Re: Exploit with upload image function...
Posted: Tue Feb 23, 2010 8:46 am
by Mate
local file inclusion
yes for example:
http://www.biopulsa.com/_index.php?bio= ... etc/passwd
By LFI u can only read files from the hard disk of the affected computer.
It's not RFI.
Re: Exploit with upload image function...
Posted: Tue Feb 23, 2010 8:54 am
by VladSun
Well, the "affected" computer is the server itself!
If I am able to upload files to the "affected" computer and LFI them then it's an RFI/RCE ...
Re: Exploit with upload image function...
Posted: Tue Feb 23, 2010 9:20 am
by Mate
Yeah but whenever u have only LFI without RFI u cannot do anything except to see files which are on affected computer.
Re: Exploit with upload image function...
Posted: Tue Feb 23, 2010 9:25 am
by VladSun
Mate wrote: Yeah but whenever u have only LFI without RFI u cannot do anything except to see files which are on affected computer.
"Seeing" (i.e. include()/require() ) the files is indeed an execution. If these files contain <?php / <? blocks they will be executed. You've been told this already.
Re: Exploit with upload image function...
Posted: Tue Feb 23, 2010 9:34 am
by Mate
Even if the file is .jpg, the PHP code in it will be executed (by LFI)?
Re: Exploit with upload image function...
Posted: Tue Feb 23, 2010 9:35 am
by timWebUK
If you limit to only images being able to be uploaded, how is it possible to get the server to parse PHP within the image data? You wouldn't be able to upload a .htaccess file.
Re: Exploit with upload image function...
Posted: Tue Feb 23, 2010 9:40 am
by Mate
timWebUK wrote: If you limit to only images being able to be uploaded, how is it possible to get the server to parse PHP within the image data? You wouldn't be able to upload a .htaccess file.
Yes, but it's about another leak here:
By this leak u are uploading PHP code in JPG format.
Now I have to find another leak which contains LFI and include the image.
Re: Exploit with upload image function...
Posted: Tue Feb 23, 2010 9:40 am
by VladSun
Mate wrote: Even if the file is .jpg the PHP code in it will be executed (by LFI)?
YES, try it!
Re: Exploit with upload image function...
Posted: Tue Feb 23, 2010 5:28 pm
by josh
timWebUK wrote: If you limit to only images being able to be uploaded, how is it possible to get the server to parse PHP within the image data? You wouldn't be able to upload a .htaccess file.
In the same way PHP will parse a file that also contains HTML data. It simply "passes thru" stuff outside of PHP tags.
Re: Exploit with upload image function...
Posted: Tue Feb 23, 2010 6:28 pm
by timWebUK
I've added PHP to the end of an image file, it's not getting run...
Re: Exploit with upload image function...
Posted: Tue Feb 23, 2010 6:32 pm
by Mate
timWebUK wrote: I've added PHP to the end of an image file, it's not getting run...
It's not about that.
The purpose of adding PHP code in meta file is to trick the function getimagesize, which doesn't exist in this script, so it isn't required here.
Here u can upload plain PHP code in .jpg format, and then somehow include it by LFI ... I just have to find how ...
Re: Exploit with upload image function...
Posted: Wed Feb 24, 2010 1:51 am
by kaisellgren
I'm not sure what's the problem here.
An image file, a PDF file, an Office document, and many other formats have all sorts of meta data code chunks where you can place PHP, JavaScript or pretty much whatever you want. If these files are executed, the parser may run the code. In IE, JavaScript within an image will be run (unless you specify X-Content-Type-Options: nosniff). In case of PHP, code within an image will be run. It's not just about images, it's simple to put PHP code within a .docx file (Office Word) and almost anywhere.
You should not try to filter files. You should not try to do checks like getimagesize() for security purposes. What you need to do is to handle the files properly. Here are a few good rules of thumb:
- Rename uploaded files to something random. Don't give them any extension (e.g. "sdf32rf0ghjewsfq03hre40yhptg0jwsef0wef").
- Place the uploaded files outside of your document root.
- Never include/execute the files you uploaded. This means no include or require in PHP. No HTML script tags or stylesheet tags including them. No Apache Include commands including them. And so forth.
- When you need to serve the files to the client, do so by reading the contents of the files and outputting them to the client along with proper headers. For IE, you need that X-Content-Type-Options: nosniff, and then you need to serve the right Content-Type, too.
- If at all possible, serve the files from another origin. Using a different port, a domain name or an IP address is fine. Sub-domains are dangerous and with IPs things get slightly harder.
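The rules of thumb in the post above, sketched as an added example (not code from the thread or from any poster). The storage path, the function names and the content-type allow-list are assumptions, and `random_bytes()` needs PHP 7 or later:

```php
<?php
// Added example: names and paths below are hypothetical, not from the thread.
const UPLOAD_DIR = '/var/app-data/uploads';   // assumption: lies outside the document root
const ALLOWED_TYPES = ['image/jpeg', 'image/png', 'image/gif'];

// Store an upload under a random, extension-less name and return that name.
function store_upload(array $file): string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Upload failed');
    }
    // The client-supplied name is never used for the stored file.
    $id = bin2hex(random_bytes(20));
    if (!move_uploaded_file($file['tmp_name'], UPLOAD_DIR . '/' . $id)) {
        throw new RuntimeException('Could not store file');
    }
    // The caller records $id and the intended Content-Type (e.g. in a database).
    return $id;
}

// Serve a stored file as inert bytes: read and output, never include/require.
function serve_upload(string $id, string $contentType): void
{
    // Accept only the exact name format generated above, which rules out
    // path traversal sequences and any other file on disk.
    if (!preg_match('/\A[0-9a-f]{40}\z/', $id)) {
        http_response_code(404);
        return;
    }
    $path = UPLOAD_DIR . '/' . $id;
    if (!is_file($path) || !in_array($contentType, ALLOWED_TYPES, true)) {
        http_response_code(404);
        return;
    }
    header('Content-Type: ' . $contentType);
    header('X-Content-Type-Options: nosniff');   // stops IE content sniffing
    header('Content-Length: ' . filesize($path));
    // readfile() copies bytes to the response; PHP tags inside the file
    // are output as data, not executed.
    readfile($path);
}
```

The download script that calls `serve_upload()` would ideally sit on a separate origin, as the last rule suggests.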
Re: Exploit with upload image function...
Posted: Wed Feb 24, 2010 8:27 pm
by josh
timWebUK wrote: I've added PHP to the end of an image file, it's not getting run...
Create a file called hack.php and inside it put include('myimage.jpg')
Or execute it on the CLI `php myimage.jpg`, or something along these lines.