Skip to content

Instantly share code, notes, and snippets.

@lc-at

lc-at/timthumb.php

Created January 7, 2018 16:30
Show Gist options
  • Save lc-at/a2271a2a038a3a195c87881765a61b81 to your computer and use it in GitHub Desktop.
Save lc-at/a2271a2a038a3a195c87881765a61b81 to your computer and use it in GitHub Desktop.
Download ZIP
WordPress TimThumb Finder
Raw
timthumb.php
<html>
<title>WordPress TimThumb Finder</title>
<?php
/*
* WordPress TimThumb Finder
* Author : P4kL0nc4t
* Date : 07/01/2018
* Adapted from Wordpress TimThumb Finder v1.0 by Rafay Baloch (Python) -> https://dl.packetstormsecurity.net/UNIX/scanners/wptimthumb-scanner.txt
*/
if(isset($_REQUEST['url'])) {
$payload = array(
'/timthumb.php',
'/wp-content/plugins/cac-featured-content/timthumb.php?src=../../../',
'/wp-content/plugins/category-grid-view-gallery/includes/timthumb.php?src=../../../',
'/wp-content/plugins/category-list-portfolio-page/scripts/timthumb.php?src=../../../',
'/wp-content/plugins/cms-pack/timthumb.php?src=../../../',
'/wp-content/plugins/dp-thumbnail/timthumb/timthumb.php?src=../../../',
'/wp-content/plugins/extend-wordpress/helpers/timthumb/image.php?src=../../../',
'/wp-content/plugins/islidex/js/timthumb.php?src=../../../',
'/wp-content/themes/vulcan/timthumb.php?src=../../../',
'/wp-content/plugins/kino-gallery/timthumb.php?src=../../../',
'/wp-content/themes/orangemantra/functions/thumb.php?src=../../../../',
'/wp-content/plugins/lisl-last-image-slider/timthumb.php?src=../../../',
'/wp-content/plugins/really-easy-slider/inc/thumb.php?src=../../../',
'/wp-content/plugins/rent-a-car/libs/timthumb.php?src=../../../',
'/wp-content/plugins/verve-meta-boxes/tools/timthumb.php?src=../../../',
'/wp-content/plugins/vk-gallery/lib/timthumb.php?src=../../../',
'/wp-content/plugins/wp-marketplace/libs/timthumb.php?src=../../../',
'/wp-content/themes/13Floor/timthumb.php?src=../../../',
'/wp-content/themes/advanced-newspaper/timthumb.php?src=../../../',
'/wp-content/themes/Aggregate/thumb.php?src=../../../',
'/wp-content/themes/Aggregate/timthumb.php?src=../../../',
'/wp-content/themes/AmphionPro/script/timthumb.php?src=../../../',
'/wp-content/themes/aperture/thumb.php?src=../../../',
'/wp-content/themes/aperture/timthumb.php?src=../../../',
'/wp-content/themes/arras/library/timthumb.php?src=../../../',
'/wp-content/themes/arras-theme/library/timthumb.php?src=../../../',
'/wp-content/themes/Avenue/timthumb.php?src=../../../',
'/wp-content/themes/backstage/thumb.php?src=../../../',
'/wp-content/themes/backstage/timthumb.php?src=../../../',
'/wp-content/themes/Basic/timthumb.php?src=../../../',
'/wp-content/themes/biznizz/thumb.php?src=../../../',
'/wp-content/themes/biznizz/timthumb.php?src=../../../',
'/wp-content/themes/Bold/timthumb.php?src=../../../',
'/wp-content/themes/boldnews/thumb.php?src=../../../',
'/wp-content/themes/boldnews/timthumb.php?src=../../../',
'/wp-content/themes/broadcast/thumb.php?src=../../../',
'/wp-content/themes/bt/includes/timthumb.php?src=../../../',
'/wp-content/themes/bueno/thumb.php?src=../../../',
'/wp-content/themes/bueno/timthumb.php?src=../../../',
'/wp-content/themes/busybee/thumb.php?src=../../../',
'/wp-content/themes/busybee/timthumb.php?src=../../../',
'/wp-content/themes/c3/thumb.php?src=../../../',
'/wp-content/themes/cadabrapress/scripts/timthumb.php?src=../../../',
'/wp-content/themes/canvas/thumb.php?src=../../../',
'/wp-content/themes/canvas/timthumb.php?src=../../../',
'/wp-content/themes/CFWProfessional/timthumb.php?src=../../../',
'/wp-content/themes/Chameleon/timthumb.php?src=../../../',
'/wp-content/themes/city/scripts/timthumb.php?src=../../../',
