This repository contains a Proof of Concept (PoC) script for exploiting an XML parsing issue in the ID3 audio parsing library used by WordPress. The vulnerability allows authenticated users to upload modified WAVE files to perform XML External Entity (XXE) attacks, which can lead to further Server-Side Request Forgery (SSRF) and Remote File Inclusion (RFI) attacks.
- Python 3
- Node.js
Set up a virtual environment with virtualenv and install the dependencies from `requirements.txt` manually if you don't want this script polluting your global dependencies. Otherwise, run:

```
make
```
Run `python3 exploit.py` with the following arguments:

- `-u`, `--url`: The target URL
- `-l`, `--lhost`: The attacker's IP address
- `-p`, `--lport` (default: `8001`): The attacker's port
- `-cH`, `--cookie-hash`: The hash used in WordPress cookies
- `-cW`, `--cookie-wordpress`: The cookie of the WordPress session (`wordpress_[hash]`)
- `-cL`, `--cookie-logged`: The cookie of the logged-in session (`wordpress_logged_in_[hash]`)
- `-n`, `--nonce`: The nonce of the WordPress session
- `-pr`, `--proxy` (default: `None`): The proxy to use (`http://host:port`)
- `-v`, `--verbose` (default: `False`): Verbose mode
- `-nS`, `--not-save` (default: `False`): Disable saving files to the file system
Additionally, certain parameters can be set in the `.env` file. This file is not required, but it eliminates the need to enter a large number of parameters in the terminal every time the script is executed. As an example, here's how I used this file to set up an attack against the Hack The Box box MetaTwo:

```sh
TARGET='http://metapress.htb/'
LHOST='10.10.16.6'
HASH='498b28797b9ccef61e19f54e27d9e6f4'
WORDPRESS_COOKIE='manager%7C1676155045%7CJoADxvLEt4V94OLBKuHwgbm9JAWQfKDIVgRQGlVItGN%7C5a74c25670b66477ddf27cb52415423fab52c9a9282004cf3174a9dcf1d65528'
WORDPRESS_LOGGED_IN_COOKIE='manager%7C1676155045%7CJoADxvLEt4V94OLBKuHwgbm9JAWQfKDIVgRQGlVItGN%7C3a7d916aa2ac358609d948a526e3a04a115e7fe257964d045b2334d061a53a8b'
NONCE='058a70707b'
LPORT='8001'
```
The script first generates the malicious WAVE file. It then opens an interactive prompt that takes file paths and inserts them into the `evil.dtd` file. Next, it uploads the WAVE file, which triggers a request from the target to our local `evil.dtd` file and, in turn, a remote file inclusion; the included file is sent back encoded in the `p` parameter of the response route. The script then decodes and prints the file obtained through the XXE attack and saves it to the file system.
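From the defender's side, the upload described above is detectable before any parser ever touches it: a legitimate WAVE file carries audio data and, at most, plain metadata, so a DOCTYPE or entity declaration inside one of its chunks is a strong signal of an XXE payload. The following scanner is an added example, not part of this repository's code, that walks the RIFF chunks of a WAVE file and flags any embedded DTD declarations, optionally noting whether they reference an external resource (`SYSTEM`/`PUBLIC`). It assumes, as I understand getID3's WAV handling, that XML metadata lives in the file's `iXML` chunk; the scanner checks every non-audio chunk regardless, so that assumption only affects the constructed samples. All WAVE bytes are built inline, so it runs offline.

```python
import re
import struct
import sys
from typing import Iterator, List, Optional, Tuple

# Constructed sample metadata. The benign one is the kind of XML a recording
# tool writes; the hostile one carries a DOCTYPE with an external identifier,
# which ordinary audio metadata never contains. The host name is a placeholder.
BENIGN_IXML = b'<?xml version="1.0"?><BWFXML><PROJECT>demo</PROJECT></BWFXML>'
HOSTILE_IXML = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE r SYSTEM "http://dtd-host.invalid/x.dtd">'
    b"<r>x</r>"
)

# Declarations that should never appear in audio metadata.
DTD_DECL = re.compile(rb"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)
# External identifiers inside such a declaration (the part that reaches out).
EXTERNAL_ID = re.compile(rb"\b(SYSTEM|PUBLIC)\b\s*[\"']", re.IGNORECASE)

AUDIO_CHUNKS = (b"fmt ", b"data", b"fact")  # binary chunks, never parsed as XML


def build_wav(ixml: Optional[bytes]) -> bytes:
    """Build a minimal RIFF/WAVE container (constructed test input, not real audio)."""
    fmt = struct.pack("<HHIIHH", 1, 1, 8000, 16000, 2, 16)  # PCM, mono, 8 kHz, 16-bit
    chunks: List[Tuple[bytes, bytes]] = [(b"fmt ", fmt), (b"data", b"")]
    if ixml is not None:
        chunks.append((b"iXML", ixml))
    body = b"WAVE"
    for cid, payload in chunks:
        body += cid + struct.pack("<I", len(payload)) + payload
        if len(payload) % 2:
            body += b"\x00"  # RIFF chunks are padded to an even length
    return b"RIFF" + struct.pack("<I", len(body)) + body


def iter_chunks(data: bytes) -> Iterator[Tuple[bytes, bytes]]:
    """Yield (chunk_id, payload) for each top-level chunk; truncated tails are ignored."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"WAVE":
        return
    pos = 12
    while pos + 8 <= len(data):
        cid = data[pos:pos + 4]
        (size,) = struct.unpack("<I", data[pos + 4:pos + 8])
        yield cid, data[pos + 8:pos + 8 + size]
        pos += 8 + size + (size % 2)


def find_xxe_indicators(data: bytes) -> List[str]:
    """Return human-readable findings for a WAVE file; an empty list means nothing suspicious."""
    findings = []
    for cid, payload in iter_chunks(data):
        if cid in AUDIO_CHUNKS or b"<" not in payload:
            continue
        if DTD_DECL.search(payload):
            name = cid.decode("ascii", "replace")
            note = f"chunk {name!r}: DOCTYPE/ENTITY declaration"
            if EXTERNAL_ID.search(payload):
                note += " with external identifier (SYSTEM/PUBLIC)"
            findings.append(note)
    return findings


if __name__ == "__main__":
    # Scan the files given on the command line (e.g. a copy of wp-content/uploads);
    # with no arguments, scan the two constructed samples instead.
    if len(sys.argv) > 1:
        samples = [(p, open(p, "rb").read()) for p in sys.argv[1:]]
    else:
        samples = [("benign.wav", build_wav(BENIGN_IXML)),
                   ("hostile.wav", build_wav(HOSTILE_IXML))]
    for label, blob in samples:
        hits = find_xxe_indicators(blob)
        print(f"{label}: {'; '.join(hits) if hits else 'clean'}")
```

The check is deliberately cheap and format-aware rather than a blind string search over the whole file, so it can sit in an upload filter or a periodic sweep of the uploads directory without false positives on normal audio; anything it flags deserves a look at the web server's outbound connections around the upload time, since the XXE only has effect if the target reaches out for the DTD.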
- Remove duplicate file prints (due to the target making the request twice)
- Create a `js` script that can be put into the browser to retrieve all cookie parameters.
Please use this script only for testing and educational purposes and always obtain written permission before testing any exploit on any target.