webPromedium

Lab 94 — MediaForge — ImageMagick Command Injection via File Upload (ImageTragick)

hackadvisor

Task: Content publishing platform with server-side image processing using ImageMagick 6.9.10-23 with misconfigured policy.xml allowing vulnerable delegates. Solution: exploit ImageTragick (CVE-2016-3714) via MVG file with shell metacharacter injection in url() directive to read /root/flag.txt and write it to a web-accessible path.

$ ls tags/ techniques/

command_injection imagemagick mvg rce php file_upload nginx imagetragick cve_2016_3714 delegate_injection

imagetragick_delegate_command_injectionmvg_url_directive_shell_injectionimagemagick_format_autodetection_bypassblind_command_injection_file_exfiltrationhoneypot_decoy_flag_recognition

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

🔒

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[web][Pro]Lab 161 — PageForge — Path Traversal via Mixed Slash Filter Bypass— hackadvisor
[web][Pro]PageForge— hackadvisor
[web][Pro]Lab 254 — PageForge — ZIP Upload File Type Bypass to RCE— hackadvisor
[web][Pro]Lab 25 — DocuForge — RCE via Dompdf Font Cache Exploitation— hackadvisor
[web][Pro]Lab 314 — PixVault — ExifTool DjVu RCE via Image Upload— hackadvisor