'/wp-content/themes/cityguide/timthumb.php?src=../../../',
'/wp-content/themes/coda/thumb.php?src=../../../',
'/wp-content/themes/coffeebreak/thumb.php?src=../../../',
'/wp-content/themes/coffeebreak/timthumb.php?src=../../../',
'/wp-content/themes/coffeedesk/includes/timthumb.php?src=../../../',
'/wp-content/themes/comfy%20pro/thumb.php?src=../../../',
'/wp-content/themes/continuum/thumb.php?src=../../../',
'/wp-content/themes/continuum/timthumb.php?src=../../../',
'/wp-content/themes/crisp/thumb.php?src=../../../',
'/wp-content/themes/crisp/timthumb.php?src=../../../',
'/wp-content/themes/cruz/scripts/timthumb.php?src=../../../',
'/wp-content/themes/dailyedition/thumb.php?src=../../../',
'/wp-content/themes/dandelion_v2.6.1/functions/timthumb.php?src=../../../',
'/wp-content/themes/dandelion_v2.6.3/functions/timthumb.php?src=../../../',
'/wp-content/themes/dandelion_v2.6.4/functions/timthumb.php?src=../../../',
'/wp-content/themes/dcric/scripts/timthumb.php?src=../../../',
'/wp-content/themes/DeepBlue/timthumb.php?src=../../../',
'/wp-content/themes/deep-blue/timthumb.php?src=../../../',
'/wp-content/themes/DeepFocus/thumb.php?src=../../../',
'/wp-content/themes/DeepFocus/timthumb.php?src=../../../',
'/wp-content/themes/delegate/thumb.php?src=../../../',
'/wp-content/themes/delegate/timthumb.php?src=../../../',
'/wp-content/themes/delicate/thumb.php?src=../../../',
'/wp-content/themes/delicate/timthumb.php?src=../../../',
'/wp-content/themes/DelicateNews/timthumb.php?src=../../../',
'/wp-content/themes/deliciousmagazine/thumb.php?src=../../../',
'/wp-content/themes/deliciousmagazine/timthumb.php?src=../../../',
'/wp-content/themes/delight/scripts/timthumb.php?src=../../../',
'/wp-content/themes/develop/thumb.php?src=../../../',
'/wp-content/themes/diarise/thumb.php?src=../../../',
'/wp-content/themes/digitalfarm/thumb.php?src=../../../',
'/wp-content/themes/directory/timthumb.php?src=../../../',
'/wp-content/themes/dualshockers2/thumb.php?src=../../../',
'/wp-content/themes/duotive-three/includes/timthumb.php?src=../../../',
'/wp-content/themes/EarthlyTouch/timthumb.php?src=../../../',
'/wp-content/themes/eBusiness/timthumb.php?src=../../../',
'/wp-content/themes/ecobiz/timthumb.php?src=../../../',
'/wp-content/themes/editorial/thumb.php?src=../../../',
'/wp-content/themes/ElegantEstate/thumb.php?src=../../../',
'/wp-content/themes/ElegantEstate/timthumb.php?src=../../../',
'/wp-content/themes/eNews/thumb.php?src=../../../',
'/wp-content/themes/eNews/timthumb.php?src=../../../',
'/wp-content/themes/envision/thumb.php?src=../../../',
'/wp-content/themes/ephoto/thumb.php?src=../../../',
'/wp-content/themes/ePhoto/timthumb.php?src=../../../',
'/wp-content/themes/equator/timthumb.php?src=../../../',
'/wp-content/themes/eStore/timthumb.php?src=../../../',
'/wp-content/themes/Event/timthumb.php?src=../../../',
'/wp-content/themes/Feather/timthumb.php?src=../../../',
'/wp-content/themes/flashnews/thumb.php?src=../../../',
'/wp-content/themes/freshnews/thumb.php?src=../../../',
'/wp-content/themes/G6Feature/includes/thumb.php?src=../../../',
'/wp-content/themes/gallant/thumb.php?src=../../../',
'/wp-content/themes/gazette/thumb.php?src=../../../',
'/wp-content/themes/gazette/timthumb.php?src=../../../',
'/wp-content/themes/Glow/timthumb.php?src=../../../',
'/wp-content/themes/GrungeMag/timthumb.php?src=../../../',
'/wp-content/themes/headlines/thumb.php?src=../../../',
'/wp-content/themes/headlines/timthumb.php?src=../../../',
'/wp-content/themes/headlines_enhanced_v2/thumb.php?src=../../../',
'/wp-content/themes/idris/images/timthumb.php?src=../../../',
