How to Exploit ImageTragick in vBulletin using BurpSuite and Metasploit
A vulnerability was found in Imagemagick where insufficient filtering for filenames passed to a delegate's command allows remote code execution during the conversion of several file formats.
Imagemagick allows the processing of files with external libraries. This feature is called "delegate". It is implemented as a system() call with a command string ('command') from the config file delegates.xml with actual values for different parameters (input/output/filename, etc.). Because the %M parameter is insufficiently filtered, it is possible to inject shell commands. One of the default delegate commands uses the following to handle HTTPS requests:
"wget" -q -O "%o" "https:%M"
where %M is the actual link from the input. If wget or curl are installed, it is possible to pass the value "https://example.com" |ls "-la" and unexpectedly execute 'ls -la'.