Exploit with upload image function...

Posted: Fri Feb 12, 2010 10:41 am
by Mate

// Guild logo upload handler as posted. $config, $guild and $upload_errors
// come from the surrounding application and are not shown here.
$max_image_size_b = $config['site']['guild_image_size_kb'] * 1024;
// These are MIME types as reported by the client, not file extensions.
$allowed_ext = array('image/gif', 'image/jpg', 'image/pjpeg', 'image/jpeg', 'image/bmp', 'image/png', 'image/x-png');
$ext_name = array('image/gif' => 'gif', 'image/jpg' => 'jpg', 'image/jpeg' => 'jpg', 'image/pjpeg' => 'jpg', 'image/bmp' => 'bmp', 'image/png' => 'png', 'image/x-png' => 'png');
// Target file name is derived from the guild name; the extension is added below.
$save_file_name = str_replace(' ', '_', strtolower($guild->getName()));
$save_path = 'guilds/'.$save_file_name;

if($_REQUEST['todo'] == 'save') {
    $file = $_FILES['newlogo'];
    if(is_uploaded_file($file['tmp_name'])) {
        if($file['size'] > $max_image_size_b) {
            $upload_errors[] = 'Uploaded image is too big. Size: <b>'.$file['size'].' bytes</b>, Max. size: <b>'.$max_image_size_b.' bytes</b>.';
        }
        // $file['type'] is the Content-Type sent by the client for this part.
        $type = strtolower($file['type']);
        if(!in_array($type, $allowed_ext)) {
            $upload_errors[] = 'Your file type isn\'t allowed. Allowed: <b>gif, jpg, bmp, png</b>. Your file type: <b>'.$type.'</b> If it\'s an image contact the admin.';
        }
    }
    else
    {
        $upload_errors[] = 'You didn\'t send a file or the file is too big. Limit: <b>'.$config['site']['guild_image_size_kb'].' KB</b>.';
    }
    if(empty($upload_errors)) {
        // Extension is chosen from the client-supplied type, file content is not inspected.
        $extension = $ext_name[$type];
        if(!move_uploaded_file($file['tmp_name'], $save_path.'.'.$extension)) {
            $upload_errors[] = 'Sorry! Can\'t save your image.';
        }
    }
    if(empty($upload_errors)) {
        // Remove the previous logo unless it is the default or the file just written.
        $guild_logo = $guild->getCustomField('logo_gfx_name');
        if(empty($guild_logo) || !file_exists("guilds/".$guild_logo)) {
            $guild_logo = "default_logo.gif";
        }
        if($guild_logo != "default_logo.gif" && $guild_logo != $save_file_name.'.'.$extension) {
            unlink('guilds/'.$guild_logo);
        }
    }
}
Does anyone have an idea how the hacker could upload an exploit?
I tried with Tamper Data, changing the application stream to image/jpg, but after it was uploaded its name had been changed to something.jpg instead of something.php, so I couldn't execute it (the PHP code was in the something.jpg file).
(When I opened it, it was just a link to that file.)

Any help will be appreciated...

Re: Exploit with upload image function...

Posted: Fri Feb 12, 2010 11:57 am
by josh
You can put PHP code in a file named something.jpg and then include it anyways. It can even still be a valid jpg and look like a regular picture. PHP would see the binary jpeg bits in the same way it treats regular text or markup

(valid jpeg data here)
<?php
echo 'some ascii data that happens to execute as php';


Its called a polyglot! http://en.wikipedia.org/wiki/Polyglot_%28computing%29

But that is not how you probably got hacked (most likely). Most likely it was something else you overlooked. My example just goes to show your assumptions were wrong.

Re: Exploit with upload image function...

Posted: Fri Feb 12, 2010 12:36 pm
by kaisellgren
You don't show us the code for

$guild->getName()
and line 23 is vulnerable to file-name truncation and traversal attacks.

If

$guild->getCustomField('logo_gfx_name');
comes from the client, you are vulnerable to arbitrary file deletion.

Re: Exploit with upload image function...

Posted: Fri Feb 12, 2010 12:48 pm
by Mate

    public function getName()
    {
        if( !isset($this->data['name']) )
        {
            throw new E_OTS_NotLoaded();
        }

        return $this->data['name'];
    }
I'm 100% sure that this function is not vulnerable.
How can I reproduce how he uploaded an exploit?
The site is not vulnerable to traversal attacks...

Re: Exploit with upload image function...

Posted: Fri Feb 12, 2010 5:09 pm
by Darhazer
The upload can be only part of the exploit. If the user uploads a PHP file renamed to .jpg and then exploits a remote file inclusion, the PHP code is executed.
So, never trust $_FILES['...']['type'] :)
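A hardened version of the handler Mate posted, added here as an example and not code from the thread: it decides the type from the file's bytes instead of $_FILES['newlogo']['type'] (Darhazer's point), derives the extension from the detected type, strips the guild name down to [a-z0-9_], and re-encodes the image through GD so that data appended to or embedded in the upload is discarded. It assumes GD is available and keeps the $config and $guild names from the original; bmp is no longer accepted.

```php
<?php
// Added example, not from the thread. Assumes GD is installed and that
// $config, $guild and $upload_errors exist as in the posted handler.

function save_guild_logo(array $file, string $save_path, int $max_bytes): ?string
{
    if (!isset($file['tmp_name']) || !is_uploaded_file($file['tmp_name'])
        || $file['size'] > $max_bytes) {
        return null;
    }
    // Type comes from the bytes on disk; $file['type'] is client-supplied.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false) {
        return null;
    }
    // Decoder, encoder and extension per accepted format; nothing else passes.
    $formats = [
        IMAGETYPE_GIF  => ['imagecreatefromgif',  'imagegif',  'gif'],
        IMAGETYPE_JPEG => ['imagecreatefromjpeg', 'imagejpeg', 'jpg'],
        IMAGETYPE_PNG  => ['imagecreatefrompng',  'imagepng',  'png'],
    ];
    if (!isset($formats[$info[2]])) {
        return null;
    }
    [$load, $store, $ext] = $formats[$info[2]];
    // Re-encoding keeps only pixel data, so a PHP payload appended to the
    // image or hidden in its metadata never reaches the guilds/ directory.
    $im = @$load($file['tmp_name']);
    if ($im === false) {
        return null;
    }
    $dest = $save_path . '.' . $ext;
    $ok = $store($im, $dest);
    imagedestroy($im);
    return $ok ? basename($dest) : null;
}

// Replacement for the original save branch.
if ($_REQUEST['todo'] == 'save') {
    $max_bytes = $config['site']['guild_image_size_kb'] * 1024;
    // Server-chosen name: only [a-z0-9_] survive, so no separators or dots.
    $name = preg_replace('/[^a-z0-9_]/', '', str_replace(' ', '_', strtolower($guild->getName())));
    if ($name === '') {
        $upload_errors[] = 'Guild name does not yield a usable file name.';
    } elseif (save_guild_logo($_FILES['newlogo'] ?? [], 'guilds/' . $name, $max_bytes) === null) {
        $upload_errors[] = 'Upload rejected: not a gif, jpg or png image, or larger than '
            . $max_bytes . ' bytes.';
    }
}
```

Re-encoding also protects against the .htaccess and LFI routes discussed later in the thread only in part: the guilds/ directory still must not be served with PHP handlers enabled, and no script may include() a path the client influences.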

Re: Exploit with upload image function...

Posted: Sat Feb 13, 2010 2:44 am
by Mate
How can a potential attacker exploit remote file inclusion?
I tried many ways and couldn't find out how...

Re: Exploit with upload image function...

Posted: Thu Feb 18, 2010 6:55 pm
by Mate
OK, I might know the trick, but I'm not sure if it is possible...
So the hacker uploads an image file in .jpg format with the image + exploit (the exploit is somewhere near the metadata of the image or something like that...).
Is it possible?

Re: Exploit with upload image function...

Posted: Sat Feb 20, 2010 3:30 am
by kaisellgren
Mate wrote: OK, I might know the trick, but I'm not sure if it is possible...
So the hacker uploads an image file in .jpg format with the image + exploit (the exploit is somewhere near the metadata of the image or something like that...).
Is it possible?
You can certainly place PHP, JS or any other code within image meta data or just append it to the image data. If this image is ever going to be parsed, you are in trouble.
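A check for files already on disk, added as an example rather than code from the thread, covering the polyglot case josh and kaisellgren describe: it walks an upload directory and reports image-named files whose header does not match their extension, files with non-image extensions such as .htaccess, and files containing a PHP open tag. The guilds/ path is taken from the posted code; the tag regex is an assumption and can produce rare false positives on compressed image data.

```php
<?php
// Added example, not from the thread. Scans an upload directory for files
// that should be plain images but are not. Path and patterns are assumptions.

function scan_upload_dir(string $dir): array
{
    // Leading bytes a real file of each accepted extension must start with.
    $magic = [
        'gif' => ["GIF87a", "GIF89a"],
        'jpg' => ["\xFF\xD8\xFF"],
        'png' => ["\x89PNG\r\n\x1a\n"],
    ];
    $findings = [];
    foreach (new DirectoryIterator($dir) as $entry) {
        if (!$entry->isFile()) {
            continue;
        }
        $name = $entry->getFilename();
        $ext  = strtolower($entry->getExtension());
        if (!isset($magic[$ext])) {
            // Not an image extension at all, e.g. .htaccess or .php.
            $findings[] = "$name: unexpected extension '$ext'";
            continue;
        }
        $data = file_get_contents($entry->getPathname());
        $header_ok = false;
        foreach ($magic[$ext] as $sig) {
            if (strncmp($data, $sig, strlen($sig)) === 0) {
                $header_ok = true;
                break;
            }
        }
        if (!$header_ok) {
            $findings[] = "$name: header does not match .$ext";
        }
        // A file that is only pixels has no reason to carry a PHP open tag;
        // a polyglot built to be include()d must contain one.
        if (preg_match('/<\?(php\b|=)/i', $data) === 1) {
            $findings[] = "$name: contains a PHP open tag";
        }
    }
    return $findings;
}

foreach (scan_upload_dir(__DIR__ . '/guilds') as $finding) {
    echo $finding, PHP_EOL;
}
```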

Re: Exploit with upload image function...

Posted: Mon Feb 22, 2010 10:37 pm
by Mate
After testing:
No, I don't think it will be parsed, because the script changes the file's name to something.jpg/gif no matter what file I am sending (but it would have to be saved as .PHP to execute the code),
and no, when JPEGs are executed as .jpg, PHP code cannot be executed on my server.
Just tested it fully...

Re: Exploit with upload image function...

Posted: Tue Feb 23, 2010 4:00 am
by VladSun
If your PHP code is vulnerable to LFI, then you are in trouble ;)

Re: Exploit with upload image function...

Posted: Tue Feb 23, 2010 5:08 am
by kaisellgren
Not long ago I fixed a piece of software that allowed a user to upload files. I was able to upload a .htaccess file, and thus I could make JPG/PNG/GIF/whatever be parsed by PHP. Just another route to the world of RCE.

Re: Exploit with upload image function...

Posted: Tue Feb 23, 2010 7:32 am
by Mate
kaisellgren wrote: Not long ago I fixed a piece of software that allowed a user to upload files. I was able to upload a .htaccess file, and thus I could make JPG/PNG/GIF/whatever be parsed by PHP. Just another route to the world of RCE.
I tried uploading .htaccess but my attempts failed.
VladSun wrote: If your PHP code is vulnerable to LFI, then you are in trouble ;)
And... this code is?

Re: Exploit with upload image function...

Posted: Tue Feb 23, 2010 7:40 am
by VladSun
Mate wrote:
VladSun wrote:If your PHP code is vulnerable to LFI, then you are in trouble ;)
And ... this code is?
I didn't mean the particular PHP code you've posted here; I meant all of your PHP code uploaded on the www server. If any of this code is vulnerable to an LFI exploit, then thanks to your upload PHP code it's also vulnerable to an RFI exploit.

Re: Exploit with upload image function...

Posted: Tue Feb 23, 2010 8:11 am
by Mate
VladSun wrote:
Mate wrote:
VladSun wrote: If your PHP code is vulnerable to LFI, then you are in trouble ;)
And... this code is?
I didn't mean the particular PHP code you've posted here; I meant all of your PHP code uploaded on the www server. If any of this code is vulnerable to an LFI exploit, then thanks to your upload PHP code it's also vulnerable to an RFI exploit.
Even so, how will the PHP code be executed if it is in .jpg format?

Re: Exploit with upload image function...

Posted: Tue Feb 23, 2010 8:13 am
by VladSun
I am not sure what you mean by ".jpeg format", but I'd say yes, even if it is in .jpeg format.
You know what LFI means, don't you?