From dd53c7b200dc12d3c0b7a3ba2b94e134cae13336 Mon Sep 17 00:00:00 2001
From: erwanlr
Date: Tue, 1 Jul 2014 21:44:39 +0200
Subject: [PATCH] Fix #506 - Timthumbs WebShot RCE detection
---
 lib/common/models/wp_timthumb/output.rb | 5 ++-
 lib/common/models/wp_timthumb/vulnerable.rb | 50 ++++++++++++++++++++-
 wpscan.rb | 4 --
 3 files changed, 52 insertions(+), 7 deletions(-)
diff --git a/lib/common/models/wp_timthumb/output.rb b/lib/common/models/wp_timthumb/output.rb
index 10e0a944..1dd0d388 100644
--- a/lib/common/models/wp_timthumb/output.rb
+++ b/lib/common/models/wp_timthumb/output.rb
@@ -4,7 +4,10 @@ class WpTimthumb < WpItem
 module Output
 def output(verbose = false)
- puts " | #{vulnerable? ? red('[!] Vulnerable') : green('[i] Not Vulnerable')} #{self}"
+ puts
+ puts "#{green('[+]')} #{self}" #this will also output the version number if detected
+
+ vulnerabilities.output
 end
 end
diff --git a/lib/common/models/wp_timthumb/vulnerable.rb b/lib/common/models/wp_timthumb/vulnerable.rb
index 18361639..b644836a 100644
--- a/lib/common/models/wp_timthumb/vulnerable.rb
+++ b/lib/common/models/wp_timthumb/vulnerable.rb
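Review bot: `vulnerabilities.output` turns `output` into an active check — `vulnerabilities` (defined in vulnerable.rb, outside this hunk) sends an HTTP probe to the target on every call, so printing a timthumb twice probes it twice, and nothing at this call site says so. A one-line comment above it, `# Active check: #vulnerabilities sends a WebShot probe to the target (see Vulnerable#check_rce_webshot)`, would stop the next reader from treating this as pure presentation; memoising the result in the model (`@vulnerabilities ||= ...`) is the cleaner fix but belongs in vulnerable.rb. Also, the trailing comment should read `# This will also output the version number if detected` (space after `#`), and `verbose` is still accepted but unused by the new body.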
@@ -2,8 +2,54 @@ class WpTimthumb < WpItem module Vulnerable - def vulnerable? - VersionCompare.is_newer_or_same?(version, '1.34') + # @return [ Vulnerabilities ] + def vulnerabilities + vulns = Vulnerabilities.new + + [:check_rce_132, :check_rce_webshot].each do |method| + vuln = self.send(method) + + vulns << vuln if vuln + end + vulns + end + + def check_rce_132 + return rce_132_vuln unless VersionCompare.is_newer_or_same?('1.34', version) + end + + # Vulnerable versions : >= 2.0 and < 2.8.14 + def check_rce_webshot + return if VersionCompare.is_newer_or_same?('2.8.14', version) || VersionCompare.is_newer_or_same?(version, '2.0') + + response = Browser.get(uri.merge('?webshot=1&src=http://' + default_allowed_domains.sample)) + + return rce_webshot_vuln unless response.body =~ /WEBSHOT_ENABLED == true/ + end + + # @return [ Array ] The default allowed domains (between the 2.0 and 2.8.13) + def default_allowed_domains + %w(flickr.com picasa.com img.youtube.com upload.wikimedia.org) + end + + # @return [ Vulnerability ] The RCE in the <= 1.32 + def rce_132_vuln + Vulnerability.new( + 'Timthumb <= 1.32 Remote Code Execution', + 'RCE', + { exploitdb: ['17602'] }, + '1.33' + ) + end + + # @return [ Vulnerability ] The RCE due to the WebShot in the <= 2.8.13 + def rce_webshot_vuln + Vulnerability.new( + 'Timthumb <= 2.8.13 WebShot Remote Code Execution', + 'RCE', + { url: ['http://seclists.org/fulldisclosure/2014/Jun/117'] }, + '2.8.14' + ) end end end diff --git a/wpscan.rb b/wpscan.rb index fd94fc01..3e426169 100755 --- a/wpscan.rb +++ b/wpscan.rb @@ -283,12 +283,8 @@ def main puts if !wp_timthumbs.empty? puts "#{green('[+]')} We found #{wp_timthumbs.size} timthumb file/s:" - puts wp_timthumbs.output(wpscan_options.verbose) - - puts - puts red(' * Reference: http://www.exploit-db.com/exploits/17602/') else puts "#{green('[+]')} No timthumb files found" end
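Review bot: `check_rce_webshot` reports the RCE on negative evidence alone: `return rce_webshot_vuln unless response.body =~ /WEBSHOT_ENABLED == true/` flags any response that lacks TimThumb's "webshots are disabled" notice, so a 404, a WAF block page, a 5xx or an empty body from a failed `Browser.get` all come back as `Timthumb <= 2.8.13 WebShot Remote Code Execution`. At minimum gate on the status first, `return unless response.code == 200`, and preferably require positive evidence such as an `image/*` Content-Type, which is what a successful webshot would be expected to serve. A comment above `Browser.get` should also state that on a vulnerable host this probe makes the target actually run its webshot against the sampled domain, so it is an active check with side effects on the target, not a passive version lookup. Separately, `check_rce_132` uses `'1.34'` as its boundary while `rce_132_vuln` declares `'1.33'` as the fixed version and titles the issue `<= 1.32`; if `is_newer_or_same?(a, b)` means `b >= a`, as the webshot bounds read, a detected 1.33 is reported vulnerable and exactly 2.0 is excluded from the webshot check despite its `>= 2.0` comment, so those boundaries should be reconciled.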