# auto-cve-2022-44268

Automating exploitation of CVE-2022-44268 ImageMagick Arbitrary File Read

Original finding:

PoC Repository:

# Description
ImageMagick will **interpret** the "profile" text string** as a filename** and **will load the content** as a raw profile, then **the attacker can download** the resized image **which will come with the content of a remote file.**

## Vulnerability & Exploitation summary
๐Ÿ”ด Take a PNG file, add a file path to the "profile" EXIF field, send it to a website using an affected version of ImageMagick, it interprets the file path, load its content into the EXIF field, you download the image, extract the HEX data in the "Raw Profile Type" field, and convert it to ASCII to read the remote file.

Affected versions: ImageMagick 7.1.0-49 

# Requirements
sudo apt install pngcrush imagemagick exiftool exiv2 -y

# Usage
 	chmod +x
 	./ <image name> <file to read>

# Example
	./ flag.png /etc/passwd

# Demo

# Enumeration Tips
Once you get users from /etc/passwd, try to enumerate SSH private keys from /home/.ssh/<user>/ :
- id_rsa
- id_ecdsa
- id_ed25519
e.g /home/john/.ssh/id_ed25519

Don't forget :
- config files for known CMS like wp-config.php for Wordpress
- Virtual Hosts enumeration like /etc/apache2/sites-available/000-default.conf,
- or .env files for instances

### Tags
imagemagick, exploit, vuln, magick convert, magick resize, exploitation, vulnerabilities, file read, CVE-2022-44268