Wordpress Timthumb Scanner

Subyek: Wordpress Timthumb Scanner Tue Feb 21, 2012 9:26 pm

Bicara soal wordpress sapa sih yang gak kenal ini cms.. tapi disini saya bahas tentang bugnya pada timthumb..
hmmm.. apa sih itu timthumb... ?
Timthumb menurut saya sebuah kode php untuk me-resize ukuran gambar seperti gambar. Tapi di balik fungsi itu terdapat bug untuk upload file secara remote.
cara exploitnya laen kali aja dibahas ya ??
Atau mungkin agan-agan disini udah tau cara exploitnya.
Disini saya masih menggunakan perl.
ini scriptnya :

Code:: #!/usr/bin/perl -X
system ('clear');
print q(
___________.__ ___________.__ ___.
\__ ___/|__| ____\__ ___/| |__ __ __ _____\_ |__
| | | |/ \| | | | \| | \/ \| __ \
| | | | Y Y \ | | Y \ | / Y Y \ \_\ \
|____| |__|__|_| /____| |___| /____/|__|_| /___ /
\/ \/ \/ \/ Wordpress
http://black-c0de.org
<<----------------------------------------------------------------->>
Coded By Voldemort
<<----------------------------------------------------------------->>

);
my $target="";
if ($#ARGV >= 0 ) {
$target = $ARGV[0];chomp($target)
}
else
{
print "URL Target (Wordpress Path) ex: http://site.com\/blog/ => ";
$target = <STDIN>;chomp($target);
}
use HTTP::Request;
use HTTP::Request::Common;
use HTTP::Request::Common qw(POST);
use LWP::Simple;
use LWP 5.53;
use LWP::UserAgent;
use MIME::Base64;
my $dftr = 'tim.txt';
if (-e $dftr){
print "Database Exist..\n";
sleep(2);
print "Launch Now\n\n";
}
else
{
print "Database Not Exist..\n";
sleep(1);
print "Downloading database...\n";
system(decode_base64("d2dldCAtbyBsb2cgaHR0cDovL21hdHVyenlzY2kuY29tLnBsL19fbWF0dXJhMjAxMi90aW0gLU8gdGltLnR4dDtybSAtcmYgbG9n"));
print "Downloading Success...\nLaunch Now\n\n";
}
print "Waiting a few minute for searching vulnerable your target ($target)....!!!\n";
my $uagent = "Mozilla/5.0 (X11; Linux i686; rv:9.0.1) Gecko/20100101 Firefox/9.0.1";

my $jml=0;
open (data, "tim.txt");
@wordlist=<data>;
close data;
my $byk = scalar(@wordlist);
foreach (@wordlist) {
my $hsl= &get_content($target.$_);
if ($hsl =~ /TimThumb version/i) {
print "Your Can Exploit --> $target$_";
$jml=$jml+1;
}
}

if ($jml == 0){
print "Not Found TimThum\nThanks For Use My Script\nHappy Hacking\n";
}
else {
print "Found $jml TimThumb Exploit is --> http://www.exploit-db.com\/exploits\/17602/\n";
print "Thanks For Use My Script\nHappy Hacking\n";
}

sub get_content() {
my $url = $_[0];
my $ua = LWP::UserAgent->new(agent => $uagent);
$ua->timeout(7);
my $req = HTTP::Request->new(GET => $url);
my $res = $ua->request($req);
return $res->content;
}

Cara gunakannya :

root@voldemort:~# chmod +x <nama file>
ex :
root@voldemort:~# chmod +x timthumb.pl
root@voldemort:~# ./<namafile>
ex :
root@voldemort:~# ./timthumb.pl

[*]Input target. ex : [You must be registered and logged in to see this link.] (sesuaikan path blognya dan diakhiri tanda "/")

silakan di coba om, semoga bermanfaat.

Subyek: Re: Wordpress Timthumb Scanner Wed Feb 22, 2012 9:40 am

manteb script ny om,,
om,, ad subdomain bwt exploit ny ga???

Subyek: Re: Wordpress Timthumb Scanner Wed Feb 22, 2012 9:41 am

manteb script ny om,,
om,, ad subdomain bwt exploit ny ga???

» WordPress TimThumb Exploitation
» wordpress timthumb vulneralibility
» WordPress TimThumb Plugin - Remote Code Execution
» WordPress Security Vulnerability Scanner
» Bug Dork Timthumb