erwanlr
commented
10 years ago Hi, the detection for this one is already in WPScan: https://github.com/wpscanteam/wpscan/commit/dd53c7b200dc12d3c0b7a3ba2b94e134cae13336 (Some details can be found here: https://github.com/wpscanteam/wpscan/issues/506)
For the vuln, payloads from all the exploits / advisories I found are wrong. I was able to reproduce the exploit with the following payload:
http://wp.lab/wordpress-3.9.1/wp-content/timthumbs/2.8.13-ws-enabled.php?webshot=1&src=http://picasa.com/$(touch$IFS/tmp/file.txt)The major change from advisories is the value of the src param. It wasn't working with the same URL as the target, in fact you have to use an allowed site listed here (this might change depending on the version you are using): https://code.google.com/p/timthumb/source/browse/trunk/timthumb.php?r=219#131
Please also note that the path to the CutyCapt must be correct (I had to modify it in my Debian lab).
Furthermore, if you have some up to date timthumb locations, we would be interested :) (so far we have all those: https://github.com/wpscanteam/wpscan/blob/master/data/timthumbs.txt)
hexlax
I was not able to reproduce the latest Timthumb Vulnerability in lab while following the directions for enabling webshots.. Although the beta webshots feature is disabled by default and requires manual source building of CutyCapt on the server, preliminary searches of "(‘WEBSHOT_ENABLED’, true)" here on github did produce about five results.
Was anyone able to verify that this vuln exists for RCE? If so, is this on roadmap to include in future wpscan development?
Vuln announcements: http://cxsecurity.com/issue/WLB-2014060134 http://blog.sucuri.net/2014/06/timthumb-webshot-code-execution-exploit-0-day.html
Thanks for contributing to such a great tool!