Juq‑191 – A Thoroughly Impressive Piece of Gear

```
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
```

4. Exploiting the Command Injection

4.1. Understanding the Injection Surface

`$dest` is built from a random `uniqid()` plus a hard-coded `.jpg` extension. The original upload filename is never used in the command, so the filename itself is not an injection point; the attacker-controlled data that reaches `convert` is the image content, not the path.

8. Mitigations & Lessons Learned

| Issue | Description | Recommended Fix |
|-------|-------------|-----------------|
| ImageMagick command injection (ImageTragick) | The `convert` command processes attacker-controlled EXIF/image content, enabling arbitrary command execution. | Upgrade ImageMagick to ≥ 7.0.8-31 and, regardless of version, ship a `policy.xml` that disables the shell and pipeline delegates: `<policy domain="delegate" rights="none" pattern="*" />` |
| Unsanitised `exec()` | Direct concatenation of `$dest` into a shell command without escaping. The value is not attacker-controlled today (section 4.1), but the pattern is one refactor away from injection. | Use PHP’s ` |
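The following is an added example written for this page, not code from the box or from the original writeup. It shows the `exec()` pattern from the second table row beside a hardened handler that also addresses the first row's point about untrusted image content. The handler shape, the `convert` arguments and the `$tmp`/`$dest` names are assumed, since the page does not reproduce the original upload code; the hardened version uses `proc_open()` with an argv array (PHP ≥ 7.4), `finfo`, an explicit coder prefix and `-strip`, which is the editor's choice of fix and not necessarily what the page's truncated recommendation named.

```php
<?php
// Added example (editor's, not the original handler).
// Assumed: $tmp is the PHP upload temp file, $dest is uniqid() . '.jpg'
// inside the web root, and `convert` is ImageMagick on PATH.

// --- Vulnerable pattern from the mitigation table -------------------------
// The whole string is handed to /bin/sh, so ';', '|', '`' and '$(...)' in
// either path are interpreted. $dest is uniqid() today; the day any
// request-derived value is spliced in, this line becomes remote code execution.
function thumbnail_vulnerable(string $tmp, string $dest): void
{
    exec("convert " . $tmp . " -resize 200x200 " . $dest);
}

// --- Hardened handler ------------------------------------------------------
// Returns true on success, false on any rejection or convert failure.
function thumbnail_hardened(string $tmp, string $dest): bool
{
    // 1. Decide the format from magic bytes, never from the extension or the
    //    client's Content-Type. ImageTragick payloads are text (MVG/MSL)
    //    with an image extension; finfo sees them as text/plain.
    $mime  = (new finfo(FILEINFO_MIME_TYPE))->file($tmp);
    $coder = ['image/jpeg' => 'jpeg:', 'image/png' => 'png:'][$mime] ?? null;
    if ($coder === null) {
        return false;
    }

    // 2. Pin the output path to the uniqid().jpg shape described in 4.1
    //    (uniqid() without extra entropy is 13 lowercase hex chars).
    if (!preg_match('/^[a-f0-9]{13}\.jpg$/', basename($dest))) {
        return false;
    }

    // 3. Never involve the shell: an argv array goes straight to execve(),
    //    so there is no quoting layer to get wrong. The explicit coder prefix
    //    stops ImageMagick from sniffing the file as MVG/MSL or treating a
    //    leading '|' / '@' as a pipe or file include. -strip drops EXIF and
    //    other metadata before it is written out.
    $argv = [
        'convert',
        $coder . $tmp,
        '-strip',
        '-resize', '200x200',
        'jpeg:' . $dest,
    ];
    $spec = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($argv, $spec, $pipes);
    if (!is_resource($proc)) {
        return false;
    }
    // Drain both pipes before closing so convert cannot block on a full pipe.
    stream_get_contents($pipes[1]);
    $stderr = stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    $rc = proc_close($proc);
    if ($rc !== 0) {
        error_log("convert failed (rc=$rc): $stderr");
        return false;
    }
    return true;
}
```

Quoting or argv arrays fix only the `exec()` row. The ImageTragick row is a bug inside `convert` itself, so steps 1 and 3 above are defence in depth; the actual control is the `policy.xml` delegate line from the table, installed on the server and verified with `convert -list policy`, plus the version upgrade.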