I am an alt account

0x00 Preface


Wiki, a word derived from the Hawaiian "wiki wiki" (pronounced "wee kee wee kee"), is a collaborative writing tool. The author has encountered wikis in the business lines of large Internet companies (such as Tencent, 360 and Xiaomi), where they are typically used as manuals introducing business functions and as internal project collaboration platforms. Common and widely deployed wiki programs include MediaWiki, DokuWiki, HDWiki and others, but because these programs receive little attention, many design defects in them have never been exposed or fixed, and several are enough to let an attacker getshell on the server with little effort, turning the wiki into an "invisible bomb" for enterprise information security. This article first covers common approaches to penetrating third-party wikis, then walks through exploits against two widely used wiki systems together with examples of the damage, and finally proposes solutions.

0x01 Common Ideas


I. Preparation: collecting the penetration targets of large enterprises in bulk

1) Use the Baidu or Google search engine with the keyword "site:XXXX.com inurl:wiki"; this easily yields many targets.

2) Use a subdomain brute-forcing tool to collect the enterprise's subdomains in bulk and pick out the wiki sites.

II. Attack: identify the wiki brand, collect the administrator list, break into the backend

Different brands of wiki programs call for slightly different penetration methods. Two wiki programs are commonly used by large Internet companies, MediaWiki and DokuWiki. In both, the administrators' user names can be collected quickly, after which weak passwords can be tried against a login page that enforces neither an attempt limit nor a CAPTCHA.

If you see a wiki with the following structure in the address bar, it is probably MediaWiki. Penetrating MediaWiki takes only three steps:

Step 1: Use MediaWiki's built-in search function to search for the "user creation log". Exploit: http://www.xxx.com/index.php?title=%E7%89%B9%E6%AE%8A%3A%E6%97%A5%E5%BF%97&type=newusers&user=&page=&year=&month=-1

Step 2: Use MediaWiki's default search function to search for the "permission change log", which helps quickly single out the administrators in the system and obtain their user names. Exploit: http://www.xxx.com/index.php?title=%E7%89%B9%E6%AE%8A%3A%E6%97%A5%E5%BF%97&type=rights&user=&page=&year=&month=-1

Step 3: MediaWiki's default login entry enforces no attempt limit and no CAPTCHA, so the last step is simply to load the user names collected above together with a dictionary and brute-force weak passwords. Exploit: http://www.xx.com/index.php?title=Special:UserLogin

If you are lucky enough to hit a common weak password, you can log in to the backend and modify the wiki's content. Because the MediaWiki administrator has no elevated upload permissions and cannot upload PHP files, getting a shell may be somewhat difficult, but you can now alter the content of the entire enterprise's business-introduction site. These sites are mostly enterprise-facing open platforms, so the impact is already large enough.

Approach to penetrating the DokuWiki system

If you see a wiki application with the following UI style, it is DokuWiki, and again there are only three steps to penetrate the target. Note that, due to a design flaw in DokuWiki's backend, simply being able to log in to an administrator account means getshell, from which the intranet can then be penetrated:

Step 1: Find the list of users in the DokuWiki system:

In DokuWiki's media manager, the revision history of each file explicitly lists the users that exist in the system along with their user names.

Exploit: http://www.xxx.com/doku.php?id=start&do=media&ns=

Users in the system can also be gleaned easily from DokuWiki's page revision history.

Exploit: http://www.xxx.com/doku.php?id=start&do=revisions

Some wiki systems even allow direct registration; you can try registering a user through the link below to get inside the enterprise wiki.

Exploit: http://www.xxx.com/doku.php?id=start&do=register

Step 2: Find the default login entry of the DokuWiki system. Again, there is no attempt limit and no CAPTCHA, so load the user names collected above and a dictionary directly for weak-password brute forcing. DokuWiki's default login entry:

http://www.xxx.com/doku.php?id=start&do=login

Step 3: Log in to the admin backend and use DokuWiki's plugin (extension) management function to getshell: http://www.xxx.com/doku.php?id=start&do=admin&page=extension

0x02 Real Cases


[Example 1] The administrator of a DokuWiki system had a weak password, leading directly to getshell in the backend. A white hat found that the administrator of a DokuWiki system used a weak password; after logging in, the white hat entered the plugin management interface mentioned in the DokuWiki approach above, got a shell, and successfully obtained control of the server.

[Example 2] An internal NetEase portal wiki did not verify registration permissions, so a registered user could read internal information directly. The author found a NetEase internal wiki system through the Baidu search engine; it was exposed externally with registration enabled, so anyone who registered with their own e-mail could log in to the system and obtain a small amount of internal information. Because some protection was in place and user-group permissions were isolated, the author did not obtain any higher-level permissions.

0x03 Solutions


  1. The vulnerabilities of third-party open-source wikis are in fact much like the well-known weak backend password problems of WordPress and Discuz. Those two types of site-building systems have clearly received enough attention; today's wiki systems have not. Deleting or renaming the default login and registration pages after deployment, configuring access restrictions for the backend in the enterprise WAF, and at the same time raising employees' security awareness to eliminate weak passwords can effectively prevent the enterprise wiki system from being penetrated by attackers and the server's highest privileges from being lost.

  2. When using a third-party open-source wiki as an internal collaboration platform, take special care to set permissions on each page and strictly limit registration of system accounts by external users.

  3. GitBook is a Node.js-based command-line tool that uses GitHub/Git and Markdown to build good-looking e-books.

Website: www.gitbook.com/
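As an added defensive example (not part of the original article), the following Python script turns the steps in 0x01 and the WAF/monitoring advice in 0x03 into detection logic over web-server access logs: it counts, per source IP, hits on the user-enumeration pages the article names (MediaWiki's log page with type=newusers or type=rights, DokuWiki's do=media, do=revisions and do=register) and flags any IP that POSTs to the default login page ten or more times inside sixty seconds. The log lines, IP addresses, timestamps and thresholds are constructed assumptions, not data from any real server.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse, parse_qs, unquote

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*"')  # combined log: ip ... [time] "METHOD url HTTP/x"

def classify(method, url):
    """'enum' for the user-harvesting pages from the article, 'login' for a login POST, else None."""
    u = urlparse(url)
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    if u.path.endswith("/index.php"):                              # MediaWiki
        title = unquote(q.get("title", ""))                        # %E7%89%B9%E6%AE%8A%3A%E6%97%A5%E5%BF%97 -> 特殊:日志
        if title in ("Special:Log", "特殊:日志") and q.get("type") in ("newusers", "rights"):
            return "enum"
        return "login" if title == "Special:UserLogin" and method == "POST" else None
    if u.path.endswith("/doku.php"):                               # DokuWiki
        if q.get("do") in ("media", "revisions", "register"):
            return "enum"
        return "login" if q.get("do") == "login" and method == "POST" else None

def analyze(log_text, window=60, threshold=10):
    """Per-IP enumeration hit counts, plus IPs with >= threshold login POSTs inside any window (seconds)."""
    hits, logins, brute = defaultdict(int), defaultdict(list), {}
    for m in filter(None, map(LOG_RE.match, log_text.splitlines())):
        ip, ts, method, url = m.groups()
        kind = classify(method, url)
        if kind == "enum":
            hits[ip] += 1
        elif kind == "login":
            logins[ip].append(datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"))
    for ip, times in logins.items():
        times, start = sorted(times), 0
        for end, t in enumerate(times):                            # sliding window over sorted times
            while (t - times[start]).total_seconds() > window:
                start += 1
            if end - start + 1 >= threshold:
                brute[ip] = max(brute.get(ip, 0), end - start + 1)
    return {"enum": dict(hits), "bruteforce": brute}

def sample_log():
    """Constructed sample lines (not from any real server) that replay the article's steps."""
    fmt = '{ip} - - [10/Oct/2023:13:55:{sec:02d} +0800] "{m} {url} HTTP/1.1" 200 1024 "-" "ua"'
    mw_log = "/index.php?title=%E7%89%B9%E6%AE%8A%3A%E6%97%A5%E5%BF%97&type={}&month=-1"
    lines = [fmt.format(ip="10.0.0.5", sec=1, m="GET", url=mw_log.format("newusers")),
             fmt.format(ip="10.0.0.5", sec=3, m="GET", url=mw_log.format("rights")),
             fmt.format(ip="10.0.0.9", sec=5, m="GET", url="/doku.php?id=start&do=revisions")]
    lines += [fmt.format(ip="10.0.0.5", sec=10 + i, m="POST",     # 12 login POSTs within 12 seconds
                         url="/index.php?title=Special:UserLogin&action=submitlogin") for i in range(12)]
    return "\n".join(lines)
```

Feeding a real access log to `analyze()` gives the per-IP counts a WAF rule or alert can act on; the window and threshold should be tuned to the site's normal login traffic.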