WordPress - Authenticated XXE (CVE-2021-29447)

gwerneckp/CVE-2021-29447

CVE-2021-29447

Overview

This repository contains a Proof of Concept (PoC) script for exploiting an XML parsing issue in the ID3 audio parsing library used by WordPress. The vulnerability allows authenticated users to upload modified WAVE files that perform XML External Entity (XXE) attacks, which can lead to further Server-Side Request Forgery (SSRF) and Remote File Inclusion (RFI) attacks.

Requirements

  • Python 3
  • Node.js

Setup

Set up a virtual environment with virtualenv and manually install the dependencies from requirements.txt if you don't want this script polluting your global dependencies. Otherwise, run:

make

Usage

Run python3 exploit.py with the following arguments:

  • -u or --url: The target URL
  • -l or --lhost: The attacker's IP address
  • -p or --lport (default=8001): The attacker's port
  • -cH or --cookie-hash: The hash used in WordPress cookie names
  • -cW or --cookie-wordpress: The cookie of the WordPress session (wordpress_[hash])
  • -cL or --cookie-logged: The cookie of the logged-in session (wordpress_logged_in_[hash])
  • -n or --nonce: The nonce of the WordPress session
  • -pr or --proxy (default=None): The proxy to use (http://host:port)
  • -v or --verbose (default=False): Verbose mode
  • -nS or --not-save (default=False): Disable saving files to the file system

Additionally, certain parameters can be set in a .env file. It is not required, but it eliminates the need to enter a large number of parameters on the command line every time the script is executed. As an example, here's how I used this file to set up an attack against the Hack The Box box MetaTwo.

TARGET='http://metapress.htb/'
LHOST='10.10.16.6'
HASH='498b28797b9ccef61e19f54e27d9e6f4'
WORDPRESS_COOKIE='manager%7C1676155045%7CJoADxvLEt4V94OLBKuHwgbm9JAWQfKDIVgRQGlVItGN%7C5a74c25670b66477ddf27cb52415423fab52c9a9282004cf3174a9dcf1d65528'
WORDPRESS_LOGGED_IN_COOKIE='manager%7C1676155045%7CJoADxvLEt4V94OLBKuHwgbm9JAWQfKDIVgRQGlVItGN%7C3a7d916aa2ac358609d948a526e3a04a115e7fe257964d045b2334d061a53a8b'
NONCE='058a70707b'
LPORT='8001'

The script will first generate the malicious WAVE file.

It will then open an interactive prompt that asks for file paths and inserts them into the evil.dtd file. It then uploads the WAVE file, which triggers a request to our local evil.dtd file and, in turn, a remote file inclusion whose result is sent back encoded in the p parameter of the response route.

The script will then decode and print the file obtained from the XXE attack and save it to the file system.
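The flow above relies on the server parsing XML that was smuggled into a WAVE metadata chunk. As an added example (not part of this repository's code), here is a defender-side check an upload handler could run on incoming WAVE files before handing them to any metadata parser: it walks the RIFF chunk list and flags any chunk containing a DOCTYPE or ENTITY declaration, constructs that legitimate audio metadata never needs. The iXML chunk name and the two sample files are constructed for illustration and are assumptions, not material from the original page; the scanner inspects every chunk regardless of its name.

```python
"""Upload-side check for DTD markup hidden in RIFF/WAVE metadata chunks.

Added example, not code from the CVE-2021-29447 repository. It rejects any
WAVE upload whose chunks carry <!DOCTYPE or <!ENTITY declarations, i.e. the
XML constructs an XXE payload depends on, without needing to know the exact
payload shape. The chunk name 'iXML' is an assumption about where embedded
XML metadata usually lives; every chunk is scanned regardless.
"""
import re
import struct

# DTD constructs that have no business in audio metadata. Matching on these
# rather than on a specific payload catches variants we have not seen.
DTD_MARKERS = re.compile(rb"<!(?:DOCTYPE|ENTITY)\b", re.IGNORECASE)


def iter_riff_chunks(blob: bytes):
    """Yield (chunk_id, payload) for every chunk in a RIFF/WAVE blob.

    Raises ValueError on a bad header or a truncated chunk so that callers
    treat unparseable uploads as rejectable instead of silently passing them.
    """
    if len(blob) < 12 or blob[:4] != b"RIFF" or blob[8:12] != b"WAVE":
        raise ValueError("not a RIFF/WAVE file")
    pos = 12
    while pos + 8 <= len(blob):
        chunk_id = blob[pos:pos + 4]
        (size,) = struct.unpack("<I", blob[pos + 4:pos + 8])
        payload = blob[pos + 8:pos + 8 + size]
        if len(payload) != size:
            raise ValueError(f"truncated chunk {chunk_id!r}")
        yield chunk_id, payload
        pos += 8 + size + (size & 1)  # RIFF chunks are padded to even length


def scan_wave_for_dtd(blob: bytes) -> list:
    """Return the ids (as str) of chunks whose payload contains DTD markup.

    An empty list means no DOCTYPE/ENTITY declaration was found anywhere.
    """
    findings = []
    for chunk_id, payload in iter_riff_chunks(blob):
        if DTD_MARKERS.search(payload):
            findings.append(chunk_id.decode("ascii", "replace"))
    return findings


def _chunk(chunk_id: bytes, payload: bytes) -> bytes:
    """Encode one RIFF chunk, including the pad byte for odd-length payloads."""
    pad = b"\x00" if len(payload) & 1 else b""
    return chunk_id + struct.pack("<I", len(payload)) + payload + pad


def build_wave(extra_chunks=()) -> bytes:
    """Build a minimal 8-bit mono PCM WAVE (constructed test input, not real audio)."""
    fmt = struct.pack("<HHIIHH", 1, 1, 8000, 8000, 1, 8)
    chunks = [(b"fmt ", fmt), (b"data", bytes(16))] + list(extra_chunks)
    body = b"".join(_chunk(cid, payload) for cid, payload in chunks)
    return b"RIFF" + struct.pack("<I", 4 + len(body)) + b"WAVE" + body


# Constructed inputs: one file with ordinary XML metadata and one whose
# metadata chunk declares a DTD. The entity here is internal and harmless;
# the policy being enforced is "no DTD at all in uploaded audio metadata".
BENIGN_WAVE = build_wave([
    (b"iXML", b"<?xml version='1.0'?><BWFXML><IXML_VERSION>1.5</IXML_VERSION></BWFXML>"),
])
TAINTED_WAVE = build_wave([
    (b"iXML", b"<?xml version='1.0'?><!DOCTYPE x [<!ENTITY e 'harmless'>]><x>&e;</x>"),
])


if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_WAVE), ("tainted", TAINTED_WAVE)):
        print(f"{name}: flagged chunks = {scan_wave_for_dtd(blob)}")
```

In an upload handler you would call scan_wave_for_dtd on the raw bytes and reject the file when the list is non-empty or when a ValueError is raised; the parse error matters too, since a malformed chunk table should never reach the metadata parser either.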

To-do

  • Remove duplicate file prints (the target makes the request twice)
  • Create a JS script that can be run in the browser to retrieve all cookie parameters.

Note

Please use this script only for testing and educational purposes and always obtain written permission before testing any exploit on any target.