Recently tim thumb wordpress 0 day exploit is released by MaxE it caches even remote files locally, without doing any proper sanitization. The file “timthumb.php” does however, check if to see if the target file is actually an image or not. This timthumb file is also quite often renamed to something else and is used in many themes.
References:
Proof of Concept: http://www.exploit-db.com/exploits/17602/
TimThumbCraft: Download it here
Demo Video (LQ): http://www.youtube.com/watch?v=udyEOzHK08E
Demo Video (HQ): https://rapidshare.com/files/2016620847/timthumb.avi
Original Info: http://markmaunder.com/2011/zero-day-vulnerability-in-many-wordpress-themes/
Vulnerable Themes: http://blog.sucuri.net/2011/08/timthumb-security-vulnerability-list-of-themes-including-it.html
source: http://www.exploit-db.com/wordpress-timthumb-exploitation/
TimThumbCraft – Image Crafting Tool
The easiest way to trick TimThumb into believing a remotely stored image (that also contains evil PHP code) is an actual image, is to either craft it yourself or by using an external tool. Here is small tool for the job which also has a few encoding features, payload types, and of course, options for custom images.
Feature List:List known vulnerable themes
Choose between 2 images or select your own
Enter your own code or use the Reverse PHP Shell
Encode your PHP Payload, this applies only if “code” is chosen
Base64 and Hexadecimal encoding is currently supported
Hexadecimal output of the created file. (Can be used in paste’s, etc.)
MD5 calculation of filename, that the target server will most likely use
References:
Proof of Concept: http://www.exploit-db.com/exploits/17602/
TimThumbCraft: Download it here
Demo Video (LQ): http://www.youtube.com/watch?v=udyEOzHK08E
Demo Video (HQ): https://rapidshare.com/files/2016620847/timthumb.avi
Original Info: http://markmaunder.com/2011/zero-day-vulnerability-in-many-wordpress-themes/
Vulnerable Themes: http://blog.sucuri.net/2011/08/timthumb-security-vulnerability-list-of-themes-including-it.html
source: http://www.exploit-db.com/wordpress-timthumb-exploitation/
Subscribe To Our Articles
PLEASE HELP US SHARE THIS ARTICLE
1 comments:
It would be nice if we could use add_image_size in the same fashion, but that only impacts images uploaded after the fact… with the dynamic resizing we can set the sizes at any time….