Menu
I remember seeing an exploit for an image uploading function, which consisted of hiding malicious php code inside a tiff image.
I'm making my own image uploading script, and I assume I'll have to protect myself from this possibility. Except, that I have no idea how it would work. Does anyone know how a php shell hidden inside an image would execute itself? Would it need to be loaded in a certain way?
Thanks.
919
PHP Object Injection is an application level vulnerability that could allow an attacker to perform different kinds of malicious attacks, such as Code Injection, SQL Injection, Path Traversal and Application Denial of Service, depending on the context.
Code Injection/Execution In the case of PHP code injection attacks, an attacker takes advantage of a script that contains system functions/calls to read or execute malicious code on a remote server. This is synonymous to having a backdoor shell and under certain circumstances can also enable privilege escalation.
The CLI SAPI provides an interactive shell using the -a option if PHP is compiled with the --with-readline option. As of PHP 7.1. 0 the interactive shell is also available on Windows, if the readline extension is enabled. Using the interactive shell you are able to type PHP code and have it executed directly.
PHP Shell is a shell wrapped in a PHP script. It's a tool you can use to execute arbitrary shell-commands or browse the filesystem on your remote webserver. This replaces, to a degree, a normal telnet connection, and to a lesser degree a SSH connection.
Re encoding the image will not stop someone from uploading a shell. The only sure way to prevent it is to re-encode and scan the image for the presence of php tags.
For an example of a PHP PNG shell that will survive re-encoding
155
There are some methods to protect yourself from such tricks. Check them out here
Also read this article which explains the attack and ways to tackle it.
The main point stressed in these is the use of basename function of php to defer such attacks.
23
I know there's a way (or was) a way to save a php file as a .gif and have it run the code. In an exploit I saw on the download page the mime type was set as a GIF and the the image was loaded with something to the effect of: require('myimage.gif'); When myimage.gif was actually a PHP file renamed as .gif, including the file would execute the php payload, otherwise the file was just a normal gif. I saw this exploit for an upload script, the hacker also hex edited myimage.gif so that the bytes 47 49 46 38 39 preceded the rest of the file. Those bytes are a GIF header and would trick PHP into thinking the file was a GIF allowing the PHP file to be uploaded bypassing the 'advance' file type checking. This could easily be fixed by building better file checking that made sure the entire file was legit. The easiest way I can think of would be to try to load the image with GD and see if it has an error. I don't think GD would execute the PHP payload but I'm not sure, you would have to test. I assume nearly the same exploit was done or could be done for a tiff or any file type.
In order to make sure your script is not exploited I would take these steps.
1) Set a few file types that you can do Array('.png', '.jpg', '.txt', 'etc') if its not in the array DO NOT allow it. Even if you disallow .php, there's still .php3, .php5 etc that work on some servers.
2) Gaard against myimage.php.gif by saving the uploaded file to a md5 (or a rand name) of the file name (with the exclusion of the file type) so myimage.php.gif would become ef0ca703846cdb7a0131ac2889304a27.gif
3) Check integrity of file, make sure both the header and the rest of the file is legit.
4) Do not use require('myimage.gif'); instead print it's content
40
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
