Hello aspiring hackers. In this howto, we will see another file upload exploit , this time in Tiki Wiki CMS Groupware version <=15.1. Tiki Wiki CMS Groupware or simply Tiki, originally known as TikiWiki, is a free and open source Wiki-based content management system and online office suite. It contains a number of collaboration features allowing it to operate as a Groupware. Groupware is an application software designed to help people involved in a common task to achieve their goals.
This exploit takes advantage of a RFI vulnerability in one of the 3rd party components, ELFinder 2.0. This component comes with default example page which demonstrates file operations such as upload, remove, rename, create directory etc. Default configuration does not force validations such as file extension, content-type etc. Thus, unauthenticated user can upload a PHP file.
Start Metasploit and load the exploit as shown below. Type command “show options” to see the options required to run this exploit.
Set the target as shown below and check if it is vulnerable using “check“command.
Type command “show payloads” to see the payloads we can set to this exploit. Set the payload as I have set below.
Check the options once again after setting the payload. They should look like below.
Let’s run this exploit by typing command “run”. We can see that we successfully got the meterpreter shell on the target as shown below.