@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
.:. Exploit Title > MediaWiki < 1.29.1 - Multiple Vulnerabilities
.:. Google Dorks .:.
inurl:/index.php/Main_Page
inurl:mw-config/index.php
"The MediaWiki logo" "Please set up the wiki first"
.:. Date: August 27, 2017
.:. Exploit Author: bRpsd
.:. Skype contact: vegnox
.:. Mail contact: cy@live.no
.:. Vendor Homepage > https://www.mediawiki.org/
.:. Software Link > https://releases.wikimedia.org/mediawiki/1.29/mediawiki-1.29.1.tar.gz
.:. Version: 1.29.1 latest!
.:. Tested on > Linux, on local xampp
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Vulnerability 1: Weak upgrade key set in the configuration
After the first setup of the script, a 16-character key is generated and saved in the configuration as the upgrade key.
It allows the key holder to upgrade the CMS to the latest version.
The key consists of lowercase letters and digits only:
abcdefghijklmnopqrstuvwxyz0123456789
which is pretty weak and can be brute forced easily, since there's no reCAPTCHA system or attempt limit when upgrading!
Page Path: http://localhost/mw-config/?page=ExistingWiki
Vulnerability 2: Download database + configuration at any time, just like the first.
Anyone who accesses the upgrade page with the upgrade key, which can be acquired easily through the previous vulnerability, can download the entire database and configuration by just setting the localsettings variable to 1:
http://localhost/mw-config/?localsettings=1
-Enjoy
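
Detection sketch for both issues above, as an added example that is not part of the original advisory or of MediaWiki: it scans web server access logs for repeated requests to the upgrade page from one client and for any request carrying localsettings=1. The Apache combined log format, the rule names, the threshold of 3 requests per minute and the sample log lines are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Apache combined log format (assumed): client IP, timestamp, request line.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+) [^"]*" \d{3} ')

def _line(ip, hhmmss, request):
    return f'{ip} - - [27/Aug/2017:{hhmmss} +0000] "{request} HTTP/1.1" 200 2048 "-" "-"'

# Constructed sample log (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    _line("192.0.2.10", "10:00:00", "GET /index.php/Main_Page"),
    _line("192.0.2.10", "10:00:05", "GET /mw-config/?page=ExistingWiki"),
    *[_line("198.51.100.7", f"10:01:0{s}", "POST /mw-config/?page=ExistingWiki") for s in range(5)],
    _line("203.0.113.5", "10:02:00", "GET /mw-config/?localsettings=1"),
]

def detect(lines, max_hits=3, window=timedelta(minutes=1)):
    """Return (rule, client_ip) alerts for installer abuse seen in access-log lines."""
    hits = defaultdict(list)   # client IP -> recent upgrade-page request times
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, ts, target = m.groups()
        url = urlsplit(target)
        if not url.path.startswith("/mw-config"):
            continue
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        query = parse_qs(url.query)
        # Rule 1: any request for the configuration download.
        if query.get("localsettings") == ["1"]:
            alerts.append(("localsettings-download", ip))
        # Rule 2: more than max_hits upgrade-page requests from one client in the window.
        if query.get("page") == ["ExistingWiki"]:
            recent = [t for t in hits[ip] if when - t <= window] + [when]
            hits[ip] = recent
            if len(recent) == max_hits + 1:   # alert once, when the threshold is crossed
                alerts.append(("upgrade-key-guessing", ip))
    return alerts

if __name__ == "__main__":
    for rule, ip in detect(SAMPLE_LOG):
        print(f"ALERT {rule} from {ip}")
```

On a wiki that is already installed, any traffic to /mw-config/ is unusual, so both thresholds can be set low.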