Class: WPScan::Model::Timthumb

Inherits:
InterestingFinding
Includes:
Vulnerable
Defined in:
app/models/timthumb.rb

Overview

Timthumb

Constant Summary

Constants included from Finders::Finding

Finders::Finding::FINDING_OPTS

Instance Attribute Summary

Attributes inherited from InterestingFinding

#to_s, #url

Instance Method Summary

Methods included from Vulnerable

#filtered_vulnerabilities, #vulnerability_filter, #vulnerable?

Methods inherited from InterestingFinding

#==, #entries, #type

Methods included from References

#cve_url, #cve_urls, #cves, #exploitdb_ids, #exploitdb_url, #exploitdb_urls, #msf_modules, #msf_url, #msf_urls, #packetstorm_ids, #packetstorm_url, #packetstorm_urls, #references, #references=, #references_urls, #securityfocus_ids, #securityfocus_url, #securityfocus_urls, #urls, #wpvulndb_ids, #wpvulndb_url, #wpvulndb_urls, #youtube_url, #youtube_urls

Methods included from Finders::Finding

#<=>, #confidence, #confidence=, #confirmed_by, #eql?, included, #interesting_entries, #parse_finding_options

Constructor Details

#initialize(url, opts = {}) ⇒ Timthumb

Returns a new instance of Timthumb.

Parameters:

  • url (String)
  • opts (Hash) (defaults to: {})

Options Hash (opts):

  • :mode (Symbol)

    The mode to use to detect the version



# File 'app/models/timthumb.rb', line 14

# Builds the finding and remembers the options used for later version detection.
#
# @param url [String] location of the timthumb script
# @param opts [Hash] finding options; forwarded unchanged to the parent constructor
# @option opts [Hash] :version_detection options kept for the version finder
#
# NOTE(review): the published option list for this constructor names only
# :mode, but the only key read here is :version_detection — confirm which
# one callers are expected to pass.
def initialize(url, opts = {})
  # Bare super forwards url and opts as received.
  super

  detection_opts = opts[:version_detection]
  @version_detection_opts = detection_opts || {}
end

Instance Attribute Details

#version_detection_opts ⇒ Object (readonly)

Returns the value of attribute version_detection_opts.



# File 'app/models/timthumb.rb', line 9

# Read-only access to the version detection options stored by the constructor.
#
# @return [Object] the stored value, or nil when it has never been assigned
def version_detection_opts
  instance_variable_get(:@version_detection_opts)
end

Instance Method Details

#default_allowed_domains ⇒ Array<String>

Returns the default allowed domains (for versions between 2.0 and 2.8.13).

Returns:

  • (Array<String>)

    The default allowed domains (for versions between 2.0 and 2.8.13)



# File 'app/models/timthumb.rb', line 70

# Hosts used as the src value when probing the script. A fresh array is
# built on every call, so callers may mutate the result safely.
#
# @return [Array<String>] the default allowed domains (between the 2.0 and 2.8.13)
def default_allowed_domains
  [
    'flickr.com',
    'picasa.com',
    'img.youtube.com',
    'upload.wikimedia.org'
  ]
end

#rce_132_vuln ⇒ Vulnerability

Returns the RCE vulnerability affecting versions <= 1.32.

Returns:



# File 'app/models/timthumb.rb', line 40

# Describes the remote code execution issue in timthumb 1.32 and earlier.
# The record carries an Exploit-DB reference and names 1.33 as the fixed
# release, i.e. the version to upgrade to.
#
# @return [Vulnerability] the RCE in the <= 1.32
def rce_132_vuln
  title      = 'Timthumb <= 1.32 Remote Code Execution'
  references = { exploitdb: ['17602'] }

  Vulnerability.new(title, references: references, type: 'RCE', fixed_in: '1.33')
end

#rce_webshot_vuln ⇒ Vulnerability

Returns the RCE vulnerability caused by the WebShot feature in versions > 1.35 (or >= 2.0) and <= 2.8.13.

