
Where to Upload Php Files on the Server

Six files that are also a valid PHP

Caio Lüders

And a GIF that is also a Python

This story begins with me trying to make a GIF that is also valid Haskell, all for a CTF challenge. Although that challenge was a pain in the ass, the idea of having one file that is valid in two formats was really interesting, and somewhat useful to bypass upload restrictions and execute the unexpected type of your file with some LFI.

GIF + PHP

I was reading the PoC||GTFO journal, and they love the idea of a polyglot file; one of their issues is a PDF/ZIP and NES ROM. So I started with the simplest — and probably the only one that is useful — file format: PHP. Why is it the simplest? Because you can state where the code starts with <? and where it ends with ?>, so I can put the PHP code anywhere in the file.

I already knew something about GIF, so let's start with it. Keeping in mind that the content of the GIF is worthless to us, the tiniest GIF possible is a great place to start:

              HEX   : 47 49 46 38 39 61 01 00 01 00 00 FF 00 2C 00 00 00 00 01 00 01 00 00 02 00 3B            
              ASCII : GIF89a���ÿ�,��������;            

As explained in the blog post, that makes a 1x1 black GIF. It should break because it doesn't have a Global Color Table, but it works because readers do not follow the specification strictly. Now I want to put my PHP code somewhere in there. Reading the GIF89a specification, I found the Comment Extension, which allows us to put a comment in the GIF at the end of the file. Something like this:

                    7 6 5 4 3 2 1 0        Field Name                    Type
                   +---------------+
                0  |      0x21     |       Extension Introducer          Byte
                   +---------------+
                1  |      0xFE     |       Comment Label                 Byte
                   +---------------+

                   +===============+
                   |    <?         |
                N  |    phpinfo(); |       Comment Data                  Data Sub-blocks
                   |               |
                   +===============+

                   +---------------+
                0  |       ;       |       Block Terminator              Byte
                   +---------------+

So now we can append our PHP code as a comment in the GIF:

              HEX   : 47 49 46 38 39 61 01 00 01 00 00 FF 00 2C 00 00 00 00 01 00 01 00 00 02 00 21 FE 3C 3F 70 68 70 69 6E 66 6F 28 29 3B
              ASCII : GIF89a���ÿ�,��������!þ<?phpinfo();

Note that !þ = 0x21 0xFE, and PHP doesn't require the ?> at the end. GIF also makes it easy for us by having a semicolon as its EOF marker.
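An upload filter that parses the GIF block by block sees what lenient readers skip over. The following added example (not code from the original article; the function names are this example's own) walks the two byte strings shown above and reports a Comment Extension, bytes after the trailer, or a broken block chain. In the polyglot, the byte after 0x21 0xFE is "<" (0x3C), which a strict parser reads as a 60-byte sub-block length that overruns the file.

```python
def read_sub_blocks(data: bytes, pos: int):
    """Read a chain of GIF data sub-blocks; return (payload, offset after terminator)."""
    payload = bytearray()
    while True:
        if pos >= len(data):
            raise ValueError("sub-block chain has no 0x00 terminator")
        size, pos = data[pos], pos + 1
        if size == 0:
            return bytes(payload), pos
        if pos + size > len(data):
            raise ValueError("sub-block of %d bytes overruns the file" % size)
        payload += data[pos:pos + size]
        pos += size

def table_size(packed: int) -> int:
    # Byte length of the colour table announced by a packed-fields byte (0 if absent).
    return 3 * 2 ** ((packed & 0x07) + 1) if packed & 0x80 else 0

def inspect_gif(data: bytes) -> list:
    """Walk a GIF strictly; return findings an upload filter would reject on."""
    if data[:6] not in (b"GIF87a", b"GIF89a") or len(data) < 13:
        return ["bad or truncated header: %r" % data[:6]]
    findings, pos = [], 13 + table_size(data[10])
    try:
        while True:
            tag = data[pos:pos + 1]
            if tag == b";":                                  # 0x3B trailer
                if data[pos + 1:]:
                    findings.append("%d bytes after trailer" % len(data[pos + 1:]))
                break
            if tag == b",":                                  # 0x2C image descriptor
                if pos + 11 > len(data):
                    raise ValueError("truncated image descriptor")
                pos += 10 + table_size(data[pos + 9]) + 1    # +1: LZW code size byte
                _, pos = read_sub_blocks(data, pos)
            elif tag == b"!" and pos + 2 <= len(data):       # 0x21 extension
                label = data[pos + 1]
                payload, pos = read_sub_blocks(data, pos + 2)
                if label == 0xFE:
                    findings.append("comment extension: %r" % payload)
            else:
                raise ValueError("no valid block at offset %d" % pos)
    except ValueError as err:
        findings.append("malformed: %s" % err)
    if b"<?" in data:  # broad check: <?, <?php and <?= all start with these two bytes
        findings.append("PHP open tag at offset %d" % data.index(b"<?"))
    return findings

# Sample bytes: the tiny GIF and the GIF+PHP polyglot from this article's hex dumps.
TINY_GIF = bytes.fromhex("47 49 46 38 39 61 01 00 01 00 00 FF 00 2C 00 00 00 00 01 00 01 00 00 02 00 3B")
POLYGLOT = TINY_GIF[:-1] + b"\x21\xFE" + b"<?phpinfo();"
```

The two-byte "<?" scan can fire by chance on large binary images, so the structural findings are the stronger signal; the strict header check also rejects any version field other than 87a or 89a.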

PHP + PDF

Following the steps of PoC||GTFO, let's play with PDF. The plan is still the same: get the simplest PDF possible and try to append a comment.

I had a problem with the first part of the plan. I use OS X and its PDF reader is strict as fuck; almost every simple PDF that I found on the internet has some error for the OS X reader. The only one that is all ASCII and worked for me was this one: https://stackoverflow.com/a/32142316

              %PDF-1.2
              9 0 obj
              <<
              >>
              stream
              BT/ 9 Tf(Test)' ET
              endstream
              endobj
              4 0 obj
              <<
              /Type /Page
              /Parent 5 0 R
              /Contents 9 0 R
              >>
              endobj
              5 0 obj
              <<
              /Kids [4 0 R ]
              /Count 1
              /Type /Pages
              /MediaBox [ 0 0 99 9 ]
              >>
              endobj
              3 0 obj
              <<
              /Pages 5 0 R
              /Type /Catalog
              >>
              endobj
              trailer
              <<
              /Root 3 0 R
              >>
              %%EOF

It has a lot of parts that aren't required by other readers, like Chrome's reader, and it could be much smaller, but it doesn't matter. PDF is much simpler: like any programming language, it has a marker for comments, which is %, so just put that after any line and append the PHP code.

              %PDF-1.2
              %<?phpinfo()?>
              ...

Simplest approach

Surfing the web, I found something really beautiful: a repository with a huge list of the "Smallest possible […] file", so I started trying to append PHP to some of those files.

As it turns out, most of the files have an EOF marker of some kind to state that the file has ended, and most readers just ignore anything that is put after that EOF. Here are 4 examples:

ELF + PHP

              HEX   : 7F 45 4C 46 01 01 01 00 00 00 00 00 00 00 00 00 02 00 03 00 01 00 00 00 19 40 CD 80 2C 00 00 00 00 00 00 00 00 00 00 00 34 00 20 00 01 00 00 00 00 00 00 00 00 40 CD 80 00 40 CD 80 4C 00 00 00 4C 00 00 00 05 00 00 00 00 10 00 00 3C 3F 70 68 70 69 6E 66 6F 28 29 3B 3F 3E
              ASCII : ELF��������������@̀,�����������4� ���������@̀�@̀L���L���������<?phpinfo();?>

MP3 + PHP

              HEX   : FF E3 18 C4 00 00 00 03 48 00 00 00 00 4C 41 4D 45 33 2E 39 38 2E 32 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 3C 3F 70 68 70 69 6E 66 6F 28 29 3B 3F 3E
              ASCII : ÿãÄ���H����LAME3.98.2�������������������������������������������������<?phpinfo();?>

JPG + PHP

              HEX   : FF D8 FF DB 00 43 00 03 02 02 02 02 02 03 02 02 02 03 03 03 03 04 06 04 04 04 04 04 08 06 06 05 06 09 08 0A 0A 09 08 09 09 0A 0C 0F 0C 0A 0B 0E 0B 09 09 0D 11 0D 0E 0F 10 10 11 10 0A 0C 12 13 12 10 13 0F 10 10 10 FF C9 00 0B 08 00 01 00 01 01 01 11 00 FF CC 00 06 00 10 10 05 FF DA 00 08 01 01 00 00 3F 00 D2 CF 20 FF D9 3C 3F 70 68 70 69 6E 66 6F 28 29 3B 3F 3E
              ASCII : ÿØÿÛ�C�
                      ÿÉ� ���ÿÌ��ÿÚ���?�ÒÏ ÿÙ<?phpinfo();?>

Appending PHP to JPEG is actually old, but everyone just puts it in the EXIF, and I consider that cheating.

BMP + PHP

              HEX   : 42 4D 1E 00 00 00 00 00 00 00 1A 00 00 00 0C 00 00 00 01 00 01 00 01 00 18 00 00 00 FF 00 3C 3F 70 68 70 69 6E 66 6F 28 29 3B 3F 3E
              ASCII : BM���������� ���������ÿ�<?phpinfo();?>
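Data appended after a format's end marker can be found by computing where the file structurally ends. This added example (not from the original article; the function names are assumptions of the example) does that for the BMP, using the file size declared in its header, and for the JPEG, by walking its segments to the EOI marker. The sample bytes are the ones from the dumps above.

```python
import struct

def bmp_end(data: bytes) -> int:
    """Structural end of a BMP: the little-endian file size stored at offset 2."""
    if len(data) < 14 or data[:2] != b"BM":
        raise ValueError("not a BMP")
    return struct.unpack_from("<I", data, 2)[0]

# Inside a scan, FF 00 is a stuffed byte, FF D0..D7 are restart markers, FF FF is fill.
IN_SCAN = {0x00, 0xFF} | set(range(0xD0, 0xD8))

def jpeg_end(data: bytes) -> int:
    """Structural end of a JPEG: the offset just past the EOI marker (FF D9)."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected a marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xD9:
            return pos + 2
        if pos + 4 > len(data):
            break
        pos += 2 + struct.unpack_from(">H", data, pos + 2)[0]   # skip the segment
        if marker == 0xDA:   # SOS: skip entropy-coded data up to the next real marker
            while pos + 2 <= len(data) and (
                    data[pos] != 0xFF or data[pos + 1] in IN_SCAN):
                pos += 1
    raise ValueError("no EOI marker")

def appended_bytes(data: bytes) -> bytes:
    """Bytes that follow the structural end of a BMP or JPEG (b'' when there are none)."""
    end = bmp_end(data) if data[:2] == b"BM" else jpeg_end(data)
    if end > len(data):
        raise ValueError("file is shorter than its structure claims")
    return data[end:]

# Sample bytes: the tiny BMP and JPEG from this article's hex dumps, without the PHP.
BMP = bytes.fromhex("42 4D 1E 00 00 00 00 00 00 00 1A 00 00 00 0C 00 00 00"
                    " 01 00 01 00 01 00 18 00 00 00 FF 00")
JPEG = bytes.fromhex(
    "FF D8 FF DB 00 43 00"
    " 03 02 02 02 02 02 03 02 02 02 03 03 03 03 04 06"
    " 04 04 04 04 04 08 06 06 05 06 09 08 0A 0A 09 08"
    " 09 09 0A 0C 0F 0C 0A 0B 0E 0B 09 09 0D 11 0D 0E"
    " 0F 10 10 11 10 0A 0C 12 13 12 10 13 0F 10 10 10"
    " FF C9 00 0B 08 00 01 00 01 01 01 11 00 FF CC 00 06 00 10 10 05"
    " FF DA 00 08 01 01 00 00 3F 00 D2 CF 20 FF D9")
PAYLOAD = b"<?phpinfo();?>"   # the bytes the article appends
```

A non-empty result from appended_bytes() on an upload is the condition to reject or strip; the JPEG walker covers the plain segment layout used here, not every marker the standard allows.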

Bonus round :

After that discovery I started playing with something more hardcore: a GIF that is also valid Python. None of the above "techniques" work, because you can't just tell the Python interpreter where to start running the code like you can with PHP. Let's take another look at another GIF:

              HEX   : 47 49 46 38 39 61 01 00 01 00 80 01 00 FF FF FF 00 00 00 21 F9 04 01 0A 00 01 00 2C 00 00 00 00 01 00 01 00 00 02 02 4C 01 00 3B
              ASCII : GIF89a��€�ÿÿÿ���!ù ��,�������L�;

Let's try an error-based analysis: what error does this file give when run as a .py?

              $ python tinytrans.gif
                File "tinytrans.gif", line 1
                  GIF89a
                        ^
              SyntaxError: invalid syntax

It throws a syntax error at the 0x01 byte, which is expected. The GIF magic number specifies that it is a GIF and that its version is "89a". It turns out that every reader just requires that the version is 89 or 87, ignoring the "a" part, so we can replace the "a" with a "=" and make "GIF89" a variable, which should be a nice start. Let's run it again.

              $ python tinytrans.gif
                File "tinytrans.gif", line 1
                  GIF89=
                        ^
              SyntaxError: invalid syntax

Again, as expected. The first idea I had was to just comment out the gibberish part of the GIF and add a GIF comment, just like in the PHP+GIF, containing valid Python, and it was going to be fine. But in the middle of the gibberish there is a 0x0a byte, which is also a newline, and that broke all my attempts. I was trying to make something like this:

              GIF89=\
              #[email protected][email protected]$!(@#@!_#)[email protected][email protected]!þ\
              __import__('os').system('ls');

That is, a multi-line variable declaration using '\', with the non-ASCII part commented out in the middle of it, then the '!þ' appended to start a GIF comment, then a jump to another line for the actual code, followed by the EOF's semicolon, which is also valid in Python.

But putting a comment in a multi-line variable declaration was just impossible, whereas doing it inside parentheses was valid: https://stackoverflow.com/a/22914853 . New try:

HEX :

              47 49 46 38 39 3D 28 0A 00 00 80 01 00 FF FF FF 00 00 00 21 F9 04 01 00 00 01 00 2C 00 00 00 00 01 00 01 00 00 02 02 4C 01 00 21 FE 0A 5F 5F 69 6D 70 6F 72 74 5F 5F 28 27 6F 73 27 29 2E 73 79 73 74 65 6D 28 27 6C 73 27 29 29 3B

ASCII :

              GIF89=(
              ��€�ÿÿÿ���!ù���,�������L�!þ
              __import__('os').system('ls'));

Note that the interpreter will just ignore the line that starts with a non-ASCII character, which is odd, so we don't need the #. And running:

              $ python python.gif
              bash.gif  handtinyblack.gif php.elf   php.mp3   tinytrans.gif
              bmp.bmp   php-logo-virus.jpg php.gif   php.pdf   tinytrans.gpy
              dude.gif  php.bmp   php.jpg   python.gif  tinytrans.py

Yay !


Source: https://hackernoon.com/six-files-that-are-also-a-valid-php-540343ad35c8