I tried making an app with Vibe coding. It's easy and nice, isn't it?
We have an image compression service that uses ImageMagick. The app takes an image file and a quality parameter then compresses it using magick.
Looking at the server code, there are two potential injection points:
1. The quality parameter: validated with t.Numeric(), so no direct injection there.
2. The filename: passed through an escape() function. The key is that \ is not in the escape list.
The escape function escapes: $'"(){}[]:;/&~|^!? \n`
The command being executed is:
magick "${inputPath}" -quality ${quality} -strip "${outputPath}"
Even though the filename is escaped, ImageMagick processes filenames in a special way. By using ImageMagick's delegate syntax with backslashes, we can inject commands.
The working payload format:
png\|echo$FLAG
What happens:
1. The escape function converts | to \|, but we already have a backslash in front of it, so the filename becomes png\\|echo$FLAG.
2. ImageMagick treats | as a delegate separator.
3. echo$FLAG executes, reading the flag from the environment variable.
Use ImageMagick delegate syntax with backslashes:
format\|command (e.g., png\|echo$FLAG)
Flag: TSGCTF{d0llar_s1gn_1s_mag1c_1n_sh3ll_env1r0nm3nt_and_r3ad0nly_15_r3qu1r3d_f0r_c0mmand_1nj3c710n_chall3ng35}