![\"0\"](\"https://assets.ine.com/content/labs/vulnerability-labs/Tiki-Wiki_Auth_Bypass_CVE-2020-15906/0.png\")
In 2020, a high-risk vulnerability was found in Tiki-Wiki CMS. The Tiki-Wiki before 21.2 is vulnerable to authentication bypass vulnerability by setting a blank password of the admin user after the 50 invalid login attempts.
\nThe CVE assigned to this vulnerability is CVE-2020-15906. The severity base score of this vulnerability is 9.8, which is considered critical.
\nRead More:
\nThis security research was performed by Maximilian Barz
", "tasks": "# Lab Environment\n\nIn this lab environment, the user is going to get access to a Kali GUI instance. A Tiki-Wiki CMS is vulnerable to authentication bypass vulnerability, identified by CVE-2020-15906, is running on the target server. It can be accessed using the tools installed on Kali at http://demo.ine.local\n\nYour task is to fingerprint the Tiki CMS using the tools available on the Kali machine. Then, exploit it using the appropriate method.\n\nThe setup is based on: [vulhub](https://github.com/vulhub/vulhub/tree/master/tikiwiki/CVE-2020-15906)\n\n**Objective:** Exploit the Tiki CMS using the burp and other tools to access the admin control panel.\n\n\n\n\n# Tools\n\nThe best tools for this lab are:\n\n- Nmap\n- Bash Shell\n- Metasploit Framework\n- Burp Suite\n- Python\n\n**Please go ahead ONLY if you have COMPLETED the lab or you are stuck! Checking the solutions before actually trying the concepts and techniques you studied in the course will dramatically reduce the benefits of a hands-on lab!**", "tasks_html": "In this lab environment, the user is going to get access to a Kali GUI instance. A Tiki-Wiki CMS is vulnerable to authentication bypass vulnerability, identified by CVE-2020-15906, is running on the target server. It can be accessed using the tools installed on Kali at http://demo.ine.local
\nYour task is to fingerprint the Tiki CMS using the tools available on the Kali machine. Then, exploit it using the appropriate method.
\nThe setup is based on: vulhub
\nObjective: Exploit the Tiki CMS using the burp and other tools to access the admin control panel.
\n
The best tools for this lab are:
\nPlease go ahead ONLY if you have COMPLETED the lab or you are stuck! Checking the solutions before actually trying the concepts and techniques you studied in the course will dramatically reduce the benefits of a hands-on lab!
", "published_date": "2022-11-03T15:39:56.243239Z", "solutions": "**What is Tiki Wiki CMS?**\n\nTiki Wiki CMS Groupware is a free and open-source wiki-based content management system and Online office suite containing a number of collaboration features allowing it to operate as a Geospatial Content Management System.\n\nSource: https://en.wikipedia.org/wiki/Tiki_Wiki_CMS_Groupware\n\n**Vulnerable Version**\n\n- Tiki Wiki Cms Groupware 16.x - 21.1\n\n**Affected File**\n\n- tiki-login.php\n\n# Solution\n\n**Step 1:** Open the lab link to access the Kali machine.\n\n**Kali machine**\n\n\n\n**Step 2:** Check if we can access the provided machine.\n\n**Command**\n\n```\nping -c 4 demo.ine.local\n```\n\n\n\nThe provided machine is reachable.\n\n**Step 3:** Now, check all open ports on the machine.\n\n**Command**\n\n```\nnmap demo.ine.local\n```\n\n\nThree ports are open, i.e., 22, 80, and 3306.\n\n**Step 4:** Run the firefox browser and access the Tiki CMS on port 80.\n\n**URL: http://demo.ine.local**\n\n**Note: Wait for 1-2 minutes to Tiki-Wiki CMS to load**\n\n\n\nIn the default installation, there is a file in the tiki cms folder, i.e., changelog.txt; in this file, we can find the currently running version of Tiki CMS.\n\n**URL http://demo.ine.local/changelog.txt**\n\n\n\nWe can notice that the Tiki cms version is 21.1.\n\n**Step 5:** We can use the searchsploit tool to find the vulnerability and a PoC code to the Tiki version 21.1\n\n**Commands**\n\n```\nsearchsploit tiki | grep 21.1\n```\n\n\nTiki Wiki CMS Groupware 21.1 is vulnerable to authentication bypass vulnerability.\n\n**Step 6:** Now, let's start the burp suite and intercept the tiki-login.php request.