Skip to content

b-abderrahmane/CVE-2021-29447-POC

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

16 Commits
README.md
README.md
 
 
colored_formatter.py
colored_formatter.py
 
 
generate_payloads.py
generate_payloads.py
 
 

Repository files navigation

CVE-2021-29447-POC

About

This script automates the required steps to exploit CVE-2021-29447 in the media upload funnctionality in Wordpress and use it to extract files vi an XXE.

Usage

 ./generate_payloads.py --help
usage: generate_payloads.py [-h] [--local-ip LOCAL_IP] [--local-port LOCAL_PORT] [--media-payload MEDIA_PAYLOAD] [--dtd-payload DTD_PAYLOAD]
                            [--files-to-fetch FILES_TO_FETCH [FILES_TO_FETCH ...]]

CVE-2021-29447 payload generator

options:
  -h, --help            show this help message and exit
  --local-ip LOCAL_IP   Local machine IP address
  --local-port LOCAL_PORT
                        Local machine port which will run an HTTP server to receive the exfiltrated files
  --media-payload MEDIA_PAYLOAD
                        Name of the .wav file containing the exploit to be generated
  --dtd-payload DTD_PAYLOAD
                        Name of the .dtd file containing the exploit to be generated
  --files-to-fetch FILES_TO_FETCH [FILES_TO_FETCH ...]

The script does the following:

  • First step: It generates a .wav payload you need to upload to the target server. You can use --media-payload to pass its name.
  • Second step: It generates a DTD document which will be server via an http server locally. You can use --dtd-payload to pass its name. This file will contain the absolute paths of the files you would like to extract from the target machine, you can specific a list of comma separated files via --files-to-fetch
  • Third step: It runs a simple Python HTTP server to which the .wav payload will connect back to both to fetch the second part of the payload (the DTD document) and to send the fetched files from the remote system.
  • Fourth step: If all of the files you specified exist on the remote filesystem, these files will be sent back to the HTTP server in a B64 encoded format, the script will then decode them and save them to your current working directory.

Disclaimer

This software has been created purely for the purposes of research and for the development of effective mitigation techniques, and is not intended to be used to attack systems except where explicitly authorized. Project maintainers are not responsible or liable for misuse of the software. Use responsibly.

About

No description, website, or topics provided.

Resources

Readme
Activity

Stars

1 star

Watchers

2 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages