Arbitrary commands can be injected when installing DokuWiki through the panel's quick-install feature.
Users authenticated with the “User” role can inject commands, and the injected commands run as the “admin” user.
Attackers can inject commands through $options['wiki_name'] and the other $options['XXX'] variables.
[1] login to panel with user account.
[2] Open the WEB tab: https://XX.XX.XX.XX:8083/list/web/
[3] Click “Add Web Domain”.
[4] Enter a random domain in the domain field and save.
[5] On the “Edit Web Domain” page, click “Quick Install App”.
[6] Click the “Setup” button for DokuWiki.
[7] All fields are vulnerable; enter the payload in the “Wiki Name” field, fill in the other fields, then click the Install button.
// payload
aa'; echo "injected" > /tmp/test; id >> /tmp/test ; echo '1
[9] Wait 10 seconds. /tmp/test now contains:
injected
uid=1001(admin) gid=1001(admin) groups=1001(admin)
https://drive.google.com/file/d/1wNuGVhsnhmhvUcUa8-LKekuL3DbO4smA/view?usp=sharing
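The root cause above is an unvalidated $options['wiki_name'] value interpolated into a shell command. The following is an added example, not HestiaCP's or DokuWiki's own code, showing the fix pattern a maintainer would apply: allowlist the value, then quote it with escapeshellarg() as defence in depth. The function names, the $options array shape and the installer script path are hypothetical.

```php
<?php
// Added example (not project code): safe handling of a user-supplied wiki name
// before it reaches a shell command. wikiNameIsSafe(), buildInstallCommand()
// and /PLACEHOLDER/install-dokuwiki.sh are hypothetical names.

function wikiNameIsSafe(string $name): bool
{
    // Allowlist: letters, digits, space, dot, dash, underscore; 1..64 chars.
    // Quotes, semicolons, redirections and newlines never match, so the
    // injection shown in the report is rejected before any shell is involved.
    return preg_match('/^[A-Za-z0-9 ._-]{1,64}$/', $name) === 1;
}

function buildInstallCommand(array $options): string
{
    $name = $options['wiki_name'] ?? '';
    if (!wikiNameIsSafe($name)) {
        throw new InvalidArgumentException('wiki_name contains disallowed characters');
    }
    // escapeshellarg() wraps the value in single quotes and escapes embedded
    // quotes, so the shell sees exactly one argument even if the allowlist
    // is loosened later. The installer should also run as the domain's own
    // unprivileged user rather than as "admin".
    return 'sh /PLACEHOLDER/install-dokuwiki.sh --title ' . escapeshellarg($name);
}

// Constructed inputs: a normal name is accepted and quoted; a name carrying
// a single quote and a command separator is rejected.
$good = ['wiki_name' => 'Team Wiki'];
$bad  = ['wiki_name' => "aa'; id; echo '1"];

echo buildInstallCommand($good), "\n";
try {
    buildInstallCommand($bad);
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```

Running this prints the quoted command for the first input and “rejected: wiki_name contains disallowed characters” for the second; the same two-layer check should be applied to every other $options['XXX'] field the installer passes to a shell.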