Tiki wiki CMS Groupware 17.1 Multiple Vulnerabilities
This post covers vulnerabilities I found in Tiki Wiki CMS 17.1; the PoCs were created on Windows 10 with Firefox 57.0.2.
Link to download: https://tiki.org/Download
# Exploit Title : Tiki wiki CMS v17.1
# Exploit Author : Pranav Jagtap
# Tested On : Windows 10 64 Bit
# LinkedIn : iampranavjagtap
# Twitter : @pranavH4x0r
Vulnerability Title : XSS through SVG File Upload
Authentication : Required
Description:
The CMS accepts an upload with a .png extension whose content is actually an SVG document, without checking the file's contents against its extension.
Step 1: Create a .txt file with the SVG content below
<?xml version="1.0" standalone="no"?><!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"><svg onload="alert(1)" xmlns="http://www.w3.org/2000/svg"><defs><font id="x"><font-face font-family="y"/></font></defs></svg>
Step 2: Save this file with a .png extension, since the CMS rejects uploads with a .svg extension.
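To make the missing check concrete, here is an added example (not Tiki's own code) of an upload validator that judges a file by its leading bytes rather than by its extension, so an SVG document renamed to .png is rejected; the allowed-type list, the sample bytes and the function names are assumptions.

```python
# Added example, not Tiki code: content-based validation for an image upload.
import re

# Magic numbers for the raster formats this hypothetical endpoint accepts.
MAGIC = {
    "image/png": b"\x89PNG\r\n\x1a\n",
    "image/jpeg": b"\xff\xd8\xff",
    "image/gif": b"GIF8",
}
ALLOWED = {"png": "image/png", "jpg": "image/jpeg",
           "jpeg": "image/jpeg", "gif": "image/gif"}

# SVG is XML: an XML declaration, DOCTYPE or <svg root at the start of the
# file identifies it no matter what extension the file name carries.
SVG_HINT = re.compile(rb"^\s*(<\?xml|<!DOCTYPE|<svg)", re.IGNORECASE)


def sniff(data: bytes) -> str:
    """Return the MIME type implied by the file's leading bytes."""
    for mime, magic in MAGIC.items():
        if data.startswith(magic):
            return mime
    if SVG_HINT.match(data[:1024]) and b"<svg" in data[:4096].lower():
        return "image/svg+xml"
    return "application/octet-stream"


def validate_upload(filename: str, data: bytes) -> tuple:
    """Accept only when the extension is allowed AND the bytes match it."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    expected = ALLOWED.get(ext)
    if expected is None:
        return False, f"extension {ext!r} not allowed"
    actual = sniff(data)
    if actual != expected:
        return False, f"content is {actual}, not {expected}"
    return True, expected


# Constructed samples: an SVG document named as if it were a PNG, and a
# minimal PNG signature standing in for a real image.
SVG_AS_PNG = (b'<?xml version="1.0" standalone="no"?>'
              b'<svg xmlns="http://www.w3.org/2000/svg"></svg>')
REAL_PNG = MAGIC["image/png"] + b"\x00\x00\x00\rIHDR"

if __name__ == "__main__":
    print(validate_upload("avatar.png", SVG_AS_PNG))  # rejected: SVG bytes
    print(validate_upload("avatar.png", REAL_PNG))    # accepted
    print(validate_upload("avatar.svg", SVG_AS_PNG))  # rejected: .svg not allowed
```

Serving stored uploads with the sniffed Content-Type and X-Content-Type-Options: nosniff closes the same gap on the download side.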
POC VIDEO
==============================================================
Vulnerability Title : CSV Injection
Authentication : Required
Description:
The CMS does not validate user input for special characters, so an attacker can
store a spreadsheet formula that opens a command prompt or Calculator on the
victim's machine when the exported CSV is opened.
I entered the payload =cmd|' /C calc'!A0 .
Please check out the video for more info.
POC VIDEO
==============================================================
Vulnerability Title : HTML Injection
Authentication : Required
Description:
HTML injection is an attack that is similar to Cross-site
Scripting (XSS). While in the XSS vulnerability the attacker can inject and
execute JavaScript code, the HTML injection attack only allows the injection of
certain HTML tags. When an application does not properly handle user supplied
data, an attacker can supply valid HTML code, typically via a parameter value,
and inject their own content into the page. This attack is typically used in
conjunction with some form of social engineering, as the attack is exploiting a
code-based vulnerability and a user's trust.
A possible attack scenario is demonstrated below:
- Attacker discovers injection vulnerability and decides to use an
HTML injection attack
- Attacker crafts malicious link, including his injected HTML
content, and sends it to a user via email
- The user visits the page because it sits on a trusted domain
- The attacker's injected HTML is rendered and presented to the user,
asking for a username and password
- The user enters a username and password, which are both sent to the attacker's server.
I entered the payload <h1>hacked</h1>
into the input field on Calendar and saved it.
Please check out the video for more info.
POC VIDEO