Get your server issues fixed by our experts for a price starting at just 25 USD/Hour. Click here to register and open a ticket with us now!

Author Topic: ET CURRENT_EVENTS Wordpress timthumb look-alike domain list RFI  (Read 3048 times)

0 Members and 1 Guest are viewing this topic.


  • Guest
WordPress is one of the worlds biggest blogging platforms and can be easily extended with vulnerable add-ons to support a variety of functions – from CMS’s to stores and pretty much anything in between. Within some web applications, themes may contain variables that refer to dynamic elements while in others, like WordPress, insecure PHP files used for caching and resizing images are surprisingly quite common.

So what’s all the fuss about? Recently, an 0day was discovered in a project called “TimThumb” which essentially, caches even remote files locally, without doing any proper sanitization. The file “timthumb.php” does however, check if to see if the target file is actually an image or not. This timthumb file is also quite often renamed to something else and is used in many themes.

TimThumbCraft – Image Crafting Tool

The easiest way to trick TimThumb into believing a remotely stored image (that also contains evil PHP code) is an actual image, is to either craft it yourself or by using an external tool. In this case, I decided to write a small tool for the job which also has a few encoding features, payload types, and of course, options for custom images.

Using the tool is pretty straight forward and intuitive. But what are its complete features?

List known vulnerable themes
Choose between 2 images or select your own
Enter your own code or use the Reverse PHP Shell
Encode your PHP Payload, this applies only if “code” is chosen
Base64 and Hexadecimal encoding is currently supported
Hexadecimal output of the created file. (Can be used in paste’s, etc.)
MD5 calculation of filename, that the target server will most likely use

It doesn’t work when you tried, why?

If the src field on the target server doesn’t require Base64-encoded strings as some do, the issue is most likely because the evil domain you created isn’t readable by the web server or because it isn’t in the list of allowed domains contained within the timthumb.php file. From version to version, this appears to have changed but in version 1.32, was a valid domain.

Q: What should the created subdomain look like?

Simply enough, you need to test in your web browser that you can access your subdomain and of course, upload the image file which you created with TimThumbCraft. If your image is displayed when you perform the call to the timthumb.php file on the target server, you may have to press CTRL+F5 in your browser as it may be the case that the image is locally cached.

Another very important thing is that it’s very easy to change the cache directory so in some cases, the cache directory on the target may not be named “cache”. Last but not least, from version to version, strings may be prepended to the file that you forced the target server to cache locally. Tested 1.33 in which the original researcher reported a vulnerability, it seemed like it created files without any extension. Therefore, So it was exploitable.

What can you do with eval()? Seriously

If you know PHP, you’re aware that you can do anything that the all-too-common malicious PHP shells can do. If you want to load a remote shell and allow_url_include is enabled within php.ini, use: include(“full url here”); and simply hit enter. Many RFI and LFI vulnerabilities are related to dynamic use of the include(); function in PHP.

Is there a patch for this vulnerability?

The latest version is secure from this vulnerability

Detecting the vulnerability

Be sure that you’re in the www / document root of your web server as you may not know where any timthumb files are located and what they’re named. Hence the reason it’s a very bad idea to just search for “timthumb.php” as a lot of researchers recommended.