PoC details: 4e3233c5f815a10d345cf0c61d13a84faf1c6a38

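Source
Related vulnerability
Title: ImageMagick security vulnerability (CVE-2022-44268)
Description: ImageMagick is an open-source image-processing suite from ImageMagick (US). It can read, convert, and write images in many formats. ImageMagick version 7.1.0-49 contains an information disclosure vulnerability: when it parses a PNG image, the resulting image may embed the contents of an arbitrary file.
Description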
Tools for working with ImageMagick to handle arbitrary file read vulnerabilities. Generate, read, and apply profile information to PNG files using a command-line interface.
Introduction
# ImageMagick Arbitrary Read Files - CVE-2022-44268

This repository contains proof-of-concept (PoC) code for the arbitrary file read vulnerability (CVE-2022-44268) in ImageMagick. The PoC demonstrates how an attacker can leverage the vulnerability to read arbitrary files on the system.

## Prerequisites

To run the code, ensure that you have the following dependencies installed:

- Python 3.x
- Pillow (Python Imaging Library)

You can install the necessary dependencies using `pip`:

```
pip install pillow
```

## Usage

The PoC code provides three main functionalities: generate, read, and apply.

### Generate

Generate a PoC PNG file with embedded profile information.

```
python3 magileak.py generate -l [local_file] -o [output_file]
```

- `[local_file]`: Path to the local file that we want to extract.
- `[output_file]`: Path to the output PNG file.

### Read

Read and decode the profile type from a PNG file.

```
python3 magileak.py read -i [input_file]
```

- `[input_file]`: Path to the input PNG file.

### Apply

Apply profile information to a PNG file.

```
python3 magileak.py apply -i [input_file] -l [local_file]
```

- `[input_file]`: Path to the input PNG file.
- `[local_file]`: Path to the local file that we want to extract.
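
On the defensive side, uploads can be screened for this issue before they reach ImageMagick. The following is an added example, not part of `magileak.py` or of this repository; it assumes the publicly documented trigger form of CVE-2022-44268 (a PNG text chunk whose keyword is `profile`), and the function names are hypothetical.

```python
import struct
import sys

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# tEXt, zTXt and iTXt bodies all begin with "<keyword>\x00".
TEXT_CHUNKS = {b"tEXt", b"zTXt", b"iTXt"}


def iter_chunks(data):
    """Yield (chunk_type, body) for every complete chunk in a PNG byte string."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 8 + length
        if end + 4 > len(data):
            break  # truncated chunk: nothing reliable past this point
        yield ctype, data[pos + 8:end]
        pos = end + 4  # skip the 4-byte CRC


def find_profile_text_chunks(data):
    """Return (chunk_type, keyword) for text chunks whose keyword is 'profile'."""
    hits = []
    for ctype, body in iter_chunks(data):
        if ctype not in TEXT_CHUNKS:
            continue
        keyword = body.split(b"\x00", 1)[0].decode("latin-1")
        # Assumption: compare case-insensitively so variants are flagged too.
        if keyword.strip().lower() == "profile":
            hits.append((ctype.decode("ascii"), keyword))
    return hits


def is_suspicious(data):
    """True if the PNG should be rejected or quarantined before conversion."""
    return bool(find_profile_text_chunks(data))


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            hits = find_profile_text_chunks(fh.read())
        print(f"{path}: {'SUSPICIOUS ' + repr(hits) if hits else 'ok'}")
```

A hit is a reason to reject or strip metadata from the upload; it does not replace upgrading ImageMagick past the affected version.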

## Disclaimer

This code is provided for educational and demonstration purposes only. Use it responsibly and at your own risk. The author and contributors of this repository are not responsible for any misuse or damage caused by this code.

## References

- CVE-2022-44268: [https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44268](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44268)
- ImageMagick: [https://imagemagick.org/](https://imagemagick.org/)
- Sybil-Scan: [https://github.com/Sybil-Scan/imagemagick-lfi-poc/tree/main](https://github.com/Sybil-Scan/imagemagick-lfi-poc/tree/main)
File snapshot

```
[4.0K] /data/pocs/4e3233c5f815a10d345cf0c61d13a84faf1c6a38
├── [6.9K] LICENSE
├── [ 26M] magick
├── [4.1K] magileak.py
└── [1.8K] README.md

0 directories, 4 files
```