Textpattern until version 4.8.3 allows authenticated users to upload any PHP file. This script automates the process and allows to delete the uploaded file.
python3 exploit.py -t TARGET -u USER -p PASSWORD [-c COMMAND] [-f FILENAME] [-d]
- -t: Url to attack (without /textpattern)
- -u: Username
- -p: Password
- -c: Command to execute (Optional). Default: "whoami"
- -f: Uploaded PHP file name (Optional). Default: "testing.php"
- -d: Delete the uploaded PHP file (Optional). Default: False.