'/wp-content/themes/impacto/thumb.php?src=../../../',
'/wp-content/themes/insignio/images/timthumb.php?src=../../../',
'/wp-content/themes/InterPhase/timthumb.php?src=../../../',
'/wp-content/themes/kingsize/timthumb.php?src=../../../',
'/wp-content/themes/lifestyle/thumb.php?src=../../../',
'/wp-content/themes/LightBright/timthumb.php?src=../../../',
'/wp-content/themes/Linepress/timthumb.php?src=../../../',
'/wp-content/themes/livewire/thumb.php?src=../../../',
'/wp-content/themes/mademan/scripts/timthumb.php?src=../../../',
'/wp-content/themes/Magnificent/thumb.php?src=../../../',
'/wp-content/themes/manifesto/scripts/timthumb.php?src=../../../',
'/wp-content/themes/Max/thumb.php?src=../../../',
'/wp-content/themes/Memoir/thumb.php?src=../../../',
'/wp-content/themes/mimbo/scripts/timthumb.php?src=../../../',
'/wp-content/themes/mimbopro/scripts/timthumb.php?src=../../../',
'/wp-content/themes/minecraftapps.com/scripts/timthumb.php?src=../../../',
'/wp-content/themes/mini-lab/functions/timthumb.php?src=../../../',
'/wp-content/themes/Modest/thumb.php?src=../../../',
'/wp-content/themes/Modest/timthumb.php?src=../../../',
'/wp-content/themes/modularity/includes/timthumb.php?src=../../../',
'/wp-content/themes/modularity2/includes/timthumb.php?src=../../../',
'/wp-content/themes/multidesign/scripts/timthumb.php?src=../../../',
'/wp-content/themes/muse/scripts/timthumb.php?src=../../../',
'/wp-content/themes/myjourney/thumb.php?src=../../../',
'/wp-content/themes/myjourney_3.1/thumb.php?src=../../../',
'/wp-content/themes/MyProduct/timthumb.php?src=../../../',
'/wp-content/themes/NewsPro/timthumb.php?src=../../../',
'/wp-content/themes/Nova/timthumb.php?src=../../../',
'/wp-content/themes/Nyke/timthumb.php?src=../../../',
'/wp-content/themes/ocram_2/thumb.php?src=../../../',
'/wp-content/themes/optimize/thumb.php?src=../../../',
'/wp-content/themes/optimize/timthumb.php?src=../../../',
'/wp-content/themes/OptimizePress/timthumb.php?src=../../../',
'/wp-content/themes/overeasy/timthumb.php?src=../../../',
'/wp-content/themes/pearlie_14%20dec/scripts/timthumb.php?src=../../../',
'/wp-content/themes/PersonalPress/timthumb.php?src=../../../',
'/wp-content/themes/photoria/scripts/timthumb.php?src=../../../',
'/wp-content/themes/photo-workshop/includes/timthumb.php?src=../../../',
'/wp-content/themes/Polished/timthumb.php?src=../../../',
'/wp-content/themes/postcard/thumb.php?src=../../../',
'/wp-content/themes/premiumnews/thumb.php?src=../../../',
'/wp-content/themes/premiumnews/timthumb.php?src=../../../',
'/wp-content/themes/productum/thumb.php?src=../../../',
'/wp-content/themes/profitstheme/thumb.php?src=../../../',
'/wp-content/themes/prosto/functions/thumb.php?src=../../../',
'/wp-content/themes/PureType/timthumb.php?src=../../../',
'/wp-content/themes/purevision/scripts/timthumb.php?src=../../../',
'/wp-content/themes/Quadro/timthumb.php?src=../../../',
'/wp-content/themes/redlight/includes/timthumb.php?src=../../..//coffeebreak/thumb.php?src=../../../',
'/wp-content/themes/Reporter/timthumb.php?src=../../../',
'/wp-content/themes/retreat/thumb.php?src=../../../',
'/wp-content/themes/rockstar/thumb.php?src=../../../',
'/wp-content/themes/rockwell_v1.5/scripts/timthumb.php?src=../../../',
'/wp-content/themes/rt_crystalline_wp/thumb.php?src=../../../',
'/wp-content/themes/rt_panacea_wp/thumb.php?src=../../../',
'/wp-content/themes/rt_syndicate_wp/thumb.php?src=../../../',
'/wp-content/themes/sealight/thumb.php?src=../../../',
'/wp-content/themes/SimplePress/timthumb.php?src=../../../',
'/wp-content/themes/simplicity/thumb.php?src=../../../',
