## https://sploitus.com/exploit?id=206BA272-070A-56FA-922D-97480B98FBB6
# CVE-2021-29447-POC

## About

This script automates the steps required to exploit [CVE-2021-29447](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29447) in the media upload functionality in WordPress and use it to extract files via an XXE.

## Usage

```
 ./generate_payloads.py --help
usage: generate_payloads.py [-h] [--local-ip LOCAL_IP] [--local-port LOCAL_PORT] [--media-payload MEDIA_PAYLOAD] [--dtd-payload DTD_PAYLOAD]
                            [--files-to-fetch FILES_TO_FETCH [FILES_TO_FETCH ...]]

CVE-2021-29447 payload generator

options:
  -h, --help            show this help message and exit
  --local-ip LOCAL_IP   Local machine IP address
  --local-port LOCAL_PORT
                        Local machine port which will run an HTTP server to receive the exfiltrated files
  --media-payload MEDIA_PAYLOAD
                        Name of the .wav file containing the exploit to be generated
  --dtd-payload DTD_PAYLOAD
                        Name of the .dtd file containing the exploit to be generated
  --files-to-fetch FILES_TO_FETCH [FILES_TO_FETCH ...]
```

The script does the following:

- First step: It generates a .wav payload you need to upload to the target server. You can use `--media-payload` to pass its name.
- Second step: It generates a DTD document which will be served via a local HTTP server. You can use `--dtd-payload` to pass its name. This file will contain the absolute paths of the files you would like to extract from the target machine; you can specify a list of comma-separated files via `--files-to-fetch`.
- Third step: It runs a simple Python HTTP server to which the `.wav` payload will connect back, both to fetch the second part of the payload (the DTD document) and to send the fetched files from the remote system.
- Fourth step: If all of the files you specified exist on the remote filesystem, they will be sent back to the HTTP server Base64-encoded; the script will then decode them and save them to your current working directory.
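For defenders, the `.wav` upload in the first step is the point where this can be caught. The following is an added example, not part of this project's code: an upload-side check that walks the RIFF chunks of a WAV file and flags any non-audio chunk carrying a DTD declaration. The page does not say which chunk holds the XML, so the scanner checks all of them; the `iXML` chunk name and both sample files are constructed for illustration.

```python
import struct

# Markers of a DTD declaration; audio metadata has no legitimate need for them.
DTD_MARKERS = (b"<!doctype", b"<!entity")


def riff_chunks(blob):
    """Yield (chunk_id, payload) for each top-level chunk of a RIFF/WAVE file."""
    if len(blob) < 12 or blob[:4] != b"RIFF" or blob[8:12] != b"WAVE":
        raise ValueError("not a RIFF/WAVE file")
    pos = 12
    while pos + 8 <= len(blob):
        chunk_id = blob[pos:pos + 4]
        (size,) = struct.unpack_from("<I", blob, pos + 4)
        # Slicing clamps to the bytes present, so an oversized length field is harmless.
        yield chunk_id, blob[pos + 8:pos + 8 + size]
        pos += 8 + size + (size & 1)  # chunks are padded to an even length


def suspicious_chunks(blob):
    """Return the ids of non-audio chunks that contain a DTD declaration."""
    hits = []
    for chunk_id, payload in riff_chunks(blob):
        if chunk_id == b"data":  # raw samples, never parsed as XML
            continue
        # Drop NUL bytes so UTF-16 encoded XML still matches the ASCII markers.
        text = payload.replace(b"\x00", b"").lower()
        if any(marker in text for marker in DTD_MARKERS):
            hits.append(chunk_id.decode("latin-1"))
    return hits


def build_wav(metadata_xml):
    """Constructed sample: minimal WAV with an 'iXML' metadata chunk (assumed name)."""
    def chunk(cid, body):
        return cid + struct.pack("<I", len(body)) + body + b"\x00" * (len(body) & 1)
    fmt = struct.pack("<HHIIHH", 1, 1, 8000, 8000, 1, 8)
    body = b"WAVE" + chunk(b"fmt ", fmt) + chunk(b"iXML", metadata_xml) + chunk(b"data", b"\x80" * 4)
    return b"RIFF" + struct.pack("<I", len(body)) + body


# Constructed inputs: ordinary metadata, and metadata with an inert DOCTYPE.
CLEAN = build_wav(b"<BWFXML><PROJECT>demo</PROJECT></BWFXML>")
FLAGGED = build_wav(b'<?xml version="1.0"?><!DOCTYPE sample><BWFXML/>')

if __name__ == "__main__":
    for name, blob in (("clean.wav", CLEAN), ("flagged.wav", FLAGGED)):
        print(name, suspicious_chunks(blob) or "ok")
```

A check like this is a triage control for uploads and stored media; it complements, and does not replace, patching the affected WordPress installation.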

## Disclaimer

This software has been created purely for the purposes of research and for the development of effective mitigation techniques, and is not intended to be used to attack systems except where explicitly authorized. Project maintainers are not responsible or liable for misuse of the software. Use responsibly.