Returns:

  • (Vulnerability)

    The RCE vulnerability caused by the WebShot feature in versions > 1.35 (or >= 2.0) and <= 2.8.13



# File 'app/models/timthumb.rb', line 50

# Describes the WebShot remote code execution issue (CVE-2014-4663) in
# timthumb up to 2.8.13. The record names 2.8.14 as the fixed release,
# i.e. the version to upgrade to.
#
# @return [Vulnerability] the RCE due to the WebShot in the > 1.35 (or >= 2.0) and <= 2.8.13
def rce_webshot_vuln
  advisory_urls = %w[
    http://seclists.org/fulldisclosure/2014/Jun/117
    https://github.com/wpscanteam/wpscan/issues/519
  ]
  references = { url: advisory_urls, cve: '2014-4663' }

  Vulnerability.new(
    'Timthumb <= 2.8.13 WebShot Remote Code Execution',
    references: references,
    type: 'RCE',
    fixed_in: '2.8.14'
  )
end

#version(opts = {}) ⇒ Model::Version, false

Parameters:

  • opts (Hash) (defaults to: {})

Returns:



# File 'app/models/timthumb.rb', line 23

# Detects the timthumb version once and caches the outcome.
#
# The stored constructor options are merged with opts, with opts winning
# on key conflicts. Any non-nil cached result is returned as is, including
# false, so opts passed on later calls are ignored and a failed detection
# is not retried.
#
# @param opts [Hash] per-call overrides for the version finder
# @return [Model::Version, false] the detected version, or false
#   (presumably when no version could be identified; the finder is not shown here)
def version(opts = {})
  return @version unless @version.nil?

  finder_opts = version_detection_opts.merge(opts)
  @version = Finders::TimthumbVersion::Base.find(self, finder_opts)
end

#vulnerabilities ⇒ Array<Vulnerability>

Returns:



# File 'app/models/timthumb.rb', line 30

# Lists the known issues that apply to this timthumb instance.
#
# When the version is false (not detected) both issues are reported and the
# WebShot probe is skipped, so an unidentified script is treated as
# potentially affected rather than as clean. Otherwise:
# * the WebShot RCE applies to versions > 1.35 and < 2.8.14, and only when
#   the live probe reports WebShot as enabled;
# * the older RCE applies to versions < 1.33.
#
# NOTE(review): the comparisons rely on the version object ordering itself
# against plain strings; that behaviour is defined outside this method.
#
# @return [Array<Vulnerability>] WebShot issue first, then the <= 1.32 issue
def vulnerabilities
  [].tap do |found|
    webshot_affected = version == false || (version > '1.35' && version < '2.8.14' && webshot_enabled?)
    found << rce_webshot_vuln if webshot_affected

    legacy_affected = version == false || version < '1.33'
    found << rce_132_vuln if legacy_affected
  end
end

#webshot_enabled? ⇒ Boolean

Returns:

  • (Boolean)


# File 'app/models/timthumb.rb', line 63

# Actively probes the script to decide whether the WebShot feature is on.
#
# Sends one GET request with webshot=1 and a src pointing at a randomly
# chosen default allowed domain, so the domain used can differ between runs.
#
# The literal 'WEBSHOT_ENABLED == true' in the body is read as proof that
# WebShot is off — presumably because timthumb's "webshot is disabled"
# error tells the admin to set that constant; confirm against the
# timthumb source.
#
# NOTE(review): any response lacking that text (error page, blocked request,
# empty body) is reported as enabled, and the status code is not checked.
# Treat a true result as an indicator to verify, not as confirmation.
#
# @return [Boolean] false when the marker text is present, true otherwise
def webshot_enabled?
  probe_params = { webshot: 1, src: "http://#{default_allowed_domains.sample}" }
  response = Browser.get(url, params: probe_params)

  return false if response.body.include?('WEBSHOT_ENABLED == true')

  true
end