'/wp-content/themes/simplicity/timthumb.php?src=../../../',
'/wp-content/themes/skeptical/thumb.php?src=../../../',
'/wp-content/themes/skeptical/timthumb.php?src=../../../',
'/wp-content/themes/snapshot/thumb.php?src=../../../',
'/wp-content/themes/snapshot/timthumb.php?src=../../../',
'/wp-content/themes/spectrum/thumb.php?src=../../../',
'/wp-content/themes/spectrum/timthumb.php?src=../../../',
'/wp-content/themes/telegraph/scripts/timthumb.php?src=../../../',
'/wp-content/themes/TheCorporation/timthumb.php?src=../../../',
'/wp-content/themes/themorningafter/thumb.php?src=../../../',
'/wp-content/themes/TheProfessional/timthumb.php?src=../../../',
'/wp-content/themes/therapy/thumb.php?src=../../../',
'/wp-content/themes/TheSource/timthumb.php?src=../../../',
'/wp-content/themes/thestation/thumb.php?src=../../../',
'/wp-content/themes/thestation/timthumb.php?src=../../../',
'/wp-content/themes/TheStyle/timthumb.php?src=../../../',
'/wp-content/themes/tma/thumb.php?src=../../../',
'/wp-content/themes/Transcript/thumb.php?src=../../../',
'/wp-content/themes/Transcript/timthumb.php?src=../../../',
'/wp-content/themes/tribune/scripts/timthumb.php?src=../../../',
'/wp-content/themes/typebased/thumb.php?src=../../../',
'/wp-content/themes/typebased/timthumb.php?src=../../../',
'/wp-content/themes/u-design/scripts/timthumb.php?src=../../../',
'/wp-content/themes/vibrantcms/thumb.php?src=../../../',
'/wp-content/themes/vulcan/timthumb.php?src=../../../',
'/wp-content/themes/watercolor/includes/timthumb.php?src=../../../',
'/wp-content/themes/waves/functions/timthumb.php?src=../../../',
'/wp-content/themes/welcome_inn/timthumb.php?src=../../../',
'/wp-content/themes/WhosWho/timthumb.php?src=../../../',
'/wp-content/themes/widescreen/includes/timthumb.php?src=../../../',
'/wp-content/themes/wootube/thumb.php?src=../../../',
'/wp-content/themes/wp-clear-prem/scripts/timthumb.php?src=../../../',
'/wp-content/themes/WPCMS2/scripts/timthumb.php?src=../../../',
'/wp-content/themes/zenko/scripts/timthumb.php?src=../../../'
);
$url = $_REQUEST['url'];
echo "<pre><strong>WordPress TimThumb Finder: Result</strong><hr>";
function status($a, $b){
echo "$a: <strong>$b</strong>\n";
}
$found = FALSE;
foreach ($payload as $uri) {
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url . $uri);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
$resp = curl_exec($ch);
$info = curl_getinfo($ch);
curl_close($ch);
if(strpos($resp, "TimThumb version") !== FALSE) {
status("url", $info['url']);
status("found", "true");
status("http_code", $info['http_code']);
$found = TRUE;
preg_match("/TimThumb version : (.*)/", $resp, $version, PREG_OFFSET_CAPTURE);
$version = $version[1][0];
$version = str_replace("</pre>", "", $version);
status("version", $version);
if(version_compare($version, "2.8.11") == -1) {
status("vulnerable", "true");
break;
} else {
status("vulnerable", "false");
}
}
}
$found == FALSE ? status("found", "false") : "";
echo "<a href='?'>Back to home</a></pre>";
} else {
?>
<pre><strong>WordPress TimThumb Finder</strong><hr>/*
* Wordpress TimThumb Finder
* Author : P4kL0nc4t
* Date : 07/01/2018
* Adapted from <a href="https://dl.packetstormsecurity.net/UNIX/scanners/wptimthumb-scanner.txt" style="color: inherit">WordPress TimThumb Finder v1.0 by Rafay Baloch (Python)</a>
*/</pre>
<form>
<label>URL: </label>
<input type="text" placeholder="http://example.com" name="url">
<button type="submit">Find!</button>
</form>
<?php
}
?>
<hr>
<pre>Copyright &copy; <strong>P4kL0nc4t</strong> <?= date("Y"); ?></pre></html>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment