forked from ImageTragick/PoCs
test.sh
#! /usr/bin/env bash
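# Absolute path of the directory that contains this script.
DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"

# Both ImageMagick front ends exercised below must be on PATH.
for tool in identify convert; do
  type "${tool}" >/dev/null 2>&1 || {
    echo >&2 "I require imagemagick but it's not installed. Aborting."
    exit 1
  }
done

# Every test below opens its fixture by bare file name and discards
# ImageMagick's stderr. A fixture missing from the current directory
# therefore looks the same as a blocked one, and the verdict can be a false
# "SAFE". Warn loudly instead of aborting so existing callers keep working.
for fixture in read.jpg delete.jpg localhost_http.jpg http.jpg \
  rce1.jpg rce2.jpg msl.jpg; do
  [ -f "${fixture}" ] ||
    echo >&2 "warning: ${fixture} not found in $(pwd); its test can print SAFE without exercising ImageMagick."
done

# These two lines are ACTIVE: ImageMagick is told to look for its
# configuration (policy.xml) in the script directory.
# NOTE(review): the verdicts then presumably describe the policy.xml stored
# next to this script rather than the system-wide one. Confirm how the
# installed ImageMagick combines the two. Comment both lines out to test the
# installed configuration only.
MAGICK_CONFIGURE_PATH=$DIR
export MAGICK_CONFIGURE_PATH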
# --- read test -------------------------------------------------------------
# Plant a known file (readme), then ask convert to turn read.jpg into
# readme.png. If readme.png exists afterwards, the fixture was processed far
# enough to produce output, and the verdict is UNSAFE.
# Caveat: convert's output is discarded, so any failure (including a missing
# read.jpg) also ends in "SAFE".
echo "testing read"
printf 'Hello World\n' > readme
convert read.jpg readme.png >/dev/null 2>&1
if [[ -e readme.png ]]; then
  echo "UNSAFE"
  rm readme.png
else
  echo "SAFE"
fi
rm readme
echo
# --- delete test -----------------------------------------------------------
# Create a canary file (delme) and let identify parse delete.jpg. If the
# canary is gone afterwards, the verdict is UNSAFE; if it survived, it is
# SAFE and the canary is cleaned up.
# Caveat: identify's output is discarded, so a missing delete.jpg or any
# other failure leaves the canary in place and is also reported as "SAFE".
echo "testing delete"
touch delme
identify delete.jpg >/dev/null 2>&1
if [[ ! -e delme ]]; then
  echo "UNSAFE"
else
  echo "SAFE"
  rm delme
fi
echo
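# --- local HTTP test -------------------------------------------------------
# Start a throwaway listener on a random port, substitute that port into
# localhost_http.jpg, and let identify parse the result. Any bytes captured
# in requestheaders mean identify made a request to the listener: UNSAFE.

# random port above 16K (16384..49151)
PORT=$((RANDOM + 16384))
echo "testing http with local port: ${PORT}"
# NOTE(review): the original comment says this silences job control messages.
# In bash, `set -b` is the `notify` option, which only changes when
# job-completion notices are printed. Kept as is to preserve behaviour.
set -b
# One-shot dummy HTTP server. The response is passed to printf as a single
# quoted format string so that the status line and the blank line are
# actually sent.
# NOTE(review): nc variants differ in listen syntax and in which interface
# they bind to. If this one rejects `-l PORT`, the liveness check below aborts
# instead of letting the test print a false SAFE.
printf 'HTTP/1.0 200 OK\r\n\r\n' | nc -l "${PORT}" > requestheaders 2>/dev/null &
listener_pid=$!
# `$?` after `&` only reports that the job was launched, so give nc a moment
# to bind (or fail) and then check that the process is still alive.
sleep 1
if ! kill -0 "${listener_pid}" 2>/dev/null; then
  echo >&2 "failed to listen on localhost:${PORT}"
  rm -f requestheaders
  set +b
  exit 1
fi
sed "s/PORT/${PORT}/g" localhost_http.jpg > localhost_http1.jpg
identify localhost_http1.jpg >/dev/null 2>&1
rm localhost_http1.jpg
if test -s requestheaders; then
  echo "UNSAFE"
else
  echo "SAFE"
fi
# Tear the listener down in both outcomes. It has already exited if a request
# arrived, hence the ignored errors.
kill "${listener_pid}" 2>/dev/null
wait "${listener_pid}" 2>/dev/null
rm requestheaders
set +b
echo ""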
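# --- remote HTTP / DNS test ------------------------------------------------
# Substitute a random nonce into http.jpg, let identify parse it, then ask
# the external logging service whether a lookup for that nonce was seen from
# this host's public IP.
# Caveats for whoever runs this:
#   * the test contacts two third-party services (ifconfig.co and
#     hacker.toys), the second over plaintext HTTP, and discloses this
#     host's public IP to them;
#   * the verdict is only meaningful while both services answer, so a failed
#     lookup is reported as UNKNOWN rather than SAFE.

# 8 random alphanumeric characters. LC_ALL=C keeps tr from rejecting raw
# bytes in multibyte locales.
NONCE=$(LC_ALL=C tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 8 | head -n 1)
echo "testing http with nonce: ${NONCE}"
IP=$(curl -q -s ifconfig.co)
if [[ -z "${IP}" ]]; then
  # With an empty IP the original `grep -q $IP` had no pattern and failed,
  # which fell through to the "SAFE" branch.
  echo >&2 "could not determine this host's public IP; remote http test not run"
  echo "UNKNOWN"
else
  sed "s/NONCE/${NONCE}/g" http.jpg > http1.jpg
  identify http1.jpg >/dev/null 2>&1
  rm http1.jpg
  if ! dns_log=$(curl -q -s "http://hacker.toys/dns?query=${NONCE}.imagetragick"); then
    echo >&2 "could not query the lookup log; remote http test inconclusive"
    echo "UNKNOWN"
  # -F matches the IP literally (dots are not wildcards) and -- protects
  # against a value that starts with '-'.
  elif grep -qF -- "${IP}" <<<"${dns_log}"; then
    echo "UNSAFE"
  else
    echo "SAFE"
  fi
fi
echo ""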
# --- rce1 test -------------------------------------------------------------
# identify parses rce1.jpg. If a marker file named rce1 exists in the current
# directory afterwards, the verdict is UNSAFE and the marker is removed.
# Caveat: identify's output is discarded, so a missing fixture or any other
# failure leaves no marker and is also reported as "SAFE".
echo "testing rce1"
identify rce1.jpg >/dev/null 2>&1
if [[ ! -e rce1 ]]; then
  echo "SAFE"
else
  echo "UNSAFE"
  rm rce1
fi
echo
# --- rce2 test -------------------------------------------------------------
# identify parses rce2.jpg. If a marker file named rce2 exists in the current
# directory afterwards, the verdict is UNSAFE and the marker is removed.
# Caveat: identify's output is discarded, so a missing fixture or any other
# failure leaves no marker and is also reported as "SAFE".
echo "testing rce2"
identify rce2.jpg >/dev/null 2>&1
if [[ ! -e rce2 ]]; then
  echo "SAFE"
else
  echo "UNSAFE"
  rm rce2
fi
echo
# --- MSL test --------------------------------------------------------------
# identify parses msl.jpg. If a marker file named msl.hax exists in the
# current directory afterwards, the verdict is UNSAFE and the marker is
# removed.
# Caveat: identify's output is discarded, so a missing fixture or any other
# failure leaves no marker and is also reported as "SAFE".
echo "testing MSL"
identify msl.jpg >/dev/null 2>&1
if [[ ! -e msl.hax ]]; then
  echo "SAFE"
else
  echo "UNSAFE"
  rm msl.hax
fi
echo