Exploit with upload image function...


Mate
Forum Newbie
Posts: 12
Joined: Fri Feb 12, 2010 10:35 am

Exploit with upload image function...

Post by Mate »

Code:

$max_image_size_b = $config['site']['guild_image_size_kb'] * 1024;
$allowed_ext = array('image/gif', 'image/jpg', 'image/pjpeg', 'image/jpeg', 'image/bmp', 'image/png', 'image/x-png');
$ext_name = array('image/gif' => 'gif', 'image/jpg' => 'jpg', 'image/jpeg' => 'jpg', 'image/pjpeg' => 'jpg', 'image/bmp' => 'bmp', 'image/png' => 'png', 'image/x-png' => 'png');
$save_file_name = str_replace(' ', '_', strtolower($guild->getName())); // file name derived from the guild name
$save_path = 'guilds/'.$save_file_name;
if($_REQUEST['todo'] == 'save') {
    $file = $_FILES['newlogo'];
    if(is_uploaded_file($file['tmp_name'])) {
        if($file['size'] > $max_image_size_b) {
            $upload_errors[] = 'Uploaded image is too big. Size: <b>'.$file['size'].' bytes</b>, Max. size: <b>'.$max_image_size_b.' bytes</b>.';
        }
        $type = strtolower($file['type']); // MIME type as reported by the browser
        if(!in_array($type, $allowed_ext)) {
            $upload_errors[] = 'Your file type isn\'t allowed. Allowed: <b>gif, jpg, bmp, png</b>. Your file type: <b>'.$type.'</b> If it\'s an image, contact the admin.';
        }
    }
    else
    {
        $upload_errors[] = 'You didn\'t send a file or the file is too big. Limit: <b>'.$config['site']['guild_image_size_kb'].' KB</b>.';
    }
    if(empty($upload_errors)) {
        $extension = $ext_name[$type]; // extension chosen from the browser-supplied type
        if(!move_uploaded_file($file['tmp_name'], $save_path.'.'.$extension)) {
            $upload_errors[] = 'Sorry! Can\'t save your image.';
        }
    }
    if(empty($upload_errors)) {
        $guild_logo = $guild->getCustomField('logo_gfx_name');
        if(empty($guild_logo) || !file_exists("guilds/".$guild_logo)) {
            $guild_logo = "default_logo.gif";
        }
        if($guild_logo != "default_logo.gif" && $guild_logo != $save_file_name.'.'.$extension) {
            unlink('guilds/'.$guild_logo); // remove the previous logo
        }
    }
}
Does anyone have an idea how the hacker could upload an exploit?
I tried with Tamper Data, changing the application stream to image/jpg, but after it was uploaded its name was changed to something.jpg instead of something.php, so I couldn't execute it (the PHP code was in the something.jpg file).
(When I opened it, it was just a link to that file.)

Any help will be appreciated...
Last edited by Benjamin on Mon Feb 22, 2010 10:41 pm, edited 1 time in total.
Reason: Changed code type from text to php.
josh
DevNet Master
Posts: 4872
Joined: Wed Feb 11, 2004 3:23 pm
Location: Palm beach, Florida

Re: Exploit with upload image function...

Post by josh »

You can put PHP code in a file named something.jpg and then include it anyway. It can even still be a valid jpg and look like a regular picture. PHP would see the binary jpeg bits in the same way it treats regular text or markup:

(valid jpeg data here)
<?php
echo 'some ascii data that happens to execute as php';


It's called a polyglot! http://en.wikipedia.org/wiki/Polyglot_%28computing%29

But that is not how you probably got hacked (most likely). Most likely it was something else you overlooked. My example just goes to show your assumptions were wrong.
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Exploit with upload image function...

Post by kaisellgren »

You don't show us the code for

Code:

$guild->getName()

and line 23 is vulnerable to file-name truncation and traversal attacks.

If

Code:

$guild->getCustomField('logo_gfx_name');

comes from the client, you are vulnerable to arbitrary file deletion.
Mate
Forum Newbie
Posts: 12
Joined: Fri Feb 12, 2010 10:35 am

Re: Exploit with upload image function...

Post by Mate »

Code:

public function getName()
{
    if( !isset($this->data['name']) )
    {
        throw new E_OTS_NotLoaded();
    }

    return $this->data['name'];
}
I'm 100% sure that this function is not vulnerable.
How can I reproduce how he uploaded an exploit?
The site is not vulnerable to traversal attacks...
Last edited by Benjamin on Mon Feb 22, 2010 10:41 pm, edited 1 time in total.
Reason: Changed code type from text to php.
Darhazer
DevNet Resident
Posts: 1011
Joined: Thu May 14, 2009 3:00 pm
Location: HellCity, Bulgaria

Re: Exploit with upload image function...

Post by Darhazer »

The upload can be only a part of the exploit. If a user uploads a PHP file renamed to .jpg and then exploits a remote file inclusion, the PHP code is executed.
So, never trust the $_FILES['...']['type'] :)
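Darhazer's point here, together with kaisellgren's (paths built from the guild name, unlink of a stored name) and josh's polyglot, as a hardened rewrite of the handler; this is example code added to the thread, not Mate's or the project's. It assumes PHP 8 with GD, that guilds/ is the upload directory, and that the caller passes a numeric guild id (a getId() method is assumed; the original used getName()).

```php
<?php
// Added hardening example, not the thread's code. Assumes PHP 8 with GD, that
// 'guilds/' is the upload directory, and a digits-only guild id from the caller.

function store_guild_logo(array $file, string $guild_id, int $max_bytes, string $dir = 'guilds/'): string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('No valid upload received.');
    }
    if ($file['size'] > $max_bytes) {
        throw new RuntimeException('Uploaded image is too big.');
    }
    // Decide the type from the file's bytes; $_FILES['type'] is client-controlled.
    $info = getimagesize($file['tmp_name']);
    $allowed = [IMAGETYPE_GIF => 'gif', IMAGETYPE_JPEG => 'jpg', IMAGETYPE_PNG => 'png'];
    if ($info === false || !isset($allowed[$info[2]])) {
        throw new RuntimeException('Not a supported image.');
    }
    $ext = $allowed[$info[2]];
    // Re-encode through GD: PHP appended to the image or hidden in metadata (the
    // polyglot discussed above) does not survive, so an LFI elsewhere finds only pixels.
    $img = imagecreatefromstring(file_get_contents($file['tmp_name']));
    if ($img === false) {
        throw new RuntimeException('Image could not be decoded.');
    }
    // Server-chosen name from a digits-only id: nothing from the request or the
    // guild name reaches the path, so no traversal or truncation is possible.
    if (!preg_match('/^[0-9]+$/', $guild_id)) {
        throw new InvalidArgumentException('Bad guild id.');
    }
    $target = $dir . 'logo_' . $guild_id . '.' . $ext;
    $ok = match ($ext) {
        'gif' => imagegif($img, $target),
        'jpg' => imagejpeg($img, $target, 85),
        'png' => imagepng($img, $target),
    };
    imagedestroy($img);
    if (!$ok) {
        throw new RuntimeException("Can't save your image.");
    }
    return basename($target);
}

function remove_old_logo(string $name, string $dir = 'guilds/'): bool
{
    // Only delete names this code itself produces, never a stored or client-supplied path as-is.
    return (bool) preg_match('/^logo_[0-9]+\.(gif|jpg|png)$/', $name)
        && is_file($dir . $name) && unlink($dir . $name);
}
```

Serving the directory with PHP execution disabled (and AllowOverride off, so an uploaded .htaccess cannot re-enable it) is the matching server-side layer.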
Mate
Forum Newbie
Posts: 12
Joined: Fri Feb 12, 2010 10:35 am

Re: Exploit with upload image function...

Post by Mate »

How can a potential attacker exploit remote file inclusion?
I tried many ways and couldn't find out how...
Mate
Forum Newbie
Posts: 12
Joined: Fri Feb 12, 2010 10:35 am

Re: Exploit with upload image function...

Post by Mate »

OK, I might know the trick, but I'm not sure if it is possible...
So the hacker uploads an image file in .jpg format with the image + exploit (the exploit is somewhere near the meta of the image or something like that...).
Is it possible?
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Exploit with upload image function...

Post by kaisellgren »

Mate wrote: OK, I might know the trick, but I'm not sure if it is possible...
So the hacker uploads an image file in .jpg format with the image + exploit (the exploit is somewhere near the meta of the image or something like that...).
Is it possible?
You can certainly place PHP, JS or any other code within image meta data or just append it to the image data. If this image is ever going to be parsed, you are in trouble.
Mate
Forum Newbie
Posts: 12
Joined: Fri Feb 12, 2010 10:35 am

Re: Exploit with upload image function...

Post by Mate »

After testing:
I don't think it will be parsed, because the script changes the type of the file to something.jpg/gif no matter what file I am sending (but it must be saved as .PHP to execute the code),
and no, when JPEGs are executed as .jpg, PHP code cannot be executed on my server.
Just tested it fully...
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Re: Exploit with upload image function...

Post by VladSun »

If your PHP code is vulnerable to LFI, then you are in trouble ;)
There are 10 types of people in this world, those who understand binary and those who don't
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Exploit with upload image function...

Post by kaisellgren »

Not long ago I fixed a piece of software that allowed a user to upload files. I was able to upload a .htaccess file; thus I could make JPG/PNG/GIF/whatever be parsed by PHP. Just another route to the world of RCE.
Mate
Forum Newbie
Posts: 12
Joined: Fri Feb 12, 2010 10:35 am

Re: Exploit with upload image function...

Post by Mate »

kaisellgren wrote: Not long ago I fixed a piece of software that allowed a user to upload files. I was able to upload a .htaccess file; thus I could make JPG/PNG/GIF/whatever be parsed by PHP. Just another route to the world of RCE.
I tried uploading .htaccess but my tries failed.
VladSun wrote:If your PHP code is vulnerable to LFI, then you are in trouble ;)
And ... this code is?
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Re: Exploit with upload image function...

Post by VladSun »

Mate wrote:
VladSun wrote:If your PHP code is vulnerable to LFI, then you are in trouble ;)
And ... this code is?
I didn't mean the particular PHP code you've posted here; I meant all of your PHP code uploaded on the www server. If any of this code is vulnerable to an LFI exploit, then thanks to your upload PHP code it's also vulnerable to an RFI exploit.
There are 10 types of people in this world, those who understand binary and those who don't
Mate
Forum Newbie
Posts: 12
Joined: Fri Feb 12, 2010 10:35 am

Re: Exploit with upload image function...

Post by Mate »

VladSun wrote:
Mate wrote:
VladSun wrote: If your PHP code is vulnerable to LFI, then you are in trouble ;)
And ... this code is?
I didn't mean the particular PHP code you've posted here; I meant all of your PHP code uploaded on the www server. If any of this code is vulnerable to an LFI exploit, then thanks to your upload PHP code it's also vulnerable to an RFI exploit.
Even so, how will PHP code be executed if it is in .jpg format?
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Re: Exploit with upload image function...

Post by VladSun »

I am not sure what you mean by ".jpeg format", but I'd say yes, even if it is in .jpeg format.
You know what LFI means, don't you?
There are 10 types of people in this world, those who understand binary and those who don't