Lab 94 — MediaForge — ImageMagick Command Injection via File Upload (ImageTragick)

hackadvisor

Task: Content publishing platform with server-side image processing using ImageMagick 6.9.10-23 with misconfigured policy.xml allowing vulnerable delegates. Solution: exploit ImageTragick (CVE-2016-3714) via MVG file with shell metacharacter injection in url() directive to read /root/flag.txt and write it to a web-accessible path.