> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-17/vulnerability-exploitation/trick-0140/web-vulnerability-exploitation-imagemagick.md).

# Imagemagick

## ImageMagick CVE-2022-44268 File Read

Craft a malicious PNG file that embeds the content of a target file using a tool based on a PoC for CVE-2022-44268. This tool generates a PNG file that will read the content of the specified file when processed by a vulnerable ImageMagick version. This often involves running a command like:

```bash
cargo run <file_to_read>
```

Upload the generated image to a web application or service that uses a vulnerable version of ImageMagick, such as 7.1.0-49 or similar impacted versions, to process images. After processing, download the resulting image. Use the `identify -verbose` command on the processed image to display its metadata. The output of this command will contain detailed information about the image, including potentially embedded data within sections like `RawProfile-icc`. Look for a block of hexadecimal data within this section which represents the embedded file content.

```bash
identify -verbose processed_image.png
```

Extract the hexadecimal data block from the output and decode it to retrieve the original file content. To automatically extract and decode this specific block from the `RawProfile-icc` line, you can pipe the output of `identify -verbose` through a command chain.

```bash
identify -verbose processed_image.png | grep RawProfile-icc | cut -d ':' -f 2 | xxd -r -p
```

This command filters the output for the `RawProfile-icc` line, extracts the hexadecimal data field by using ':' as a delimiter and taking the second field, and then decodes the resulting hex string into its original binary or text form using `xxd -r -p`.
