Php File Upload Check Extension and Rename

Six files that are also a valid PHP


Caio Lüders

And a GIF that is as well a Python

That story begins with me trying to make a GIF that is also a valid Haskell, all that for a CTF challenge. Although it was a pain in the ass to solve this challenge, the idea of having one file that has two formats was really interesting and somewhat useful to bypass upload restrictions and execute the unexpected type of your file with some LFI.

GIF + PHP

I was reading the PoC||GTFO Journal and they love the idea of a polyglot file; one of their issues is a PDF/Zip and NES ROM, so I started with the simplest (and probably the only one that is useful) file format: PHP. Why is it the simplest? Because you can state where the code starts with <? and where it ends with ?>, so I can put the PHP code anywhere in the file.

I already knew something about GIF, so let's start with it. Having in mind that the content of the GIF is worthless to us, the tiniest GIF possible is a great place to start:

    HEX   : 47 49 46 38 39 61 01 00 01 00 00 FF 00 2C 00 00 00 00 01 00 01 00 00 02 00 3B
    ASCII : GIF89a���ÿ�,��������;

As explained in the blog post, that makes a 1x1 black GIF and it should break because it doesn't have the Global Color Table, but it works because the readers don't follow the specification strictly. Now I want to put my PHP string somewhere in there. Reading the GIF89a Specification I found the Comment Extension, which allows us to put a comment in the GIF at the end of the file. Something like this:

          7 6 5 4 3 2 1 0        Field Name                    Type
         +---------------+
      0  |      0x21     |       Extension Introducer          Byte
         +---------------+
      1  |      0xFE     |       Comment Label                 Byte
         +---------------+

         +===============+
         |    <?         |
      N  |    phpinfo(); |       Comment Data            Data Sub-blocks
         |               |
         +===============+

         +---------------+
      0  |       ;       |       Block Terminator              Byte
         +---------------+

So now we can append our PHP code as a comment in the GIF:

    HEX   : 47 49 46 38 39 61 01 00 01 00 00 FF 00 2C 00 00 00 00 01 00 01 00 00 02 00 21 FE 3C 3F 70 68 70 69 6E 66 6F 28 29 3B
    ASCII : GIF89a���ÿ�,��������!þ<?phpinfo();

Note that !þ = 0x21 0xFE, and PHP doesn't require the ?> at the end. Also GIF makes it easy for us by having the EOF as a semicolon.

PHP + PDF

Following the steps of PoC||GTFO let's play with PDF. The plan is still the same: get the simplest PDF possible and try to append a comment.

I had a problem with the first part of the plan. I use OS X and its PDF reader is strict as fuck; almost every simple PDF that I found on the internet has some mistake for the OS X reader. The only one that is all in ASCII and worked for me was this one: https://stackoverflow.com/a/32142316

    %PDF-1.2
    9 0 obj
    << >>
    stream
    BT/ 9 Tf(Test)' ET
    endstream
    endobj
    4 0 obj
    << /Type /Page /Parent 5 0 R /Contents 9 0 R >>
    endobj
    5 0 obj
    << /Kids [4 0 R ] /Count 1 /Type /Pages /MediaBox [ 0 0 99 9 ] >>
    endobj
    3 0 obj
    << /Pages 5 0 R /Type /Catalog >>
    endobj
    trailer
    << /Root 3 0 R >>
    %%EOF

It has a lot of parts that aren't required for other readers, like Chrome's reader, and it could be much smaller, but it doesn't matter. PDF is much simpler: like any programming language it has a syntax for comments, which is %, so just put that after any line and append the PHP code.

    %PDF-1.2
    %<?phpinfo()?>
    ...

Simplest approach

Surfing the Web I found something really beautiful, a repository with a huge list of the "Smallest possible […] file", so I started trying to append PHP to some of those files.

As it turns out, most of the files have an EOF of some kind to state that the file has ended, and most readers just ignore anything that is put after that EOF. Here are four examples:

ELF + PHP

    HEX   : 7F 45 4C 46 01 01 01 00 00 00 00 00 00 00 00 00 02 00 03 00 01 00 00 00 19 40 CD 80 2C 00 00 00 00 00 00 00 00 00 00 00 34 00 20 00 01 00 00 00 00 00 00 00 00 40 CD 80 00 40 CD 80 4C 00 00 00 4C 00 00 00 05 00 00 00 00 10 00 00 3C 3F 70 68 70 69 6E 66 6F 28 29 3B 3F 3E
    ASCII : ELF��������������@̀,�����������4� ���������@̀�@̀L���L���������<?phpinfo();?>

MP3 + PHP

    HEX   : FF E3 18 C4 00 00 00 03 48 00 00 00 00 4C 41 4D 45 33 2E 39 38 2E 32 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 3C 3F 70 68 70 69 6E 66 6F 28 29 3B 3F 3E
    ASCII : ÿãÄ���H����LAME3.98.2�������������������������������������������������<?phpinfo();?>

JPG + PHP

    HEX   : FF D8 FF DB 00 43 00 03 02 02 02 02 02 03 02 02 02 03 03 03 03 04 06 04 04 04 04 04 08 06 06 05 06 09 08 0A 0A 09 08 09 09 0A 0C 0F 0C 0A 0B 0E 0B 09 09 0D 11 0D 0E 0F 10 10 11 10 0A 0C 12 13 12 10 13 0F 10 10 10 FF C9 00 0B 08 00 01 00 01 01 01 11 00 FF CC 00 06 00 10 10 05 FF DA 00 08 01 01 00 00 3F 00 D2 CF 20 FF D9 3C 3F 70 68 70 69 6E 66 6F 28 29 3B 3F 3E
    ASCII : ÿØÿÛ�C� ÿÉ� ���ÿÌ��ÿÚ���?�ÒÏ ÿÙ<?phpinfo();?>

Appending PHP to a JPEG is actually old, but everyone just puts it in the EXIF, and I consider that cheating.

BMP + PHP

    HEX   : 42 4D 1E 00 00 00 00 00 00 00 1A 00 00 00 0C 00 00 00 01 00 01 00 01 00 18 00 00 00 FF 00 3C 3F 70 68 70 69 6E 66 6F 28 29 3B 3F 3E
    ASCII : BM���������� ���������ÿ�<?phpinfo();?>

Bonus round:

After that finding I started playing with something more hardcore: a GIF that is also a valid Python. None of the above "techniques" works because you can't just tell the Python interpreter where to start running the code like in PHP. Let's take another look at another GIF:

    HEX   : 47 49 46 38 39 61 01 00 01 00 80 01 00 FF FF FF 00 00 00 21 F9 04 01 0A 00 01 00 2C 00 00 00 00 01 00 01 00 00 02 02 4C 01 00 3B
    ASCII : GIF89a��€�ÿÿÿ���!ù ��,�������L�;

Let's try an error-based analysis: what is the error that this file gives when run as a .py?

    $ python tinytrans.gif
      File "tinytrans.gif", line 1
        GIF89a
              ^
    SyntaxError: invalid syntax

It throws a syntax error at the 0x01 byte, which is expected. The GIF Magic Number specifies that it is a GIF and that its version is "89a". It turns out that every reader just requires that the version is 89 or 87, ignoring the "a" part, so we can replace the "a" with a "=" and state that "GIF89" is a variable; that should be a nice start. Let's run again.

    $ python tinytrans.gif
      File "tinytrans.gif", line 1
        GIF89=
              ^
    SyntaxError: invalid syntax

Again, as expected. The first thought that I had was to just comment out the gibberish part of the GIF and put a comment, just like in the PHP+GIF; that is valid Python and it was going to be fine. But in the middle of the gibberish it has a 0x0A byte, which is also a newline, and that bugs all my attempts. I was trying to make something like this:

              GIF89=\ #[email protected][email protected]$!(@#@!_#)[email protected][e-mail protected]!þ\ __import__('os').system('ls');            

That is, a multi-line variable declaration using the '\' and in the middle of it just commenting out the non-ASCII, after that appending the '!þ' to start a GIF comment, jumping to another line and putting the actual code, followed by the EOF's semicolon, which is also valid in Python.

But trying to make a comment in a multi-line variable declaration was just impossible, while making it inside parentheses was valid: https://stackoverflow.com/a/22914853 . New try:

    HEX   : 47 49 46 38 39 3D 28 0A 00 00 80 01 00 FF FF FF 00 00 00 21 F9 04 01 00 00 01 00 2C 00 00 00 00 01 00 01 00 00 02 02 4C 01 00 21 FE 0A 5F 5F 69 6D 70 6F 72 74 5F 5F 28 27 6F 73 27 29 2E 73 79 73 74 65 6D 28 27 6C 73 27 29 29 3B
    ASCII : GIF89=( ��€�ÿÿÿ���!ù���,�������L�!þ __import__('os').system('ls'));

Note that the interpreter will just ignore the line that starts with a non-ASCII character, which is odd, so we don't need the #. And running:

    $ python python.gif
    bash.gif  handtinyblack.gif   php.elf  php.mp3     tinytrans.gif
    bmp.bmp   php-logo-virus.jpg  php.gif  php.pdf     tinytrans.gpy
    dude.gif  php.bmp             php.jpg  python.gif  tinytrans.py

Yay!
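The checks a file-upload gatekeeper would want against the tricks on this page, as an added example that is not the article's code: a PHP open-tag scan, a spec-strict walk of the GIF block structure that recovers Comment Extension payloads (the GIF+PHP trick), flags the "GIF89=" version byte from the bonus round, and counts bytes after the 0x3B trailer that readers ignore. The sample inputs are constructed from the article's own hex dumps; function and field names are my own.

```python
import re
# Detection-side counterpart to the GIF polyglots on this page (added example, not
# the article's code): flag a PHP open tag, walk the GIF block structure to pull out
# Comment Extension payloads and malformed blocks, and count bytes after the 0x3B
# trailer, where readers stop looking. Bare '<?' would also hit <?xml in SVG/XMP.
PHP_TAG = re.compile(rb"<\?(?:php|=|\s)")

def read_subblocks(data, pos, issues):  # data sub-blocks: length byte + bytes, 0x00 ends
    out = bytearray()
    while pos < len(data):
        n, pos = data[pos], pos + 1
        if n == 0:
            return bytes(out), pos
        if pos + n > len(data):  # page's GIF+PHP: '<' (0x3C) is taken as a length of 60
            issues.append("truncated sub-block at %d" % (pos - 1))
            return bytes(out + data[pos:]), len(data)
        out, pos = out + data[pos:pos + n], pos + n
    issues.append("unterminated sub-blocks")
    return bytes(out), pos

def walk_gif(data):  # strict walk -> (comment payloads, offset after trailer, issues)
    comments, issues = [], []
    if data[5:6] != b"a":  # the 'GIF89=' trick: readers ignore the version letter
        issues.append("non-standard version byte %r" % data[5:6])
    pos = 13 + (3 << ((data[10] & 7) + 1) if data[10] & 0x80 else 0)  # skip Global Color Table
    while pos < len(data):
        block, pos = data[pos], pos + 1
        if block == 0x3B:  # trailer: anything after it is foreign to the image
            return comments, pos, issues
        if block == 0x21:  # extension: label byte, then sub-blocks
            label, pos = data[pos], pos + 1
            payload, pos = read_subblocks(data, pos, issues)
            if label == 0xFE:
                comments.append(payload)
        elif block == 0x2C:  # image descriptor: 9 bytes, optional local table, LZW size byte
            lct = 3 << ((data[pos + 8] & 7) + 1) if data[pos + 8] & 0x80 else 0
            _, pos = read_subblocks(data, pos + 9 + lct + 1, issues)
        else:
            issues.append("unknown block 0x%02X at %d" % (block, pos - 1))
            return comments, pos - 1, issues
    issues.append("missing trailer")
    return comments, pos, issues

def scan_gif_upload(data):  # findings a gatekeeper can act on before any PHP include
    comments, end, issues = walk_gif(data)
    return {"php_tag": bool(PHP_TAG.search(data)), "trailing": len(data) - end,
            "tag_in_comment": any(PHP_TAG.search(c) for c in comments), "issues": issues}
# Constructed inputs: the article's minimal GIF, its GIF+PHP, and one spec-conformant comment.
CLEAN_GIF = bytes.fromhex("4749463839610100010000ff002c00000000010001000002003b")
PHP_GIF = CLEAN_GIF[:-1] + bytes.fromhex("21fe3c3f706870696e666f28293b")
COMMENT_GIF = CLEAN_GIF[:-1] + bytes.fromhex("21fe0c3c3f706870696e666f28293b003b")
```

The page's own GIF+PHP file comes back as a truncated sub-block rather than a comment carrying `<?`, because the '<' byte (0x3C) sits where the spec expects a sub-block length, so it is the whole-file tag scan that catches it.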

Tags: python, programming, ctf, php, capture-the-flag

Source: https://hackernoon.com/six-files-that-are-also-a-valid-php-540343ad35c8
