
6 files that are also a valid PHP


Caio Lüders (HackerNoon)

And a GIF that is also a valid Python

That story begins with me trying to make a GIF that is also a valid Haskell file, all for a CTF challenge. Although it was a pain in the ass to kill that challenge, the idea of having one file that has two formats was really interesting, and somewhat useful for bypassing upload restrictions and executing the unexpected type of your file with some LFI.

GIF + PHP

I was reading the PoC||GTFO Journal and they love the idea of polyglot files; one of their issues is a PDF, a Zip and an NES ROM at the same time. So I started with the simplest, and probably the only one that is useful, file format: PHP. Why is it the simplest? Because you can state where the code starts with <? and where it ends with ?>, so I can put the PHP code anywhere in the file.

I already knew something about GIF, so let's start with it. Keeping in mind that the content of the GIF is worthless to us, the tiniest GIF possible is a great place to start:

    HEX   : 47 49 46 38 39 61 01 00 01 00 00 FF 00 2C 00 00 00 00 01 00 01 00 00 02 00 3B
    ASCII : GIF89a���ÿ�,��������;

As explained in the blog post, that makes a 1x1 black GIF. It should break because it doesn't have a Global Color Table, but it works because the readers do not follow the specification at all. Now I want to put my PHP string somewhere in there. Reading the GIF89a Specification I've found the Comment Extension, which allows us to put a comment in the GIF at the end of the file. Something like this:

          7 6 5 4 3 2 1 0        Field Name                    Type
         +---------------+
      0  |      0x21     |       Extension Introducer          Byte
         +---------------+
      1  |      0xFE     |       Comment Label                 Byte
         +---------------+

         +===============+
         |    <?         |
      N  |    phpinfo(); |       Comment Data            Data Sub-blocks
         |               |
         +===============+

         +---------------+
      0  |       ;       |       Block Terminator              Byte
         +---------------+

So now we can append our PHP code as a comment in the GIF:

    HEX   : 47 49 46 38 39 61 01 00 01 00 00 FF 00 2C 00 00 00 00 01 00 01 00 00 02 00 21 FE 3C 3F 70 68 70 69 6E 66 6F 28 29 3B
    ASCII : GIF89a���ÿ�,��������!þ<?phpinfo();

Note that !þ = 0x21 0xFE, and PHP doesn't require the ?> at the end. Also, GIF makes it easy for us by having its EOF byte be a semicolon.
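A strict GIF walker, added here as an example and not part of the original post, shows why this file only works because readers are lenient: it follows the block structure from the GIF89a spec and reports a comment extension whose sub-block runs past the end of the file (the `<` of `<?` is read as a 60-byte length), bytes after the 0x3B trailer, a nonstandard version field such as the "89=" used later in this post, and any PHP open tag in the bytes. The sample bytes are constructed from the two hex dumps above.

```python
import re
# Sample inputs, constructed here from the two GIF dumps above: the 26-byte tiniest GIF
# and the same GIF with <?phpinfo(); after a comment label.
TINY_GIF = bytes.fromhex("474946383961" "01000100" "00FF00" "2C000000000100010000" "0200" "3B")
PHP_GIF = bytes.fromhex("474946383961" "01000100" "00FF00" "2C000000000100010000" "0200"
                        "21FE" "3C3F70687069" "6E666F28293B")
PHP_TAG = re.compile(rb"<\?(?:php|=)", re.I)   # bare "<?" is also an open tag but matches noise

def _sub_blocks(data, pos, findings, what):
    """Walk GIF data sub-blocks (length byte + payload) up to the 0x00 terminator."""
    while pos < len(data):
        n, pos = data[pos], pos + 1
        if n == 0:
            return pos
        if pos + n > len(data):
            findings.append(f"{what}: sub-block of {n} bytes truncated ({len(data) - pos} left)")
            return len(data)
        pos += n
    findings.append(f"{what}: sub-blocks run past end of file")
    return pos

def strict_gif_findings(data):
    """Return spec violations and embedded PHP tags as strings; an empty list means clean."""
    findings = []
    if len(data) < 13 or data[:3] != b"GIF":
        return ["not a GIF: missing 'GIF' signature"]
    if data[3:6] not in (b"87a", b"89a"):
        findings.append(f"nonstandard version field {data[3:6]!r}")
    packed = data[10]                                   # Logical Screen Descriptor flags
    pos = 13 + (3 * (2 << (packed & 7)) if packed & 0x80 else 0)   # skip Global Color Table
    while pos < len(data):
        intro, pos = data[pos], pos + 1
        if intro == 0x3B:                               # Trailer: the file must end here
            if pos < len(data):
                findings.append(f"{len(data) - pos} bytes of trailing data after trailer")
            break
        if intro == 0x2C and pos + 10 <= len(data):     # Image Descriptor + LZW min code size
            ipacked = data[pos + 8]
            pos += 10 + (3 * (2 << (ipacked & 7)) if ipacked & 0x80 else 0)
            pos = _sub_blocks(data, pos, findings, "image data")
        elif intro == 0x21 and pos < len(data):         # Extension: label byte, then sub-blocks
            label, pos = data[pos], pos + 1
            pos = _sub_blocks(data, pos, findings, f"extension 0x{label:02X}")
        else:
            findings.append(f"unexpected or truncated block 0x{intro:02X} at offset {pos - 1}")
            break
    else:
        findings.append("file ends without the 0x3B trailer")
    for m in PHP_TAG.finditer(data):                    # the polyglot payload, wherever it sits
        findings.append(f"PHP open tag {m.group()!r} at offset {m.start()}")
    return findings
```

A lenient decoder renders PHP_GIF as a 1x1 image; the strict walk reports three problems for it and none for TINY_GIF, so a file gate can reject what the decoder would happily display.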

PHP + PDF

Following in the steps of PoC||GTFO, let's play with PDF. The plan is still the same: get the simplest PDF possible and try to append a comment.

I had a problem with the first part of the plan: I use OS X and its PDF reader is restrictive as fuck; almost every simple PDF that I've found on the internet gives some error in the OS X reader. The only one that is all ASCII and worked for me was this one: https://stackoverflow.com/a/32142316

    %PDF-1.2
    9 0 obj
    <<
    >>
    stream
    BT/ 9 Tf(Test)' ET
    endstream
    endobj
    4 0 obj
    <<
    /Type /Page
    /Parent 5 0 R
    /Contents 9 0 R
    >>
    endobj
    5 0 obj
    <<
    /Kids [4 0 R ]
    /Count 1
    /Type /Pages
    /MediaBox [ 0 0 99 9 ]
    >>
    endobj
    3 0 obj
    <<
    /Pages 5 0 R
    /Type /Catalog
    >>
    endobj
    trailer
    <<
    /Root 3 0 R
    >>
    %%EOF

It has a lot of parts that aren't required by other readers, like Chrome's reader, and it could be much smaller, but that doesn't matter. PDF is much simpler: like any programming language it has a syntax for comments, which is %, so just put that after any line and append the PHP code.

    %PDF-1.2
    %<?phpinfo()?>
    ...

Simplest approach

Surfing the Web I've found something really beautiful, a repository with a huge list of "Smallest possible […] file" examples, so I started trying to append PHP to some of those files.

As it turns out, most of the files have an EOF marker of some kind to state that the file has ended, and most readers just ignore anything that is put after that EOF. Here are 4 examples:

ELF + PHP

    HEX   : 7F 45 4C 46 01 01 01 00 00 00 00 00 00 00 00 00 02 00 03 00 01 00 00 00 19 40 CD 80 2C 00 00 00 00 00 00 00 00 00 00 00 34 00 20 00 01 00 00 00 00 00 00 00 00 40 CD 80 00 40 CD 80 4C 00 00 00 4C 00 00 00 05 00 00 00 00 10 00 00 3C 3F 70 68 70 69 6E 66 6F 28 29 3B 3F 3E
    ASCII : ELF��������������@̀,�����������4� ���������@̀�@̀L���L���������<?phpinfo();?>

MP3 + PHP

    HEX   : FF E3 18 C4 00 00 00 03 48 00 00 00 00 4C 41 4D 45 33 2E 39 38 2E 32 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 3C 3F 70 68 70 69 6E 66 6F 28 29 3B 3F 3E
    ASCII : ÿãÄ���H����LAME3.98.2�������������������������������������������������<?phpinfo();?>

JPG + PHP

    HEX   : FF D8 FF DB 00 43 00 03 02 02 02 02 02 03 02 02 02 03 03 03 03 04 06 04 04 04 04 04 08 06 06 05 06 09 08 0A 0A 09 08 09 09 0A 0C 0F 0C 0A 0B 0E 0B 09 09 0D 11 0D 0E 0F 10 10 11 10 0A 0C 12 13 12 10 13 0F 10 10 10 FF C9 00 0B 08 00 01 00 01 01 01 11 00 FF CC 00 06 00 10 10 05 FF DA 00 08 01 01 00 00 3F 00 D2 CF 20 FF D9 3C 3F 70 68 70 69 6E 66 6F 28 29 3B 3F 3E
    ASCII : ÿØÿÛ�C� ÿÉ� ���ÿÌ��ÿÚ���?�ÒÏ ÿÙ<?phpinfo();?>

Appending PHP to a JPEG is really old, but everyone just puts it in the EXIF, and I consider that cheating.

BMP + PHP

    HEX   : 42 4D 1E 00 00 00 00 00 00 00 1A 00 00 00 0C 00 00 00 01 00 01 00 01 00 18 00 00 00 FF 00 3C 3F 70 68 70 69 6E 66 6F 28 29 3B 3F 3E
    ASCII : BM���������� ���������ÿ�<?phpinfo();?>
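For formats that carry an explicit end marker or size field, a checker can read past the point where a decoder stops. Added example, not from the original post: a JPEG marker walker that returns whatever follows the EOI marker (FF D9), and a BMP check that compares the file-size field at offset 2 with the real length; the sample bytes are constructed from the JPG+PHP and BMP+PHP dumps above.

```python
import struct

# Sample inputs, constructed here from the JPG+PHP and BMP+PHP dumps shown above.
JPEG_PHP = bytes.fromhex(
    "FFD8" "FFDB004300" "03020202020203020202" "03030303040604040404"
    "04080606050609080A0A" "090809090A0C0F0C0A0B" "0E0B09090D110D0E0F10"
    "1011100A0C1213121013" "0F101010" "FFC9000B080001000101011100"
    "FFCC000600101005" "FFDA0008010100003F00" "D2CF20" "FFD9"
    "3C3F706870696E666F28293B3F3E")                  # <?phpinfo();?> after EOI
BMP_PHP = bytes.fromhex("424D1E000000" "00000000" "1A000000" "0C000000" "0100" "0100"
                        "0100" "1800" "0000FF00" "3C3F706870696E666F28293B3F3E")

def jpeg_trailing_bytes(data):
    """Walk the JPEG marker segments to the EOI marker (FF D9); return whatever follows it."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: no SOI marker")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker, pos = data[pos + 1], pos + 2
        if marker == 0xD9:                          # EOI: a decoder stops here, we keep reading
            return data[pos:]
        if 0xD0 <= marker <= 0xD8 or marker == 0x01:   # RSTn, SOI, TEM carry no length field
            continue
        pos += struct.unpack_from(">H", data, pos)[0]   # segment length includes its own 2 bytes
        if marker == 0xDA:                          # SOS: skip entropy-coded data to the next marker
            while pos + 1 < len(data):
                if data[pos] == 0xFF and data[pos + 1] not in (0x00, 0xFF, *range(0xD0, 0xD8)):
                    break
                pos += 1
    raise ValueError("no EOI marker found")

def bmp_trailing_bytes(data):
    """BMP declares its own total size at offset 2; a viewer never reads past it."""
    if len(data) < 6 or data[:2] != b"BM":
        raise ValueError("not a BMP: no BM signature")
    declared = struct.unpack_from("<I", data, 2)[0]
    return data[declared:]

def trailing_bytes(data):
    """Dispatch on magic bytes; b'' means the file ends where its format says it does."""
    if data.startswith(b"\xff\xd8"):
        return jpeg_trailing_bytes(data)
    if data.startswith(b"BM"):
        return bmp_trailing_bytes(data)
    raise ValueError("unsupported format")
```

Rejecting any upload with non-empty trailing bytes catches all four "append after EOF" files above except the MP3, which has no end marker and needs frame-level parsing instead.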

Bonus round:

After that finding I started playing with something more hardcore: a GIF that is also a valid Python. None of the above "techniques" works because you can't just tell the Python interpreter where to start running the code like you can with PHP. Let's take another look at another GIF:

    HEX   : 47 49 46 38 39 61 01 00 01 00 80 01 00 FF FF FF 00 00 00 21 F9 04 01 0A 00 01 00 2C 00 00 00 00 01 00 01 00 00 02 02 4C 01 00 3B
    ASCII : GIF89a��€�ÿÿÿ���!ù ��,�������L�;

Let's try an error-based analysis: what is the error that this file gives when run as a .py?

    $ python tinytrans.gif
      File "tinytrans.gif", line 1
        GIF89a
              ^
    SyntaxError: invalid syntax

It throws a syntax error at the 0x01 byte, which is expected. The GIF magic number specifies that it is a GIF and that its version is "89a"; it turns out that every reader only requires that the version is 89 or 87, ignoring the "a" part, so we can replace the "a" with a "=" and state that "GIF89" is a variable. That should be a nice start. Let's run it again.

    $ python tinytrans.gif
      File "tinytrans.gif", line 1
        GIF89=
              ^
    SyntaxError: invalid syntax

Again, as expected. The first thought I had was to just comment out the gibberish part of the GIF and put a comment there, just like in the PHP+GIF; that is valid Python and it was going to be fine. But in the middle of the gibberish there is a 0x0A byte, which is also a newline, and that broke all my attempts. I was trying to make something like this:

    GIF89=\
    #[email protected][email protected]$!(@#@!_#)[email protected][email protected]!þ\
    __import__('os').system('ls');

That is, a multi-line variable declaration using '\', with the non-ASCII part in the middle of it simply commented out, after that appending the '!þ' to start a GIF comment, jumping to another line and putting the actual code, followed by the EOF's semicolon, which is also valid in Python.

But making a comment inside a multi-line variable declaration was just impossible; making it inside parentheses, however, is valid: https://stackoverflow.com/a/22914853 . New try:

    HEX   : 47 49 46 38 39 3D 28 0A 00 00 80 01 00 FF FF FF 00 00 00 21 F9 04 01 00 00 01 00 2C 00 00 00 00 01 00 01 00 00 02 02 4C 01 00 21 FE 0A 5F 5F 69 6D 70 6F 72 74 5F 5F 28 27 6F 73 27 29 2E 73 79 73 74 65 6D 28 27 6C 73 27 29 29 3B
    ASCII : GIF89=( ��€�ÿÿÿ���!ù���,�������L�!þ __import__('os').system('ls'));

Note that the interpreter just ignores the line that starts with a non-ASCII character, which is odd, so we don't need the #. And running it:

    $ python python.gif
    bash.gif  handtinyblack.gif  php.elf  php.mp3     tinytrans.gif
    bmp.bmp   php-logo-virus.jpg php.gif  php.pdf     tinytrans.gpy
    dude.gif  php.bmp            php.jpg  python.gif  tinytrans.py

Yay!


Source: https://hackernoon.com/six-files-that-are-also-a-valid-php-540343ad35c8