Wednesday, August 3, 2011

WordPress TimThumb Plugin - Remote Code Execution

This plugin has a lot of variants. In the advisory made by MaXe, a temp folder is not found, but I found a lot of themes that include a temp folder that can be exploited this way:

Example: I first crafted a file that contains:


Edit: MaXe reported that I have trash in the output because my payload doesn't follow JPEG standards.

(A black dot in a GIF File + phpinfo();

Here I am uploading the file with the vulnerability:

Cache folder has our file:

Executing the script:

# Exploit Title: WordPress TimThumb Plugin - Remote Code Execution
# Google Dork: inurl:timthumb ext:php
# Date: 3rd August 2011
# Author: MaXe
# Software Link:
# Version: 1.32
# Screenshot: See attachment
# Tested on: Windows XP + Apache + PHP (XAMPP)

WordPress TimThumb (Theme) Plugin - Remote Code Execution

Versions Affected:
1.* - 1.32 (Only version 1.19 and 1.32 were tested.)
(Version 1.33 did not save the cache file as .php)

Info: (See references for original advisory)
TimThumb is an image resizing utility, widely used in many WordPress themes.

External Links:

- Mark Maunder (Original Researcher)
- MaXe (Indepedendent Proof of Concept Writer)

-:: The Advisory ::-
TimThumb is prone to a Remote Code Execution vulnerability, due to the
script does not check remotely cached files properly. By crafting a
special image file with a valid MIME-type, and appending a PHP file at
the end of this, it is possible to fool TimThumb into believing that it
is a legitimate image, thus caching it locally in the cache directory.

Attack URL: (Note! Some websites uses Base64 Encoding of the src GET-request.)

Stored file on the Target: (This can change from host to host.)
md5($src); means the input value of the 'src' GET-request - Hashed in MD5 format.

Proof of Concept File:

(Transparent GIF +

-:: Solution ::-
Update to the latest version 1.34 or delete the timthumb file.

NOTE: This file is often renamed and you should therefore issue
a command like this in a terminal: (Thanks to rAWjAW for this info.)
find . | grep php | xargs grep -s timthumb

Disclosure Information:
- Vulnerability Disclosed (Mark Maunder): 1st August 2011
- Vulnerability Researched (MaXe): 2nd August 2011
- Disclosed at The Exploit Database: 3rd August 2011

Thursday, May 5, 2011

Huawei HG520 - Obtención de contraseña de administrador de forma remota

Los módems Huawei HG520 de Telmex por default utilizan para la cuenta de administración:

Usuario: TELMEX
Contraseña: WEP Key default del equipo.

A partir del SSID se puede obtener las posibles WEP Key.

Hemos generado un script ( que nos permite generar una rainbow table con el SSID y WEP Key correspondientes de 3 OUI de Huawei (001E10, 002568 y 6416F0) [Cabe destacar que esto no hubiera sido posible sin el trabajo de: -]

Al obtener el prefijo del SSID lo introducimos al script “” que consulta la base de datos previamente generada y nos escribe el archivo “words.txt” con una lista de 768 posibles WEP Keys el cual se puede utilizar con herramientas como Brutus para realizar un ataque diccionario.

Se obtienen 768 posibles WEP Keys porque en cada OUI se repite el mismo SSID 256 veces, dando así 256 posibilidades de WEP Keys, como hemos procesado 3 OUI distintos 256 * 3 = 768

Ejemplo del ataque:

Para obtener el SSID de un modem remoto por medio de la interfaz web sin estar autenticado utilizaremos la vulnerabilidad “HUAWEI ECHOLIFE HG520c Revelación de Información” publicada por HKM que consiste en abrir la página:
http://<ip remota>/Listadeparametros.html


Introducimos el SSID obtenido a

Python Script

Configuramos Brutus con esta lista de contraseñas y con el usuario “TELMEX”.



Rainbowtable generada:

Part 1
Part 2
Part 3
Part 4
Part 5

Obtaining administrator account credentials of Huawei HG520C

Huawei HG520 Telmex modems use by default this account:

Password: WEP Key default of the equipment

The possible WEP keys can be obtained by its SSID.

We have generated a script ( that allows us generate a rainbow table with the SSID and corresponding WEP Key of 3 Huawei OUI (001E10, 002568 y 6416F0) [This would not have been possible without the work of: -]

The obtained SSID is then introduced to “” which queries the previously generated database and writes a file (words.txt) with the list of 768 possible WEP Keys (words.txt) that can be introduced to tools like Brutus to make a dictionary attack.

768 possible WEP Keys are obtained because in each OUI the same SSID is repeated 256.
Thus, 256 WEP Keys * 3 OUIs = 768 WEP Keys

Example of the attack:

To obtain the SSID from a remote modem we will use the vulnerability “HUAWEI ECHOLIFE HG520C Revelation of Information” published by HKM that consists on opening the page:
http://<REMOTE IP>/Listadeparametros.html


Then we introduce the obtained SSID to

Python Script

We configure Brutus with this list of passwords with the user “TELMEX”.



Generated rainbowtable:

Part 1
Part 2
Part 3
Part 4
Part 5