whoot / typo3scan Goto Github PK

Hey guys,

first, nice tool you wrote. With your current version I'm getting issued running it on my latest kali machine.
I can't get it running well. Can you please check this case?

Thanks in advance and best regards
scape

sudo git clone https://github.com/whoot/Typo3Scan.git /opt/Typo-Enumerator/
sudo pip install -r requirements.txt

pentest@kali:/opt/Typo-Enumerator$ python typo3scan.py -h
Traceback (most recent call last):
File "typo3scan.py", line 32, in
from lib.extensions import Extensions
File "/opt/Typo-Enumerator/lib/extensions.py", line 24, in
from lib.thread_pool import ThreadPool
File "/opt/Typo-Enumerator/lib/thread_pool.py", line 22, in
from queue import Queue
ImportError: No module named queue
pentest@kali:/opt/Typo-Enumerator$ python3 typo3scan.py -h
Traceback (most recent call last):
File "typo3scan.py", line 32, in
from lib.extensions import Extensions
File "/opt/Typo-Enumerator/lib/extensions.py", line 24, in
from lib.thread_pool import ThreadPool
File "/opt/Typo-Enumerator/lib/thread_pool.py", line 23, in
from progressbar import Bar, AdaptiveETA, Percentage, ProgressBar
ModuleNotFoundError: No module named 'progressbar'

pip install --upgrade --force-reinstall progressbar
pip install --upgrade --force-reinstall progressbar2

edit, I even checked it in with the new directory name:
/opt/Typo3Scan$
With the same error occuring, and you are missing "wheel" in your requirements file.

I haven't confirmed it, but I think currently there are false-negatives due to the version detection.

If there are multiple version ranges vulnerable (e.g. `Vulnerable Versions: 6.0-6.1 and 7.0-7.1), it will just overwrite the max and min version until it went through the array (Loop starting at line 134)

After everything is overwritten it will then append the vulnerability in Line 157. (with the most recent processed vuln range)

Thanks for writing and sharing this!

Describe the bug
There seems to be a bug in how the URLs for advisories are constructed. The code seems to be using the current year in places where it shouldn't leading to some URLs being wrong. Correcting the year in the advisory name will get you to the correct advisory.

To Reproduce
Take the following listing

 [+] Version Information
  ├ Identified Version:     11.5
  ├ Could not identify exact version.
  ├ Do you want to print all vulnerabilities for branch 11.5? (y/n): y
  └ Known Vulnerabilities:

     [!] TYPO3-CORE-SA-2023-005
      ├ Vulnerability Type: Broken Access Control
      ├ Subcomponent:       Admin Tool (ext:install)
      ├ Affected Versions:  11.5.10 - 11.0.0
      ├ Severity:           Medium
      └ Advisory URL:       https://typo3.org/security/advisory/typo3-core-sa-2023-005

     [!] TYPO3-CORE-SA-2023-004
      ├ Vulnerability Type: Cross-Site Scripting
      ├ Subcomponent:       Frontend Login Mailer (ext:felogin)
      ├ Affected Versions:  11.5.10 - 11.0.0
      ├ Severity:           Medium
      └ Advisory URL:       https://typo3.org/security/advisory/typo3-core-sa-2023-004

Try navigating to the advisory for the XSS in Frontend Login Mailer.
Get a 404 error.

Expected behavior
There seems to be an issue in the construction of the URL. When you substitute 2023 with 2022 you actually get the advisory.

Screenshots
If applicable, add screenshots to help explain your problem.

Additional context
Ranning latest version from GH (last commit May 14th)

Checking with latest Typo3Scan: it does not show the Typo3 version of several tested sites, whereas other web-based services manage to figure out (e.g. https://www.t3versions.com/ , tested on our dbjr.de). Are we doing something wrong with Typo3Scan if we don't see the Typo3 version numbers?

Is your feature request related to a problem? Please describe.
Typo3Scan only makes the latest version of the software available. As a Typo3Scan user i would like to know and decide which version of Typo3Scan to run in my infrastructure, and when to update.

Describe the solution you'd like
It would be nice to have github releases that keep track when a new version of Typo3Scan comes out. (Example)

Describe alternatives you've considered
Tagging the branch of each release is also an alternative. As it would allow the user to choose which version to check out. (Example)

Hi bro,
many tools use this option when i can set path for where save file !
like that : --o ( output ) path to save !

