespace to use between the uri and version (accepted: space, tab, apache)
HTTP::uri_dir_fake_relative Insert fake relative directories into the uri
HTTP::uri_dir_self_reference Insert self-referential directories into the uri
HTTP::uri_encode_mode Enable URI encoding (accepted: none, hex-normal, hex-all, hex-random, u-normal, u-all, u-random)
HTTP::uri_fake_end Add a fake end of URI (eg: /%20HTTP/1.0/../../)
HTTP::uri_fake_params_start Add a fake start of params to the URI (eg: /%3fa=b/../)
HTTP::uri_full_url Use the full URL for all HTTP requests
HTTP::uri_use_backslashes Use back slashes instead of forward slashes in the uri
Copyright © 2003-2010 Rapid7 LLC