whoot / typo3scan
Enumerate Typo3 version and extensions
License: GNU General Public License v2.0
Hey guys,
First, nice tool you wrote. With your current version I'm getting issues running it on my latest Kali machine.
I can't get it running well. Can you please check this case?
Thanks in advance and best regards
scape
```
sudo git clone https://github.com/whoot/Typo3Scan.git /opt/Typo-Enumerator/
sudo pip install -r requirements.txt
pentest@kali:/opt/Typo-Enumerator$ python typo3scan.py -h
Traceback (most recent call last):
  File "typo3scan.py", line 32, in <module>
    from lib.extensions import Extensions
  File "/opt/Typo-Enumerator/lib/extensions.py", line 24, in <module>
    from lib.thread_pool import ThreadPool
  File "/opt/Typo-Enumerator/lib/thread_pool.py", line 22, in <module>
    from queue import Queue
ImportError: No module named queue
pentest@kali:/opt/Typo-Enumerator$ python3 typo3scan.py -h
Traceback (most recent call last):
  File "typo3scan.py", line 32, in <module>
    from lib.extensions import Extensions
  File "/opt/Typo-Enumerator/lib/extensions.py", line 24, in <module>
    from lib.thread_pool import ThreadPool
  File "/opt/Typo-Enumerator/lib/thread_pool.py", line 23, in <module>
    from progressbar import Bar, AdaptiveETA, Percentage, ProgressBar
ModuleNotFoundError: No module named 'progressbar'
pip install --upgrade --force-reinstall progressbar
pip install --upgrade --force-reinstall progressbar2
```
Edit: I even checked it in with the new directory name:
`/opt/Typo3Scan$`
With the same error occurring, and you are missing "wheel" in your requirements file.
I haven't confirmed it, but I think currently there are false-negatives due to the version detection.
If there are multiple version ranges vulnerable (e.g. `Vulnerable Versions: 6.0-6.1 and 7.0-7.1`), it will just overwrite the max and min version until it went through the array (loop starting at line 134).
After everything is overwritten it will then append the vulnerability in line 157 (with the most recently processed vuln range).
Lines 130 to 157 in 0aee5da
Thanks for writing and sharing this!
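The false negative described in the report above can be reproduced with a short sketch. This is an added example, not Typo3Scan's code: the function names, the range syntax and the sample advisory string are assumptions made for illustration, and `is_affected_last_range_only` is a reconstruction of the reported behaviour only.

```python
import re

def parse_version(text):
    """'7.0.1' -> (7, 0, 1); missing components count as 0."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def parse_ranges(spec):
    """Split 'A-B and C-D' into [(low, high), ...], whichever bound comes first."""
    ranges = []
    for chunk in re.split(r"\s*(?:,|\band\b)\s*", spec):
        if not chunk.strip():
            continue
        first, _, second = chunk.partition("-")
        bounds = sorted([parse_version(first), parse_version(second or first)])
        ranges.append((bounds[0], bounds[1]))
    return ranges

def is_affected_last_range_only(installed, spec):
    """Reconstruction of the reported behaviour: min/max are overwritten per range."""
    low = high = None
    for low, high in parse_ranges(spec):
        pass  # each iteration replaces the previous bounds
    return low is not None and low <= parse_version(installed) <= high

def is_affected(installed, spec):
    """Check the installed version against every range before deciding."""
    version = parse_version(installed)
    return any(low <= version <= high for low, high in parse_ranges(spec))

# Constructed advisory text with two vulnerable ranges.
SPEC = "6.0.0-6.1.9 and 7.0.0-7.1.3"

if __name__ == "__main__":
    for installed in ("6.0.5", "7.1.0", "6.2.0"):
        print(installed,
              is_affected_last_range_only(installed, SPEC),
              is_affected(installed, SPEC))
```

An installation on 6.0.5 is missed when only the last range survives the loop, while checking each range in turn flags it.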
Describe the bug
There seems to be a bug in how the URLs for advisories are constructed. The code seems to be using the current year in places where it shouldn't leading to some URLs being wrong. Correcting the year in the advisory name will get you to the correct advisory.
To Reproduce
Take the following listing
```
[+] Version Information
├ Identified Version: 11.5
├ Could not identify exact version.
├ Do you want to print all vulnerabilities for branch 11.5? (y/n): y
└ Known Vulnerabilities:
[!] TYPO3-CORE-SA-2023-005
├ Vulnerability Type: Broken Access Control
├ Subcomponent: Admin Tool (ext:install)
├ Affected Versions: 11.5.10 - 11.0.0
├ Severity: Medium
└ Advisory URL: https://typo3.org/security/advisory/typo3-core-sa-2023-005
[!] TYPO3-CORE-SA-2023-004
├ Vulnerability Type: Cross-Site Scripting
├ Subcomponent: Frontend Login Mailer (ext:felogin)
├ Affected Versions: 11.5.10 - 11.0.0
├ Severity: Medium
└ Advisory URL: https://typo3.org/security/advisory/typo3-core-sa-2023-004
```
Try navigating to the advisory for the XSS in Frontend Login Mailer.
Get a 404 error.
Expected behavior
There seems to be an issue in the construction of the URL. When you substitute 2023 with 2022 you actually get the advisory.
Screenshots
If applicable, add screenshots to help explain your problem.
Additional context
Running latest version from GH (last commit May 14th)
Checking with the latest Typo3Scan: it does not show the Typo3 version of several tested sites, whereas other web-based services manage to figure it out (e.g. https://www.t3versions.com/, tested on our dbjr.de). Are we doing something wrong with Typo3Scan if we don't see the Typo3 version numbers?
Is your feature request related to a problem? Please describe.
Typo3Scan only makes the latest version of the software available. As a Typo3Scan user I would like to know and decide which version of Typo3Scan to run in my infrastructure, and when to update.
Describe the solution you'd like
It would be nice to have GitHub releases that keep track of when a new version of Typo3Scan comes out. (Example)
Describe alternatives you've considered
Tagging the branch of each release is also an alternative. As it would allow the user to choose which version to check out. (Example)
Hi bro,
many tools have this option, where I can set the path for where to save the file!
Like this: `--o` (output) path to save!
Whenever I try to run `typo3scan.py -u`, I get an error:
```
[+] Searching for new CORE vulnerabilities...
Traceback (most recent call last):
  File "typo3scan.py", line 209, in <module>
    Update()
  File "lib/update.py", line 41, in __init__
    self.load_core_vulns()
  File "lib/update.py", line 62, in load_core_vulns
    last_page = int(pages[-1])
IndexError: list index out of range
```
It doesn't matter if I reset the database before with `typo3scan.py -r` or not. The scanning itself works fine.
I have tried running it with different Python versions but get the same error on both 3.6 and 3.9. I haven't had time yet to take a look at the source code and identify the root cause. If I find out more, I'm going to post it here.
Can you give me an example for the backend user login?
My password has ":;,-" and so on....
I have an issue with some sites, that makes scanning impossible:
```
kali@kali:~/bin/Typo3Scan$ ./typo3scan.py -d https://www.example.com/
=========================================================================
________ ________ _________
\_ _/__ __ ______ _____\_____ \ / _____/ ____ _____ ___
| | | | |\____ \| _ | _(__ < \_____ \_/ ___\\__ \ / \
| | |___ || |_) | (_) |/ \/ \ \___ / __ \| | \
|__| / ____|| __/|_____|________/_________/\_____|_____/|__|__/
\/ |__|
Automatic Typo3 enumeration tool
Version 0.6
https://github.com/whoot
=========================================================================
[ Checking https://www.example.com/ ]
-------------------------------------------------------------------------
HTTPSConnectionPool(host='www.example.com', port=443): Max retries exceeded with url: / (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'tls_process_ske_dhe', 'dh key too small')])")))
Traceback (most recent call last):
  File "./typo3scan.py", line 187, in <module>
    main.run()
  File "./typo3scan.py", line 67, in run
    check.check_root()
  File "/home/kali/bin/Typo3Scan/lib/domain.py", line 80, in check_root
    if re.search('powered by TYPO3', response['html']):
TypeError: 'NoneType' object is not subscriptable
```
(Output modified for privacy reasons)
It seems to be related to python and openssl, but I was not able to find a solution so far.
My system:
```
root@kali:~# uname -a
Linux kali 5.4.0-kali4-amd64 #1 SMP Debian 5.4.19-1kali1 (2020-02-17) x86_64 GNU/Linux
root@kali:~# apt dist-upgrade
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
root@kali:~# openssl
OpenSSL> version
OpenSSL 1.1.1d 10 Sep 2019
root@kali:~# pip list | grep -i openssl
pyOpenSSL 19.1.0
```
Any ideas on how to get around this?
Finding wrong extension version, even though file with right version exists
I am trying to scan for TYPO3 and extension versions.
The issue is that for a few extensions the scanner seems to be going in the wrong direction.
The scanner uses the path `[url]/Documentation/ChangeLog` to find a version of the extension. From there it uses the "Last Modified" date as version.
This is only sometimes (for some extensions) the case.
Furthermore, there are files for the extensions with the correct version in `[url]/Documentation/Settings.cfg`. From my understanding they also get searched, but the scanner dismisses the result of them. (Maybe I am wrong here, but in the "extensions.py" file it looks like it.)
If I remove the line where the scanner opens `[url]/Documentation/ChangeLog`, it still does not use the `[url]/Documentation/Settings.cfg` path. In this case the scanner uses `[url]/CHANGELOG.md`. In this path there is no version information in my case, but the scanner uses the first number that it can find (an issue with the Changelog.md, not the scanner).
My question is whether there is any way to change the priority of the scanned paths. I do not understand why the `[url]/Documentation/ChangeLog` path is used and not the `[url]/Documentation/Settings.cfg`.
Extensions I have had this problem with
Thank you for your help and your tool!
Hi,
it would be great to have an option for json logging. This is helpful for integrating your tool into automation workflows.
Maybe something like WhatWeb is doing:
https://github.com/urbanadventurer/WhatWeb
--log-json=FILE Log JSON format.
Thanks for your consideration.
TODO: Parameter or something to show known vulnerabilities for Core and Extensions
Describe the bug
I began troubleshooting, but the "typo3" CMS is something that's new to me. I found your project when the need arose to scan a website that has typo3. In my case, the homepage is an error message, not a typical homepage. Details below, but withholding the site URL for certain reasons. Let me know what I can do to help troubleshoot the best place this scenario can be accounted for, running a test on my target site or giving you the site privately.
To Reproduce
Steps to reproduce the behavior:
footer text of the page:
TYPO3 is an open source content management system. To maintain the quality of the system and to improve it, please help us by donating.
TYPO3 CMS. Copyright © 1998-2011 Kasper Skårhøj. Extensions are copyright of their respective owners. Go to http://typo3.com/ for details.
TYPO3 comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it under certain conditions. Obstructing the appearance of this notice is prohibited by law.
Describe the bug
typo3scan reported a vulnerability for the gridelements extension.
```
[+] gridelements
├ Extension Title: Grid Elements
├ Extension Repo: https://extensions.typo3.org/extension/gridelements
├ Extension Url: https://www.example.com/typo3conf/ext/gridelements
├ Current Version: 10.4.3 (stable)
├ Identified Version: 7.0.5
├ Version File: https://www.example.com/typo3conf/ext/gridelements/ChangeLog
└ Known Vulnerabilities:
[!] TYPO3-EXT-SA-2022-009
├ Vulnerability Type: Cross-Site Scripting
├ Affected Versions: 7.6.1 - 0.0.0
└ Advisory Url: https://typo3.org/security/advisory/typo3-ext-sa-2022-009
```
This is a false positive. The problem is, the version is inferred from the changelog file, but this hasn't been kept up to date for a while. That means the identified version and hence the detected vulnerability is incorrect.
See the extension's repository at https://gitlab.com/coderscare/gridelements where the `ChangeLog` file has been modified three years ago. Instead, it just begins with the line "See https://gitlab.com/coderscare/gridelements/commits/9-0 for a list of commits".
This is of course not helpful and I think it would be best if they don't keep the changelog file if it isn't used properly. But it is how it is.
On the other side, I understand that this can be a nightmare to parse for typo3scan. Just wanted to let you know about the false positive. Maybe you have a good idea about how to cope with this.
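One way to handle the two version-source reports above (Settings.cfg being ignored, and a stale ChangeLog producing a false positive) is to rank the sources and attach a confidence to the result. This is an added example, not Typo3Scan's code: it assumes `Settings.cfg` is INI-style with a `[general]` section holding `release`/`version`, and the function names, confidence labels and sample file bodies are constructed for illustration.

```python
import configparser
import re

# Three-part version number that is not part of a longer dotted string.
VERSION = re.compile(r"(?<![\d.])(\d+\.\d+\.\d+)(?![\d.])")

def version_from_settings_cfg(text):
    """Return 'release' (or 'version') from [general], or None."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string(text)
    except configparser.Error:
        return None
    for key in ("release", "version"):
        value = parser.get("general", key, fallback="").strip()
        if VERSION.fullmatch(value):
            return value
    return None

def identify_version(files):
    """files maps a path under the extension directory to its body.
    Returns (version, source_path, confidence)."""
    cfg_path = "Documentation/Settings.cfg"
    release = version_from_settings_cfg(files.get(cfg_path, ""))
    if release:
        return (release, cfg_path, "high")
    for path in ("Documentation/ChangeLog", "ChangeLog", "CHANGELOG.md"):
        lines = [l for l in files.get(path, "").splitlines() if l.strip()]
        if not lines:
            continue
        head = VERSION.search(lines[0])
        if head:
            return (head.group(1), path, "medium")
        deeper = VERSION.search("\n".join(lines[1:]))
        if deeper:  # stale or pointer-only header: report, but do not trust
            return (deeper.group(1), path, "low")
    return (None, None, "none")

# Constructed samples modelled on the files described in the reports above.
SETTINGS_CFG = "[general]\nproject = Grid Elements\nversion = 10.4\nrelease = 10.4.3\n"
STALE_CHANGELOG = (
    "See https://gitlab.com/coderscare/gridelements/commits/9-0 for a list of commits\n"
    "\n2016-03-01  Example Author\n\t* Release of version 7.0.5\n"
)
```

A report can then label advisories matched on a "low" confidence version as unconfirmed instead of presenting them as known vulnerabilities.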
Hi,
it would be great to have an option to customise the User-Agent of the requests.
Thanks for your consideration.
```
HTTPSConnectionPool(host='www.emp.com', port=443): Max retries exceeded with url: / (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7fa9b1fecbe0>: Failed to establish a new connection: [Errno -2] Name or service not known'))
Traceback (most recent call last):
  File "typo3scan.py", line 199, in <module>
    main.run()
  File "typo3scan.py", line 70, in run
    check.check_root()
  File "/root/Typo3Scan/lib/domain.py", line 96, in check_root
    if re.search('powered by TYPO3', response['html']):
TypeError: 'NoneType' object is not subscriptable
```
Describe the bug
Invoking `./typo3scan.py -d http://url/ --auth user:pass` has no effect and the basic authentication credentials will not be used.
This is because
Line 38 in 7fb4fa0
To Reproduce
Steps to reproduce the behavior:
./typo3scan.py -d http://url/ --auth user:pass
[x] It seems that Typo3 is not used on this domain
Expected behavior
Command line option should be taken into consideration.
As a workaround I wrote the credentials into the `config.json` file.
Hey!
Good work with the Tool. It would be nice if you can add a parameter to give the tool cookies. This could handle pre-authentication while pentesting.