Fix #506 - Timthumbs WebShot RCE detection

2014-07-01 21:44:39 +02:00
parent f9b10dc9db
commit dd53c7b200
3 changed files with 52 additions and 7 deletions
--- a/lib/common/models/wp_timthumb/output.rb
+++ b/lib/common/models/wp_timthumb/output.rb
@@ -4,7 +4,10 @@ class WpTimthumb < WpItem
  module Output

    def output(verbose = false)
-      puts " | #{vulnerable? ? red('[!] Vulnerable') : green('[i] Not Vulnerable')} #{self}"
+      puts
+      puts "#{green('[+]')} #{self}" #this will also output the version number if detected
+
+      vulnerabilities.output
    end

  end
--- a/lib/common/models/wp_timthumb/vulnerable.rb
+++ b/lib/common/models/wp_timthumb/vulnerable.rb
@@ -2,8 +2,54 @@

 class WpTimthumb < WpItem
  module Vulnerable
-    def vulnerable?
-      VersionCompare.is_newer_or_same?(version, '1.34')
+    # @return [ Vulnerabilities ]
+    def vulnerabilities
+      vulns = Vulnerabilities.new
+
+      [:check_rce_132, :check_rce_webshot].each do |method|
+        vuln = self.send(method)
+
+        vulns << vuln if vuln
+      end
+      vulns
+    end
+
+    def check_rce_132
+      return rce_132_vuln unless VersionCompare.is_newer_or_same?('1.34', version)
+    end
+
+    # Vulnerable versions : >= 2.0 and < 2.8.14
+    def check_rce_webshot
+      return if VersionCompare.is_newer_or_same?('2.8.14', version) || VersionCompare.is_newer_or_same?(version, '2.0')
+
+      response = Browser.get(uri.merge('?webshot=1&src=http://' + default_allowed_domains.sample))
+
+      return rce_webshot_vuln unless response.body =~ /WEBSHOT_ENABLED == true/
+    end
+
+    # @return [ Array<String> ] The default allowed domains (between the 2.0 and 2.8.13)
+    def default_allowed_domains
+      %w(flickr.com picasa.com img.youtube.com upload.wikimedia.org)
+    end
+
+    # @return [ Vulnerability ] The RCE in the <= 1.32
+    def rce_132_vuln
+      Vulnerability.new(
+        'Timthumb <= 1.32 Remote Code Execution',
+        'RCE',
+        { exploitdb: ['17602'] },
+        '1.33'
+      )
+    end
+
+    # @return [ Vulnerability ] The RCE due to the WebShot in the <= 2.8.13
+    def rce_webshot_vuln
+      Vulnerability.new(
+        'Timthumb <= 2.8.13 WebShot Remote Code Execution',
+        'RCE',
+        { url: ['http://seclists.org/fulldisclosure/2014/Jun/117'] },
+        '2.8.14'
+      )
    end
  end
 end
--- a/wpscan.rb
+++ b/wpscan.rb
@@ -283,12 +283,8 @@ def main
      puts
      if !wp_timthumbs.empty?
        puts "#{green('[+]')} We found #{wp_timthumbs.size} timthumb file/s:"
-        puts

        wp_timthumbs.output(wpscan_options.verbose)
-
-        puts
-        puts red(' * Reference: http://www.exploit-db.com/exploits/17602/')
      else
        puts "#{green('[+]')} No timthumb files found"
      end