Module: WpTimthumb::Vulnerable

Included in:
WpTimthumb
Defined in:
lib/common/models/wp_timthumb/vulnerable.rb


Instance Method Details

#check_rce_132 ⇒ Object


17
18
19
# File 'lib/common/models/wp_timthumb/vulnerable.rb', line 17

# Checks for the pre-1.33 remote code execution issue from the detected
# version alone; this method itself sends no request to the target.
#
# NOTE(review): the argument order suggests lesser_or_equal?(a, b) means
# a <= b, so the finding is suppressed from 1.33 onwards - confirm against
# VersionCompare. How an undetected (nil) version is treated also depends on
# that helper, so verify whether an unknown version is reported as vulnerable.
#
# @return [Vulnerability, nil] the finding, or nil when the version is fixed
def check_rce_132
  fixed = VersionCompare.lesser_or_equal?('1.33', version)
  fixed ? nil : rce_132_vuln
end

#check_rce_webshot ⇒ Object

Vulnerable versions : > 1.35 (or >= 2.0) and < 2.8.14


# File 'lib/common/models/wp_timthumb/vulnerable.rb', line 22

# Active check for the WebShot remote code execution issue.
#
# Versions outside the affected window are skipped without any request.
# Otherwise a webshot is requested for one of the default allowed domains
# and the finding is returned unless the response body contains the
# WEBSHOT_ENABLED marker.
#
# NOTE(review): presumably the marker comes from TimThumb's "webshots are
# disabled" message - confirm. As written, any response without the marker
# (error page, blocked or redirected request, empty body) is reported as
# vulnerable, so a finding should be treated as "not proven disabled"
# rather than confirmed. Checking the response status before concluding
# would reduce false positives.
#
# @return [Vulnerability, nil] the finding, or nil when not applicable
def check_rce_webshot
  # Same short-circuit order as a single `||` guard: fixed first, then too old.
  return if VersionCompare.lesser_or_equal?('2.8.14', version)
  return if VersionCompare.lesser_or_equal?(version, '1.35')

  # The domain is picked at random, so the probed URL can differ between runs.
  probe_host = default_allowed_domains.sample
  probe_uri  = uri.merge('?webshot=1&src=http://' + probe_host)
  response   = Browser.get(probe_uri)

  marker_seen = response.body =~ /WEBSHOT_ENABLED == true/
  marker_seen ? nil : rce_webshot_vuln
end

#default_allowed_domains ⇒ Array<String>

Returns the default allowed domains (for versions 2.0 through 2.8.13).

Returns:

  • (Array<String>)

    The default allowed domains (between the 2.0 and 2.8.13)


# File 'lib/common/models/wp_timthumb/vulnerable.rb', line 31

# Hosts used as the `src` target of the WebShot probe. Per the method's
# description these are the default allowed domains between 2.0 and 2.8.13.
# A fresh array is built on every call.
#
# @return [Array<String>] the default allowed domains
def default_allowed_domains
  [
    'flickr.com',
    'picasa.com',
    'img.youtube.com',
    'upload.wikimedia.org'
  ]
end

#rce_132_vuln ⇒ Vulnerability

Returns the RCE vulnerability affecting versions <= 1.32.

Returns:


# File 'lib/common/models/wp_timthumb/vulnerable.rb', line 36

# Builds the finding record for the remote code execution issue in
# TimThumb <= 1.32.
#
# NOTE(review): the meaning of each positional argument is defined by
# Vulnerability#initialize, which is not shown here; the last value looks
# like the first fixed version - confirm.
#
# @return [Vulnerability]
def rce_132_vuln
  title      = 'Timthumb <= 1.32 Remote Code Execution'
  references = { exploitdb: ['17602'] }

  Vulnerability.new(title, 'RCE', references, '1.33')
end

#rce_webshot_vuln ⇒ Vulnerability

Returns the RCE vulnerability caused by WebShot in versions <= 2.8.13.

Returns:

  • (Vulnerability)

    The RCE due to the WebShot in the <= 2.8.13


# File 'lib/common/models/wp_timthumb/vulnerable.rb', line 46

# Builds the finding record for the WebShot remote code execution issue in
# TimThumb <= 2.8.13, referencing the public advisory URL.
#
# NOTE(review): the meaning of each positional argument is defined by
# Vulnerability#initialize, which is not shown here; the last value looks
# like the first fixed version - confirm.
#
# @return [Vulnerability]
def rce_webshot_vuln
  title      = 'Timthumb <= 2.8.13 WebShot Remote Code Execution'
  references = { url: ['http://seclists.org/fulldisclosure/2014/Jun/117'] }

  Vulnerability.new(title, 'RCE', references, '2.8.14')
end

#vulnerabilities ⇒ Vulnerabilities

Returns:


# File 'lib/common/models/wp_timthumb/vulnerable.rb', line 6

# Runs every check in order and collects the findings they report.
#
# The check names are a fixed list defined here, so the dynamic `send`
# never dispatches on external input. A check that returns nil (or false)
# contributes nothing.
#
# @return [Vulnerabilities] the findings, possibly empty
def vulnerabilities
  found = Vulnerabilities.new

  [:check_rce_132, :check_rce_webshot].each do |check|
    finding = send(check)
    next unless finding

    found << finding
  end

  found
end