Whenever I try to run typo3scan.py -u, i get an error:

[+] Searching for new CORE vulnerabilities...
Traceback (most recent call last):
  File "typo3scan.py", line 209, in <module>
    Update()
  File "lib/update.py", line 41, in __init__
    self.load_core_vulns()
  File "lib/update.py", line 62, in load_core_vulns
    last_page = int(pages[-1])
IndexError: list index out of range

It doesn't matter if I reset the database before with typo3scan.py -r or not. The scanning itself works fine.

I have tried running it with different Python versions but get the same error on both 3.6 and 3.9. I haven't had time yet to take a look at the source code and identify the root cause. If I find out more, I'm going to post it here.

can you give me a example for the backend user login?

my password has ":;,-" and so on....

I have an issue with some sites, that makes scanning impossible:

kali@kali:~/bin/Typo3Scan$ ./typo3scan.py -d https://www.example.com/

=========================================================================

   ________                   ________   _________                                                                                                                                                                                       
   \_    _/__ __ ______  _____\_____  \ /   _____/ ____ _____    ___                                                                                                                                                                     
     |  | |  |  |\____ \|  _  | _(__  < \_____  \_/ ___\\__  \  /   \                                                                                                                                                                    
     |  | |___  ||  |_) | (_) |/       \/        \  \___ / __ \|  |  \                                                                                                                                                                   
     |__| / ____||   __/|_____|________/_________/\_____|_____/|__|__/                                                                                                                                                                   
          \/     |__|                                                                                                                                                                                                                    
                                                                                                                                                                                                                                         
                     Automatic Typo3 enumeration tool                    
                               Version 0.6                               
                         https://github.com/whoot                        
=========================================================================

                                                                                                                                                                                                                                         
[ Checking https://www.example.com/ ]                                                                                                                                                                                                 
-------------------------------------------------------------------------                                                                                                                                                                
HTTPSConnectionPool(host='www.example.com', port=443): Max retries exceeded with url: / (Caused by SSLError(SSLError("bad handshake: Error([('SSL routines', 'tls_process_ske_dhe', 'dh key too small')])")))
Traceback (most recent call last):
  File "./typo3scan.py", line 187, in <module>
    main.run()
  File "./typo3scan.py", line 67, in run
    check.check_root()
  File "/home/kali/bin/Typo3Scan/lib/domain.py", line 80, in check_root
    if re.search('powered by TYPO3', response['html']):
TypeError: 'NoneType' object is not subscriptable

(Output modified for privacy reasons)

It seems to be related to python and openssl, but I was not able to find a solution so far.

My system:

root@kali:~# uname -a
Linux kali 5.4.0-kali4-amd64 #1 SMP Debian 5.4.19-1kali1 (2020-02-17) x86_64 GNU/Linux

root@kali:~# apt dist-upgrade
Reading package lists... Done
Building dependency tree       
Reading state information... Done
Calculating upgrade... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

root@kali:~# openssl
OpenSSL> version
OpenSSL 1.1.1d  10 Sep 2019

root@kali:~# pip list | grep -i openssl
pyOpenSSL                    19.1.0 

Any ideas on how to get around this?

Finding wrong extension version, even tho file with right version exists
I am trying to scan for TYPO3 and extension versions.
The issue is, that for a few extensions the scanner seems to be going in the wrong direction.

The scanner uses the path
[url]/Documentation/ChangeLog
to find a version of the extension. From there it uses the "Last Modified" date as version.
This is only sometimes (for some extensions) the case.

Furthermore, there are files for the extensions with the correct version in
[url]/Documentation/Settings.cfg
from my understanding they also get searched but the scanner dismisses the result of them. (Maybe I am wrong here, but in the "extensions.py" file it looks like it)

If I remove the line where the scanner opens [url]/Documentation/ChangeLog it still does not use the [url]/Documentation/Settings.cfg path. In this case the scanner uses [url]/CHANGELOG.md. In this path there is no version information in my case but the scanner uses the first number that it can find. ( an issue with the Changelog.md, not the scanner)

My question is, if there is any way to change the priority of the scanned paths. I do not understand why the [url]/Documentation/ChangeLog path is used and not the [url]/Documentation/Settings.cfg

Extensions I have had this problem with\

• Mask
• MetaSEO
• [Clickstorm]SEO

Thank you for your help and your tool!

