Exploit with upload image function...

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

Mate
Forum Newbie
Posts: 12
Joined: Fri Feb 12, 2010 10:35 am

Re: Exploit with upload image function...

Post by Mate »

local file inclusion
yes for example:
http://www.biopulsa.com/_index.php?bio= ... etc/passwd

By LFI you can only read files from the hard disk of the affected computer.
It's not RFI.
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Re: Exploit with upload image function...

Post by VladSun »

Mate wrote:local file inclusion
yes for example:
http://www.biopulsa.com/_index.php?bio= ... etc/passwd

By LFI you can only read files from the hard disk of the affected computer.
It's not RFI.
Well, the "affected" computer is the server itself!
If I am able to upload files to the "affected" computer and LFI them then it's an RFI/RCE ...
There are 10 types of people in this world, those who understand binary and those who don't
Mate
Forum Newbie
Posts: 12
Joined: Fri Feb 12, 2010 10:35 am

Re: Exploit with upload image function...

Post by Mate »

Yeah, but whenever you have only LFI without RFI you cannot do anything except see files which are on the affected computer.
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Re: Exploit with upload image function...

Post by VladSun »

Mate wrote:Yeah, but whenever you have only LFI without RFI you cannot do anything except see files which are on the affected computer.
"Seeing" (i.e. include()/require()) the files is indeed an execution. If these files contain <?php / <? blocks they will be executed. You've been told this already.
There are 10 types of people in this world, those who understand binary and those who don't
Mate
Forum Newbie
Posts: 12
Joined: Fri Feb 12, 2010 10:35 am

Re: Exploit with upload image function...

Post by Mate »

Even if the file is .jpg, the PHP code in it will be executed (by LFI)?
Last edited by Mate on Tue Feb 23, 2010 9:39 am, edited 1 time in total.
timWebUK
Forum Contributor
Posts: 239
Joined: Thu Oct 29, 2009 6:48 am
Location: UK

Re: Exploit with upload image function...

Post by timWebUK »

If you limit to only images being able to be uploaded, how is it possible to get the server to parse PHP within the image data? You wouldn't be able to upload a .htaccess file.
Mate
Forum Newbie
Posts: 12
Joined: Fri Feb 12, 2010 10:35 am

Re: Exploit with upload image function...

Post by Mate »

timWebUK wrote:If you limit to only images being able to be uploaded, how is it possible to get the server to parse PHP within the image data? You wouldn't be able to upload a .htaccess file.
Yes, but it's about another leak here:
With this leak you are uploading PHP code in JPG format.
Now I have to find another leak which contains LFI and include the image.
VladSun
DevNet Master
Posts: 4313
Joined: Wed Jun 27, 2007 9:44 am
Location: Sofia, Bulgaria

Re: Exploit with upload image function...

Post by VladSun »

Mate wrote:Even if the file is .jpg, the PHP code in it will be executed (by LFI)?
YES, try it!
There are 10 types of people in this world, those who understand binary and those who don't
josh
DevNet Master
Posts: 4872
Joined: Wed Feb 11, 2004 3:23 pm
Location: Palm beach, Florida

Re: Exploit with upload image function...

Post by josh »

timWebUK wrote:If you limit to only images being able to be uploaded, how is it possible to get the server to parse PHP within the image data? You wouldn't be able to upload a .htaccess file.
In the same way PHP will parse a file that also contains HTML data. It simply "passes through" stuff outside of PHP tags.
timWebUK
Forum Contributor
Posts: 239
Joined: Thu Oct 29, 2009 6:48 am
Location: UK

Re: Exploit with upload image function...

Post by timWebUK »

I've added PHP to the end of an image file, it's not getting run...
Mate
Forum Newbie
Posts: 12
Joined: Fri Feb 12, 2010 10:35 am

Re: Exploit with upload image function...

Post by Mate »

timWebUK wrote:I've added PHP to the end of an image file, it's not getting run...
It's not about that.
The purpose of adding PHP code in a meta file is to trick the function getimagesize, which doesn't exist in this script, so it isn't required here.
Here you can upload plain PHP code in .jpg format, and then somehow include it by LFI ... I just have to find how ...
Last edited by Mate on Wed Feb 24, 2010 8:02 am, edited 1 time in total.
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Exploit with upload image function...

Post by kaisellgren »

I'm not sure what's the problem here.

An image file, a PDF file, an Office document, and many other formats have all sorts of meta data code chunks where you can place PHP, JavaScript or pretty much whatever you want. If these files are executed, the parser may run the code. In IE, JavaScript within an image will be run (unless you specify X-Content-Type-Options: nosniff). In case of PHP, code within an image will be run. It's not just about images, it's simple to put PHP code within a .docx file (Office Word) and almost anywhere.

You should not try to filter files. You should not try to do checks like getimagesize() for security purposes. What you need to do is to handle the files properly. Here are a few good rules of thumb:

- Rename uploaded files to something random. Don't give them any extension (e.g. "sdf32rf0ghjewsfq03hre40yhptg0jwsef0wef").
- Place the uploaded files outside of your document root.
- Never include/execute the files you uploaded. This means no include or require in PHP. No HTML script tags or stylesheet tags including them. No Apache Include commands including them. And so forth.
- When you need to serve the files to the client, do so by reading the contents of the files and outputting them to the client along with proper headers. For IE, you need that X-Content-Type-Options: nosniff, and then you need to serve the right Content-Type, too.
- If at all possible, serve the files from another origin. Using a different port, a domain name or an IP address is fine. Sub-domains are dangerous and with IPs things get slightly harder.
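
The rules of thumb in the post above, as an added example that is not part of the original post and not code from anyone in this thread. It assumes PHP 7 or later; the directory path, the allowed content types and the function names `store_upload()` and `serve_upload()` are hypothetical, and the content type is assumed to be recorded by the application when the file is stored, not taken from the request.

```php
<?php
declare(strict_types=1);

// Assumed storage location outside the document root (hypothetical path).
const UPLOAD_DIR = '/var/app-data/uploads';
// Content types this application agrees to serve (assumed policy).
const SERVABLE_TYPES = ['image/jpeg', 'image/png', 'image/gif'];

/** Store an upload under a random, extension-less name and return that name. */
function store_upload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }
    // The stored name is never derived from the client-supplied filename.
    $name = bin2hex(random_bytes(20));
    $path = UPLOAD_DIR . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $path)) {
        throw new RuntimeException('could not store upload');
    }
    chmod($path, 0640); // readable by the application, not executable
    return $name;
}

/** Stream a stored file as inert bytes; it is never include()d or require()d. */
function serve_upload(string $name, string $contentType): void
{
    // Accept only names shaped like the ones generated above; this rejects
    // "../" sequences, absolute paths and anything with an extension.
    if (!preg_match('/\A[0-9a-f]{40}\z/', $name)) {
        http_response_code(404);
        return;
    }
    $path = UPLOAD_DIR . '/' . $name;
    if (!is_file($path) || !in_array($contentType, SERVABLE_TYPES, true)) {
        http_response_code(404);
        return;
    }
    header('Content-Type: ' . $contentType);
    header('X-Content-Type-Options: nosniff'); // stop IE from sniffing the body
    header('Content-Length: ' . filesize($path));
    // readfile() copies bytes to the output; PHP tags inside the file are not parsed.
    readfile($path);
}
```

A download script would look up the random name and the recorded content type in the application's own records and pass them to `serve_upload()`, ideally on a separate origin as the last rule suggests.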
josh
DevNet Master
Posts: 4872
Joined: Wed Feb 11, 2004 3:23 pm
Location: Palm beach, Florida

Re: Exploit with upload image function...

Post by josh »

timWebUK wrote:I've added PHP to the end of an image file, it's not getting run...
Create a file called hack.php and inside it put include('myimage.jpg')

Or execute it on the CLI `php myimage.jpg`, or something along these lines.