webPromedium

Lab 39 — PixelVault — RCE via ImageMagick Filename Command Injection

hackadvisor

Task: Image hosting platform with custom_filename field passed to ImageMagick shell command inside double quotes, protected by escapeshellcmd(). Solution: Backtick command injection in custom_filename bypasses escapeshellcmd() inside double-quoted context, executing cp to copy /root/flag.txt to web-accessible uploads directory.

$ ls tags/ techniques/

command_injection imagemagick php file_upload nginx decoy_flag thumbnail_generation escapeshellcmd backtick_injection custom_filename

decoy_flag_avoidancebacktick_command_substitution_in_double_quotesescapeshellcmd_bypassimagemagick_fx_option_injectionfile_copy_to_webroot

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

🔒

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[web][Pro]Lab 324 — ImageMagick RCE (PixelForge)— hackadvisor
[web][Pro]Lab 314 — PixVault — ExifTool DjVu RCE via Image Upload— hackadvisor
[web][Pro]Lab 49 — PixelVault — Stored XSS via Malicious SVG Upload— hackadvisor
[web][Pro]Lab 343 — FrameCast — RCE via Ghostscript EPS Processing in Thumbnail Import— hackadvisor
[web][Pro]Lab 94 — MediaForge — ImageMagick Command Injection via File Upload (ImageTragick)— hackadvisor