Hi,

it would be great to have an option for json logging. This is helpful for integrating your tool into automation workflows.

Maybe something like WhatWeb is doing:
https://github.com/urbanadventurer/WhatWeb

--log-json=FILE         Log JSON format.

Thanks for your consideration.

TODO: Parameter or something to show known vulnerabilties for Core and Extensions

Describe the bug
I begun troubleshooting, but the "typo3" CMS is something that's new to me. I found your project when need arose to scan a website that has typo3. In my case, the homepage is an error message, not a typical homepage. Details below but withholding the site URL for certain reasons. Let me know what I can do to help troubleshoot best place this scenario can be accounted for, running a test on my target site or giving you the site privately.

To Reproduce
Steps to reproduce the behavior:

1. The script responds by saying the error output from line 77 in file 'typo3scan.py' of "It seems that Typo3 is not used on this domain"
2. Tracing this back through the code, it looks like the "check_root" function looks for specific typo3 keywords on line 100 of file 'domain.py' in the re.search() method, but since my target site is responding with a 503 error response, it fails this check?
3. The footer of the page still contains the text that is searched for in the "check_404" method, just not what's in the "check_root" method.

footer text of the page:

TYPO3 is an open source content management system. To maintain the quality of the system and to improve it, please help us by donating.
		TYPO3 CMS. Copyright © 1998-2011 Kasper Skårhøj. Extensions are copyright of their respective owners. Go to http://typo3.com/ for details.
		TYPO3 comes with ABSOLUTELY NO WARRANTY. This is free software, and you are welcome to redistribute it under certain conditions. Obstructing the appearance of this notice is prohibited by law.

Describe the bug

typo3scan reported a vulnerability for the gridelements extension.

  [+] gridelements
   ├ Extension Title:       Grid Elements
   ├ Extension Repo:        https://extensions.typo3.org/extension/gridelements
   ├ Extension Url:         https://www.example.com/typo3conf/ext/gridelements
   ├ Current Version:       10.4.3 (stable)
   ├ Identified Version:    7.0.5
   ├ Version File:          https://www.example.com/typo3conf/ext/gridelements/ChangeLog
   └ Known Vulnerabilities:

     [!] TYPO3-EXT-SA-2022-009
      ├ Vulnerability Type: Cross-Site Scripting
      ├ Affected Versions:  7.6.1 - 0.0.0
      └ Advisory Url:       https://typo3.org/security/advisory/typo3-ext-sa-2022-009

This is a false positive. The problem is, the version is inferred from the changelog file, but this hasn't been kept up to date for a while. That means the identified version and hence the detected vulnerability is incorrect.

See extension's repository at https://gitlab.com/coderscare/gridelements where the ChangeLog file has been modified three years ago. Instead, it just begins with the line "See https://gitlab.com/coderscare/gridelements/commits/9-0 for a list of commits".

This is of course not helpful and I think it would be best if they don't keep the changelog file if it isn't used properly. But it is how it is.

On the other side, I understand that this can be a nightmare to parse for typo3scan. Just wanted to let you know about the false positive. Maybe you have a good idea about how to cope with this.

Hi,

it would be great to have an option to customise the User-Agent of the requests.

Thanks for your consideration.

HTTPSConnectionPool(host='www.emp.com', port=443): Max retries exceeded with url: / (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7fa9b1fecbe0>: Failed to establish a new connection: [Errno -2] Name or service not known'))
Traceback (most recent call last):
File "typo3scan.py", line 199, in
main.run()
File "typo3scan.py", line 70, in run
check.check_root()
File "/root/Typo3Scan/lib/domain.py", line 96, in check_root
if re.search('powered by TYPO3', response['html']):
TypeError: 'NoneType' object is not subscriptable

Describe the bug\

Invoking ./typo3scan.py -d http://url/ --auth user:pass has no effect and the basic authentication credentials will not be used.

This is because

To Reproduce
Steps to reproduce the behavior:

1. Set up a Typo 3 with basic auth in front of it
2. Scan with ./typo3scan.py -d http://url/ --auth user:pass
3. Observe the message [x] It seems that Typo3 is not used on this domain

Expected behavior
Command line option should be taken into consideration.

As a workaround I wrote the credentials into the config.json file.

Hey!
Good work with the Tool. It would be nice if you can add a paramater to give the tool cookies. This could handle pre-authentication while pentesting.