garfield/wpscan
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix #506 - Timthumbs WebShot RCE detection

Browse Source
This commit is contained in:
erwanlr
2014-07-01 21:44:39 +02:00
parent f9b10dc9db
commit dd53c7b200
3 changed files with 52 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
lib/common/models/wp_timthumb/output.rb
View File

@@ -4,7 +4,10 @@ class WpTimthumb < WpItem
module Output module Output
def output(verbose = false) def output(verbose = false)
puts " | #{vulnerable? ? red('[!] Vulnerable') : green('[i] Not Vulnerable')} #{self}" puts
puts "#{green('[+]')} #{self}" #this will also output the version number if detected
vulnerabilities.output
end end
end end

50
lib/common/models/wp_timthumb/vulnerable.rb
View File

@@ -2,8 +2,54 @@
class WpTimthumb < WpItem class WpTimthumb < WpItem
module Vulnerable module Vulnerable
def vulnerable? # @return [ Vulnerabilities ]
VersionCompare.is_newer_or_same?(version, '1.34') def vulnerabilities
vulns = Vulnerabilities.new
[:check_rce_132, :check_rce_webshot].each do |method|
vuln = self.send(method)
vulns << vuln if vuln
end
vulns
end
def check_rce_132
return rce_132_vuln unless VersionCompare.is_newer_or_same?('1.34', version)
end
# Vulnerable versions : >= 2.0 and < 2.8.14
def check_rce_webshot
return if VersionCompare.is_newer_or_same?('2.8.14', version) || VersionCompare.is_newer_or_same?(version, '2.0')
response = Browser.get(uri.merge('?webshot=1&src=http://' + default_allowed_domains.sample))
return rce_webshot_vuln unless response.body =~ /WEBSHOT_ENABLED == true/
end
# @return [ Array<String> ] The default allowed domains (between the 2.0 and 2.8.13)
def default_allowed_domains
%w(flickr.com picasa.com img.youtube.com upload.wikimedia.org)
end
# @return [ Vulnerability ] The RCE in the <= 1.32
def rce_132_vuln
Vulnerability.new(
'Timthumb <= 1.32 Remote Code Execution',
'RCE',
{ exploitdb: ['17602'] },
'1.33'
)
end
# @return [ Vulnerability ] The RCE due to the WebShot in the <= 2.8.13
def rce_webshot_vuln
Vulnerability.new(
'Timthumb <= 2.8.13 WebShot Remote Code Execution',
'RCE',
{ url: ['http://seclists.org/fulldisclosure/2014/Jun/117'] },
'2.8.14'
)
end end
end end
end end

4
wpscan.rb
View File

@@ -283,12 +283,8 @@ def main
puts puts
if !wp_timthumbs.empty? if !wp_timthumbs.empty?
puts "#{green('[+]')} We found #{wp_timthumbs.size} timthumb file/s:" puts "#{green('[+]')} We found #{wp_timthumbs.size} timthumb file/s:"
puts
wp_timthumbs.output(wpscan_options.verbose) wp_timthumbs.output(wpscan_options.verbose)
puts
puts red(' * Reference: http://www.exploit-db.com/exploits/17602/')
else else
puts "#{green('[+]')} No timthumb files found" puts "#{green('[+]')} No timthumb files found"
end end