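#! /usr/bin/env bash
#
# Feeds a set of PoC image files to ImageMagick's convert/identify and prints
# SAFE or UNSAFE for each check, judged by the side effect the run leaves
# behind (a file created or deleted, a network request received).
# Input files are read from, and scratch files written to, the current
# working directory.

# Directory containing this script, used below as the ImageMagick config path.
DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"

# test for convert and identify
for tool in identify convert; do
  command -v "$tool" >/dev/null 2>&1 || { echo >&2 "I require imagemagick but it's not installed. Aborting."; exit 1; }
done

# These two lines point ImageMagick at the script's directory for its
# configuration files, so a policy.xml placed there is picked up. The verdicts
# below then describe that local policy, not necessarily the system-wide one;
# comment the lines out to test the installed configuration instead.
MAGICK_CONFIGURE_PATH="$DIR"
export MAGICK_CONFIGURE_PATH

# Finding MD5 calculator (used later to derive a nonce).
# command -v replaces `which`, whose output and exit status vary by platform;
# the result is quoted so a path containing spaces does not break the test.
MD5SUM_EXE=
for f in md5sum md5; do
  MD5SUM_EXE=$(command -v "$f" 2>/dev/null)
  if [ -n "${MD5SUM_EXE}" ]; then
    break
  fi
done
if [ -z "${MD5SUM_EXE}" ]; then
  echo >&2 "MD5 calculator (md5sum or md5) not found. Aborting."
  exit 1
fi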
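# Read check: convert read.jpg into readme.png with a scratch file named
# "readme" present. The appearance of readme.png is taken as UNSAFE.
echo "testing read"
if [ ! -r read.jpg ]; then
  # Without the input file convert fails for an unrelated reason, no output
  # appears, and the check would print SAFE without having tested anything.
  echo >&2 "read.jpg not found in ${PWD}; cannot run this test."
  echo "SKIPPED"
else
  # Output left over from an earlier run would be misread as UNSAFE.
  rm -f -- readme.png
  echo "Hello World" > readme
  convert read.jpg readme.png >/dev/null 2>&1
  if [ -e readme.png ]; then
    echo "UNSAFE"
    rm -- readme.png
  else
    echo "SAFE"
  fi
  rm -- readme
fi
echo ""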
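# Delete check: create a scratch file "delme", run identify on delete.jpg,
# and report UNSAFE if the scratch file is gone afterwards.
echo "testing delete"
if [ ! -r delete.jpg ]; then
  # A missing input leaves delme untouched, which would read as SAFE even
  # though nothing was exercised.
  echo >&2 "delete.jpg not found in ${PWD}; cannot run this test."
  echo "SKIPPED"
else
  touch delme
  identify delete.jpg >/dev/null 2>&1
  if [ -e delme ]; then
    echo "SAFE"
    rm -- delme
  else
    echo "UNSAFE"
  fi
fi
echo ""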
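# Local HTTP check: start a one-shot listener on a random local port, run
# identify on a copy of localhost_http.jpg with PORT substituted, and report
# UNSAFE if the listener recorded any request data.

#random port above 16K
PORT=$((RANDOM + 16384))
echo "testing http with local port: ${PORT}"
if [ ! -r localhost_http.jpg ] || ! command -v nc >/dev/null 2>&1; then
  # With no input file or no listener, nothing can be recorded and the check
  # would print SAFE without having tested anything.
  echo >&2 "localhost_http.jpg or nc is missing; cannot run this test."
  echo "SKIPPED"
else
  # Kept from the original, which used it to silence job control messages.
  set -b
  # setup a dummy http server
  printf "HTTP/1.0 200 OK\n\n" | nc -l ${PORT} > requestheaders 2>/dev/null &
  NC_PID=$!
  # $? after '&' is always 0, so it cannot reveal a failed listen. Give nc a
  # moment to start and check that the process is still alive instead.
  sleep 1
  if ! kill -0 "$NC_PID" 2>/dev/null; then
    echo >&2 "failed to listen on localhost:${PORT}"
    rm -f -- requestheaders
    exit 1
  fi
  sed "s/PORT/${PORT}/g" localhost_http.jpg > localhost_http1.jpg
  identify localhost_http1.jpg >/dev/null 2>&1
  rm -- localhost_http1.jpg
  if test -s requestheaders; then
    echo "UNSAFE"
  else
    echo "SAFE"
  fi
  # terminate the dummy server if it is still waiting for a connection;
  # redirecting wait's stderr hides the shell's "Terminated" notice.
  kill "$NC_PID" 2>/dev/null
  wait "$NC_PID" 2>/dev/null
  rm -- requestheaders
  set +b
fi
echo ""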
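# Remote HTTP check: substitute a nonce into a copy of http.jpg, run identify
# on it, then ask an external log service whether a lookup carrying that nonce
# was seen from this host's public address.
# NOTE(review): the verdict depends on two third-party services (ifconfig.co
# and hacker.toys) being reachable and behaving as the original author
# expected; confirm both before relying on a SAFE result.
# NOTE(review): the comparison assumes the logged source address equals the
# address ifconfig.co reports for this host. If lookups leave through a
# different resolver or egress path, the result would read as SAFE. Confirm.
NONCE=$(echo $RANDOM | "${MD5SUM_EXE}" | fold -w 8 | head -n 1)
echo "testing http with nonce: ${NONCE}"
IP=$(curl -q -s ifconfig.co)
if [ ! -r http.jpg ] || [ -z "$IP" ]; then
  # An empty IP previously left grep without a pattern; grep then failed and
  # the check printed SAFE although nothing had been compared.
  echo >&2 "http.jpg is missing or the public IP lookup failed; cannot run this test."
  echo "SKIPPED"
else
  sed "s:NONCE:${NONCE}:g" http.jpg > http1.jpg
  identify http1.jpg >/dev/null 2>&1
  rm -- http1.jpg
  if ! DNS_LOG=$(curl -q -s "http://hacker.toys/dns?query=${NONCE}.imagetragick"); then
    # An unreachable log service is not evidence of safety.
    echo >&2 "could not query the log service; result unknown."
    echo "SKIPPED"
  # -F: match the address literally; unescaped dots are regex wildcards.
  elif printf '%s\n' "$DNS_LOG" | grep -qF -- "$IP"; then
    echo "UNSAFE"
  else
    echo "SAFE"
  fi
fi
echo ""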
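# rce1 check: run identify on rce1.jpg and treat the appearance of a file
# named "rce1" in the working directory as UNSAFE.
echo "testing rce1"
if [ ! -r rce1.jpg ]; then
  # A missing input creates no marker, which would read as SAFE even though
  # nothing was exercised.
  echo >&2 "rce1.jpg not found in ${PWD}; cannot run this test."
  echo "SKIPPED"
else
  # A marker left over from an earlier run would be misread as UNSAFE.
  rm -f -- rce1
  identify rce1.jpg >/dev/null 2>&1
  if [ -e rce1 ]; then
    echo "UNSAFE"
    rm -- rce1
  else
    echo "SAFE"
  fi
fi
echo ""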
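# rce2 check: run identify on rce2.jpg and treat the appearance of a file
# named "rce2" in the working directory as UNSAFE.
echo "testing rce2"
if [ ! -r rce2.jpg ]; then
  # A missing input creates no marker, which would read as SAFE even though
  # nothing was exercised.
  echo >&2 "rce2.jpg not found in ${PWD}; cannot run this test."
  echo "SKIPPED"
else
  # A marker left over from an earlier run would be misread as UNSAFE.
  rm -f -- rce2
  identify rce2.jpg >/dev/null 2>&1
  if [ -e rce2 ]; then
    echo "UNSAFE"
    rm -- rce2
  else
    echo "SAFE"
  fi
fi
echo ""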
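# MSL check: run identify on msl.jpg and treat the appearance of a file named
# "msl.hax" in the working directory as UNSAFE.
echo "testing MSL"
if [ ! -r msl.jpg ]; then
  # A missing input creates no marker, which would read as SAFE even though
  # nothing was exercised.
  echo >&2 "msl.jpg not found in ${PWD}; cannot run this test."
  echo "SKIPPED"
else
  # A marker left over from an earlier run would be misread as UNSAFE.
  rm -f -- msl.hax
  identify msl.jpg >/dev/null 2>&1
  if [ -e msl.hax ]; then
    echo "UNSAFE"
    rm -- msl.hax
  else
    echo "SAFE"
  fi
fi
echo ""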