How I found Command Injection via Obsolete PHPThumb

Hello readers, after the great response to my previous write-up on Account Takeover Chained to Host Header Injection, I would like to thank each and every one of you for your appreciation and for showing your gratitude, and also those who found it helpful in their hunting journey. I would like to share another P1 vulnerability: Command Injection via Obsolete PHPThumb.

As usual, I was hunting on some private programs. I was just doing the usual recon process, and on one of the endpoints I ran DirBuster. After several checks, I noticed an error in the application which was known to me, so I quickly checked on Google what exactly the error was and whether it was vulnerable or not, so that I could exploit it further.

Before starting with the exploitation, let us understand what exactly PHPThumb is and what its vulnerability is.

phpThumb() uses the GD library to create thumbnails from images (JPEG, PNG, GIF, BMP, etc.) on the fly. The output size is configurable (it can be larger or smaller than the source), and the source may be the entire image or only a portion of the original image. True color and resampling are used if GD v2.0+ is available; otherwise paletted-color and nearest-neighbor resizing are used. ImageMagick is used wherever possible for speed. Basic functionality is available even if the GD functions are not installed (as long as ImageMagick is installed).

Multiple vendor applications utilize phpThumb(). phpThumb() versions 1.7.9 and below are affected by a command injection vulnerability that allows an attacker to execute arbitrary shell commands.

A command injection vulnerability exists in the phpThumb fltr parameter. A remote, authenticated attacker can exploit this vulnerability by sending crafted requests to the phpThumb web page. Successful exploitation will result in arbitrary command execution.

Attackers can exploit this issue to execute arbitrary commands in the context of the web server.

Successful exploitation requires 'ImageMagick' to be installed.

This vulnerability does not affect the phpThumb that is included in the MODx Revolution distribution.

Steps To Reproduce:

Step 1: After the recon process I landed on an endpoint where the application was throwing some errors.

Error Page

Step 2: After checking the error on Google, it was found that the application was vulnerable to Command Injection.

Step 3: After checking several GitHub and Exploit-DB entries, I finally found a useful payload for this vulnerability.

Payload: $target/phpThumb.php?src=file.jpg&fltr[]=blur|9 -quality 75 -interlace line fail.jpg jpeg:fail.jpg ; uname -a ; &phpThumbDebug=9

Step 4: I used this payload and got exactly the response I was expecting. Command Injection was triggered on the application.

uname -a

Step 5: Changing the payload and checking the response.

ls -la
cat etc/passwd

Remediation:

Upgrade to the latest version of phpThumb.
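Beyond upgrading, a defender can watch web server access logs for this pattern and validate fltr[] values before they ever reach the image pipeline. The script below is an added example written for this write-up, not code from the original post or from the phpThumb project: the combined-format log lines are constructed, the filter allowlist is an assumption limited to the blur filter used above, and the shell metacharacter set is illustrative rather than exhaustive.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Characters that let a fltr[] argument break out of the ImageMagick command
# line that phpThumb <= 1.7.9 assembled from it (illustrative set).
SHELL_META = re.compile(r"[;|&`$<>\n]")

# Illustrative allowlist (an assumption of this example, not phpThumb's own
# list): filter name -> pattern the argument after '|' must match.
FILTER_ALLOWLIST = {
    "blur": re.compile(r"^\d{1,2}$"),  # blur|<radius>, e.g. blur|9
}

# Combined log format: ip ident user [time] "METHOD path PROTO" status size
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
)

SEVERITY = {"ok": 0, "review": 1, "suspicious": 2}

# Constructed sample log: a benign thumbnail request, the injection payload
# from the write-up (percent-encoded as a server would log it), and noise.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2021:13:55:36 +0000] '
    '"GET /phpThumb.php?src=file.jpg&fltr[]=blur|9 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [10/Oct/2021:13:55:40 +0000] '
    '"GET /phpThumb.php?src=file.jpg&fltr[]=blur|9%20-quality%2075%20-interlace%20line'
    '%20fail.jpg%20jpeg:fail.jpg%20%3B%20uname%20-a%20%3B&phpThumbDebug=9 HTTP/1.1" 200 2200',
    '198.51.100.7 - - [10/Oct/2021:13:56:01 +0000] "GET /index.php HTTP/1.1" 200 8800',
]


def parse_fltr(query):
    """Split every fltr[] / fltr query value into (filter_name, argument)."""
    params = parse_qs(query, keep_blank_values=True)
    pairs = []
    for raw in params.get("fltr[]", []) + params.get("fltr", []):
        name, _, arg = raw.partition("|")
        pairs.append((name, arg))
    return pairs


def classify_request(path):
    """Return (verdict, reasons) for one request path; 'ignore' if not phpThumb."""
    parts = urlsplit(path)
    if not parts.path.lower().endswith("phpthumb.php"):
        return "ignore", []
    verdict, reasons = "ok", []

    def raise_to(level, why):
        # Record the reason and escalate the verdict, never downgrade it.
        nonlocal verdict
        reasons.append(why)
        if SEVERITY[level] > SEVERITY[verdict]:
            verdict = level

    for name, arg in parse_fltr(parts.query):
        if SHELL_META.search(name + arg):
            raise_to("suspicious", f"shell metacharacter in fltr value {name}|{arg}")
        elif name not in FILTER_ALLOWLIST:
            raise_to("review", f"filter {name!r} not in allowlist")
        elif not FILTER_ALLOWLIST[name].match(arg):
            raise_to("suspicious", f"argument {arg!r} is not valid for filter {name!r}")
    if "phpThumbDebug" in parse_qs(parts.query, keep_blank_values=True):
        raise_to("review", "phpThumbDebug set (debug output exposes command results)")
    return verdict, reasons


def scan_log(lines):
    """Return [(ip, path, verdict, reasons)] for every phpThumb request in the log."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        verdict, reasons = classify_request(m.group("path"))
        if verdict != "ignore":
            findings.append((m.group("ip"), m.group("path"), verdict, reasons))
    return findings


if __name__ == "__main__":
    for ip, path, verdict, reasons in scan_log(SAMPLE_LOG):
        print(f"{verdict:10} {ip} {path}")
        for why in reasons:
            print(f"           - {why}")
```

The same classify_request() check is the shape of input validation that belongs in front of any filter string that is later handed to a shell: split on the first `|`, accept only known filter names, and accept only arguments that match a strict pattern for that filter, rejecting anything containing shell metacharacters outright rather than trying to strip them.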

Sushant Kamble

|Security Research| Bug Hunter| Bugcrowd| Hackerone| CTF Player |BlackHat🎩| CEH| CCNA| CCNP|MCSC|