\n\nAfter exploiting the CVE-2020-15906 vulnerability attacker can gain access to the whole Tiki Wiki CMS. We are using the burp suite to send 50 invalid requests, and the **admin** user, would be locked. Then, an attacker can use an empty password using burp suite to bypass the authentication.\n\nStarting burp suite\n\n\n\nOn the firefox browser, enable the proxy in the FoxyProxy plugin.\n\n\n\nNow, enter any random password with admin user and intercept the tiki-login.php page request. \n\n**URL: http://demo.ine.local/tiki-login.php**\n\n\n\nEnter **admin:admin** as creds\n\n\n\nLogin request captured\n\n\n\nLet's send the captured request to the intruder.\n\n\n\nSwitch view to **Position** and click on **clear**\n\n\n\nIn this case, we only want to change the **pass** value, so select that and click on **Add**\n\n\n\nNow, switch to payloads and load the sample password file.\n\n**Path: /root/Desktop/wordlists/100-common-passwords.txt**\n\n\n\n\n\nNow, we are all set to run the attack. Click on **Start attack** and wait till 50 requests.\n\n\n\n\n\nOnce we get the message on the login page **Account requires administrator approval.** this confirms that we have locked the admin user.\n\nNow, stop the attack and go to the **proxy**\n\n\n\nHere, we will remove the **pass** value, keep it empty, and forward all requests.\n\n\n\nWe are accessing the Tiki CMS using an empty password, allowing us to access the Tiki admin panel.\n\n**Note: Remember to turn off the proxy**\n\n\n\nAs we can notice, we have successfully logged in as an admin user on the Tiki CMS by exploiting the **CVE-2020-15906**.\n\nThere is also a python script that makes this job more manageable. But before you use this script, restart the lab because we have already locked the admin user account.\n\n**Python script:** https://github.com/S1lkys/CVE-2020-15906/blob/master/TikiWiki_21.1_Authentication_Bypass.py \n\n# References\n\n 1. [Tiki-Wiki CMS](https://tiki.org/HomePage)\n 2. [PoC](https://github.com/S1lkys/CVE-2020-15906/blob/master/Tiki-Wiki%20Authentication%20Bypass.pdf)\n 3. [CVE-2020-15906](https://nvd.nist.gov/vuln/detail/CVE-2020-15906)", "solutions_html": "What is Tiki Wiki CMS?
\nTiki Wiki CMS Groupware is a free and open-source wiki-based content management system and Online office suite containing a number of collaboration features allowing it to operate as a Geospatial Content Management System.
\nSource: https://en.wikipedia.org/wiki/Tiki_Wiki_CMS_Groupware
\nVulnerable Version
\nAffected File
\nStep 1: Open the lab link to access the Kali machine.
\nKali machine
\n![\"1\"](\"https://assets.ine.com/content/labs/vulnerability-labs/Tiki-Wiki_Auth_Bypass_CVE-2020-15906/1.jpg\")
Step 2: Check if we can access the provided machine.
\nCommand
\nping -c 4 demo.ine.local![\"2\"](\"https://assets.ine.com/content/labs/vulnerability-labs/Tiki-Wiki_Auth_Bypass_CVE-2020-15906/2.jpg\")
The provided machine is reachable.
\nStep 3: Now, check all open ports on the machine.
\nCommand
\nnmap demo.ine.local![\"3\"](\"https://assets.ine.com/content/labs/vulnerability-labs/Tiki-Wiki_Auth_Bypass_CVE-2020-15906/3.jpg\")
\nThree ports are open, i.e., 22, 80, and 3306.
\nStep 4: Run the firefox browser and access the Tiki CMS on port 80.
\nURL: http://demo.ine.local
\nNote: Wait for 1-2 minutes to Tiki-Wiki CMS to load
\n![\"4\"](\"https://assets.ine.com/content/labs/vulnerability-labs/Tiki-Wiki_Auth_Bypass_CVE-2020-15906/4.jpg\")
In the default installation, there is a file in the tiki cms folder, i.e., changelog.txt; in this file, we can find the currently running version of Tiki CMS.
\nURL http://demo.ine.local/changelog.txt
\n![\"4_1\"](\"https://assets.ine.com/content/labs/vulnerability-labs/Tiki-Wiki_Auth_Bypass_CVE-2020-15906/4_1.jpg\")
We can notice that the Tiki cms version is 21.1.
\nStep 5: We can use the searchsploit tool to find the vulnerability and a PoC code to the Tiki version 21.1
\nCommands
\nsearchsploit tiki | grep 21.1![\"5\"](\"https://assets.ine.com/content/labs/vulnerability-labs/Tiki-Wiki_Auth_Bypass_CVE-2020-15906/5.jpg\")
\nTiki Wiki CMS Groupware 21.1 is vulnerable to authentication bypass vulnerability.
