Vulhub vulnerability recurrence 69_ Tiki Wiki

CVE-2020-15906_Tiki Wiki CMS Groupware Authentication bypass vulnerability

Vulnerability Details

Tiki Wiki CMS Groupware Or for short Tiki（ Originally known as TikiWiki） Is a free and open source based on Wiki Content management system and online office suite . In the following versions 21.2, 20.4, 19.3, 18.7, 17.3, 16.4 There is a logical error before , The administrator account was exploded 60 It will be locked more than times , At this time, you can log in to the background as an administrator by using a blank password .

Reference link ：

- https://info.tiki.org/article473-Security-Releases-of-all-Tiki-versions-since-16-3

- https://github.com/S1lkys/CVE-2020-15906

-http://packetstormsecurity.com/files/159663/Tiki-Wiki-CMS-Groupware-21.1-Authentication-Bypass.html

- https://srcincite.io/pocs/cve-2021-26119.py.txt

Vulnerability environment

shooting range ：192.168.4.10_ubuntu

Execute the following command to start a Tiki Wiki CMS 21.1：

#docker-compose up -d

After the environment starts , visit `http://your-ip:8080` You can see its welcome page .

Loophole recurrence

We can use <https://srcincite.io/pocs/cve-2021-26119.py.txt> Medium [POC](poc.py) To reproduce . The POC First use CVE-2020-15906 Bypass Authentication , Get administrator privileges ; Reuse Smarty Sandbox bypass vulnerability of （CVE-2021-26119） Execute arbitrary commands in the background ：

#Python3 poc.py your-ip:8080 / id

Be careful , Affected by the principle of vulnerability , Execute this POC It will cause the administrator account to be locked .