How I found Command Injection via Obsolete PHPThumb
Hello Readers, after a great response to my previous write-up on Account Takeover Chained to Host Header Injection. I would like to thank each and everyone for appreciating for showing their gratitude and also for those who found this helpful in their hunting journey. I would like to share another P1 vulnerability that is “Command Injection via Obsolete PHPThumb”.
As usual, I was hunting on some private programs I was just doing all the recon process and in one of the endpoints I ran Dirbuster and after several checks, I noticed some error in the application which was known to me so I quickly checked on google what exactly was the error and is that vulnerable or not so that I can exploit further.
Before starting with the exploitation let us understand what exactly is PHPThumb and its vulnerability?
phpThumb() uses the GD library to create thumbnails from images (JPEG, PNG, GIF, BMP, etc) on the fly. The output size is configurable (can be larger or smaller than the source), and the source may be the entire image or only a portion of the original image. True color and resampling are used if GD v2.0+ is available, otherwise, paletted-color and nearest-neighbor resizing are used. ImageMagick is used wherever possible for speed. Basic functionality is available even if GD functions are not installed (as long as ImageMagick is installed).
Multiple vendor applications utilize phpThumb(). phpThumb() uses the GD library to create thumbnails from images (JPEG, PNG, GIF, BMP, etc) on the fly. phpThumb() versions 1.7.9 and below are vulnerable to a command injection vulnerability that allows an attacker to execute arbitrary shell commands.
A command injection vulnerability exists in a PHPThumb phpThumb fltr parameter. A remote, authenticated attacker can exploit this vulnerability by sending crafted requests to the phpThumb web page. Successful exploitation will result in arbitrary command execution.
Attackers can exploit this issue to execute arbitrary commands in the context of the webserver.
Successful exploitation requires ’ImageMagick’ to be installed.
This vulnerability does not affect the phpThumb that is included in the MODx Revolution distribution.
Steps To Reproduce:
Step 1: After recon process I landed to a endpoint where application was throwing some errors.
Step 2: Then after checking the error on google it was found that the application was vulnerable to Command Injection.
Step 3: After checking several github and exploitdb I finally found the useful payload for this vulnerability.
Payload: “$target/phpThumb.php?src=file.jpg&fltr=blur|9 -quality 75 -interlace line fail.jpg jpeg:fail.jpg ; uname -a ; &phpThumbDebug=9”
Step 4: I used those payload and I got the exact response which I was expecting. Command Injection was triggered to the application.
Step 5: Trying to change the Payload and checking the response.
Upgrade to the latest version of phpThumb.