\nStep 6: Now, let's start the burp suite and intercept the tiki-login.php request.
\nAfter exploiting the CVE-2020-15906 vulnerability attacker can gain access to the whole Tiki Wiki CMS. We are using the burp suite to send 50 invalid requests, and the admin user, would be locked. Then, an attacker can use an empty password using burp suite to bypass the authentication.
\nStarting burp suite
\n![\"6\"](\"https://assets.ine.com/content/labs/vulnerability-labs/Tiki-Wiki_Auth_Bypass_CVE-2020-15906/6.jpg\")
On the firefox browser, enable the proxy in the FoxyProxy plugin.
\n![\"6_1\"](\"https://assets.ine.com/content/labs/vulnerability-labs/Tiki-Wiki_Auth_Bypass_CVE-2020-15906/6_1.jpg\")
Now, enter any random password with admin user and intercept the tiki-login.php page request.
\nURL: http://demo.ine.local/tiki-login.php
\n![\"6_2\"](\"https://assets.ine.com/content/labs/vulnerability-labs/Tiki-Wiki_Auth_Bypass_CVE-2020-15906/6_2.jpg\")
Enter admin:admin as creds
\n![\"6_3\"](\"https://assets.ine.com/content/labs/vulnerability-labs/Tiki-Wiki_Auth_Bypass_CVE-2020-15906/6_3.jpg\")
Login request captured
\n![\"6_4\"](\"https://assets.ine.com/content/labs/vulnerability-labs/Tiki-Wiki_Auth_Bypass_CVE-2020-15906/6_4.jpg\")
Let's send the captured request to the intruder.
\n![\"6_5\"](\"https://assets.ine.com/content/labs/vulnerability-labs/Tiki-Wiki_Auth_Bypass_CVE-2020-15906/6_5.jpg\")
Switch view to Position and click on clear
\n![\"6_6\"](\"https://assets.ine.com/content/labs/vulnerability-labs/Tiki-Wiki_Auth_Bypass_CVE-2020-15906/6_6.jpg\")
In this case, we only want to change the pass value, so select that and click on Add
\n![\"6_7\"](\"https://assets.ine.com/content/labs/vulnerability-labs/Tiki-Wiki_Auth_Bypass_CVE-2020-15906/6_7.jpg\")
Now, switch to payloads and load the sample password file.
\nPath: /root/Desktop/wordlists/100-common-passwords.txt
\n![\"6_8\"](\"https://assets.ine.com/content/labs/vulnerability-labs/Tiki-Wiki_Auth_Bypass_CVE-2020-15906/6_8.jpg\")
![\"6_9\"](\"https://assets.ine.com/content/labs/vulnerability-labs/Tiki-Wiki_Auth_Bypass_CVE-2020-15906/6_9.jpg\")
Now, we are all set to run the attack. Click on Start attack and wait till 50 requests.
\n![\"6_10\"](\"https://assets.ine.com/content/labs/vulnerability-labs/Tiki-Wiki_Auth_Bypass_CVE-2020-15906/6_10.jpg\")
![\"6_11\"](\"https://assets.ine.com/content/labs/vulnerability-labs/Tiki-Wiki_Auth_Bypass_CVE-2020-15906/6_11.jpg\")
Once we get the message on the login page Account requires administrator approval. this confirms that we have locked the admin user.
\nNow, stop the attack and go to the proxy
\n![\"6_12\"](\"https://assets.ine.com/content/labs/vulnerability-labs/Tiki-Wiki_Auth_Bypass_CVE-2020-15906/6_12.jpg\")
Here, we will remove the pass value, keep it empty, and forward all requests.
\n![\"6_13\"](\"https://assets.ine.com/content/labs/vulnerability-labs/Tiki-Wiki_Auth_Bypass_CVE-2020-15906/6_13.jpg\")
We are accessing the Tiki CMS using an empty password, allowing us to access the Tiki admin panel.
\nNote: Remember to turn off the proxy
\n![\"6_14\"](\"https://assets.ine.com/content/labs/vulnerability-labs/Tiki-Wiki_Auth_Bypass_CVE-2020-15906/6_14.jpg\")
As we can notice, we have successfully logged in as an admin user on the Tiki CMS by exploiting the CVE-2020-15906.
\nThere is also a python script that makes this job more manageable. But before you use this script, restart the lab because we have already locked the admin user account.
\nPython script: https://github.com/S1lkys/CVE-2020-15906/blob/master/TikiWiki_21.1_Authentication_Bypass.py
\n