
CVE-2020-15906 PoC — Tiki security vulnerability

Associated vulnerability
Title: Tiki security vulnerability (CVE-2020-15906)
Description: tiki-login.php in Tiki before 21.2 sets the admin password to a blank value after 50 invalid login attempts.

Description
Writeup of CVE-2020-15906

Readme
# CVE-2020-15906
Writeup of CVE-2020-15906.
Special thanks to Frederic Mohr (Lastbreach) for your backend support.


## Tiki Wiki CMS Groupware 16.x - 21.1 Authentication Bypass by Maximilian Barz
I have found a new vulnerability in TikiWiki CMS Groupware 16.x - 21.1. It allows remote,
unauthenticated attackers to bypass the login page, which results in a full compromise of Tiki Wiki
CMS. An attacker is able to brute-force the admin account until it is locked. After that, an empty
password can be used to authenticate as admin and gain access.

## Affected file: tiki-login.php

## CVSS 3.1 Base Score: 9.3
![CVSS Score](https://github.com/S1lkys/CVE-2020-15906/blob/master/CVSS%203.1.png)

# Walkthrough / PoC
### Normal condition
Take a look at the database. This is what the admin row looks like right after Tiki was installed
(note that provpass is empty).
![Step1](https://github.com/S1lkys/CVE-2020-15906/blob/master/Step1.png)

### Step 1
Brute-forcing the admin login results in about 15 "Invalid user or password" errors; then the message
should say "The mail cannot be sent", maybe a verification problem because of too many requests.
![Step2](https://github.com/S1lkys/CVE-2020-15906/blob/master/Step2.png)

### Step 2
Keep brute-forcing, just to be sure. If the mail can't be sent, a different error message appears.
Just before the 50th request the message changes again: now the account is locked.
![Step3](https://github.com/S1lkys/CVE-2020-15906/blob/master/Step3.png)

### Step 3
If we now take a look inside the DB, we can see that provpass got set.

![Step4](https://github.com/S1lkys/CVE-2020-15906/blob/master/Step4.png)


### Step 4
Now try another login attempt, but remove the password from the request.
![Burpsuite](https://github.com/S1lkys/CVE-2020-15906/blob/master/Burpsuite.png)
# Result: Admin access is granted.
![Admin Access](https://github.com/S1lkys/CVE-2020-15906/blob/master/Admin%20Access.png)
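As an added defender-side example (not part of the original writeup or of the Tiki project), the following replays constructed login events against the sequence shown above: failures against one account crossing the 50-attempt lockout, followed by a successful login with an empty password. The event format, its assumed source (a proxy or WAF that records only the password field's length, never its value) and the sample addresses are assumptions.

```python
from collections import defaultdict

LOCKOUT_THRESHOLD = 50  # Tiki < 21.2 blanks the admin password after this many failed logins


def analyse(events, threshold=LOCKOUT_THRESHOLD):
    """Return alert strings for the CVE-2020-15906 sequence.

    Each event is a dict with keys ts, user, src, ok (login succeeded?) and
    pass_len (length of the submitted password; 0 = field empty or absent).
    Assumption: the events come from a proxy/WAF that records field lengths,
    never password values. Tiki itself does not emit this format.
    """
    failures = defaultdict(int)   # consecutive failed logins per account
    locked = set()                # accounts that hit the lockout threshold
    alerts = []
    for e in events:
        user, ts, src = e["user"], e["ts"], e["src"]
        if not e["ok"]:
            failures[user] += 1
            if failures[user] == threshold:
                locked.add(user)
                alerts.append(f"{ts} LOCKOUT {user}: {threshold} failed logins from {src}; "
                              f"on Tiki < 21.2 the password is now blank, check provpass in the DB")
            continue
        if e["pass_len"] == 0:
            # A successful login with no password is never legitimate; after a
            # lockout it is exactly the bypass described in the writeup.
            kind = "BYPASS" if user in locked else "EMPTY-PASSWORD-LOGIN"
            alerts.append(f"{ts} {kind} {user}: empty-password login from {src}")
        failures[user] = 0        # a real success resets the failure counter
    return alerts


# Constructed sample: 50 failures against admin, then a blank-password success,
# then an unrelated user who mistypes once and logs in normally.
SAMPLE_EVENTS = (
    [{"ts": f"2020-10-01T12:00:{i:02d}", "user": "admin", "src": "203.0.113.7",
      "ok": False, "pass_len": 8} for i in range(50)]
    + [{"ts": "2020-10-01T12:01:00", "user": "admin", "src": "203.0.113.7",
        "ok": True, "pass_len": 0},
       {"ts": "2020-10-01T12:02:00", "user": "alice", "src": "198.51.100.2",
        "ok": False, "pass_len": 10},
       {"ts": "2020-10-01T12:02:05", "user": "alice", "src": "198.51.100.2",
        "ok": True, "pass_len": 10}]
)

if __name__ == "__main__":
    for line in analyse(SAMPLE_EVENTS):
        print(line)
```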

A full walkthrough video can be viewed on YouTube (videos are not publicly available):
https://www.youtube.com/watch?v=v2YEpMsxcbA

PoC exploit video on YouTube:
https://youtu.be/o3blz2US54Y

### Exploit-DB
https://www.exploit-db.com/exploits/48927

### Article on Portswigger.net
https://portswigger.net/daily-swig/amp/tikiwiki-authentication-bypass-flaw-gives-attackers-full-control-of-websites-intranets

### Credits
Maximilian Barz (OSCP)
Email: mbzra@protonmail.com
Twitter: S1lky_1337

File snapshot

```
/data/pocs/5bde723ccd023342fb625235f6b7a916c2fd5dd0
├── [ 34K] Admin Access.png
├── [ 98K] Burpsuite.png
├── [ 11K] CVSS 3.1.png
├── [2.4K] README.md
├── [8.7K] Step1.png
├── [ 14K] Step2.png
├── [10.0K] Step3.png
├── [8.5K] Step4.png
├── [6.1K] TikiWiki_21.1_Authentication_Bypass.py
└── [174K] Tiki-Wiki Authentication Bypass.pdf

0 directories, 10 files
```