
How was my image upload script exploited

Posted: Sat Sep 08, 2007 10:02 pm
by dapaintballer331
Somehow users uploaded a file called "muhacir.php" to my image upload folder, and used it to delete EVERYTHING on my website.

How did they get a .jpeg/.gif extension file to upload, rename and execute?
I know mime types can be spoofed, so I thought file extensions would work.

If that isn't the case, how did they upload a .php file? I tried using null bytes on my own server and even that wouldn't work; the filename was still .php%00.jpeg

Any ideas?

Posted: Sat Sep 08, 2007 10:09 pm
by John Cartwright
We will have to see your code.

Posted: Sun Sep 09, 2007 5:21 am
by VladSun
As far as I understood, you've tried this:
http://ha.ckers.org/blog/20070604/passi ... imagesize/

Yes, we will need your code :)

Re: How was my image upload script exploited

Posted: Sun Sep 09, 2007 7:06 am
by superdezign
dapaintballer331 wrote: I know mime types can be spoofed, so I thought file extensions would work.
You think MIME types are easier to spoof than file extensions?

Re: How was my image upload script exploited

Posted: Sun Sep 09, 2007 7:58 am
by feyd
superdezign wrote:
dapaintballer331 wrote: I know mime types can be spoofed, so I thought file extensions would work.
You think MIME types are easier to spoof than file extensions?
Both are easy to fake.

Posted: Sun Sep 09, 2007 1:27 pm
by dapaintballer331
feyd | Please use code tags and [syntax="..."] tags where appropriate when posting code. Your post has been edited to reflect how we'd like it posted. Please read: Posting Code in the Forums (http://forums.devnetwork.net/viewtopic.php?t=21171) to learn how to do it too.

Code:

if(isset($Submit)){
  $file=$_FILES['imagefile']['name'];
  $filetype=substr($file,-4);
  if (!file_exists('upload/'.$_FILES['imagefile']['name'])) {
    if($filetype=="jpeg"|$filetype==".gif"|$filetype==".png"|$filetype==".jpg"|$filetype==".bmp"){
      copy($_FILES['imagefile']['tmp_name'],"upload/".$_FILES['imagefile']['name'])
        or die("Could not copy");
      echo"<br>Upload Complete";
      echo"<br>Name:&nbsp;".$_FILES['imagefile']['name']."";
      echo"<br>Size:&nbsp;".$_FILES['imagefile']['size']." bytes";
      echo"<br>URL: " . $filelocation . "upload/" . $_FILES['imagefile']['name'];
      echo"<br>Type:&nbsp;".$_FILES['imagefile']['type']."<br>";
    }else{
      echo"<br>Upload Error";
      echo"<br>Could Not Copy, Wrong Filetype (".$_FILES['imagefile']['name'].")<br>";
    }
  } else {
    echo 'A image with the same name already exists. Feel free to rename your file then reupload.';
  }
}
Honestly, I didn't write the code, but I couldn't have done any better if I give them direct access to the file like this script does.



Posted: Sun Sep 09, 2007 1:53 pm
by jmut
dapaintballer331 wrote:

Code:

if(isset($Submit)){
  $file=$_FILES['imagefile']['name'];
  $filetype=substr($file,-4);
  if (!file_exists('upload/'.$_FILES['imagefile']['name'])) {
    if($filetype=="jpeg"|$filetype==".gif"|$filetype==".png"|$filetype==".jpg"|$filetype==".bmp"){
      copy($_FILES['imagefile']['tmp_name'],"upload/".$_FILES['imagefile']['name'])
        or die("Could not copy");
      echo"<br>Upload Complete";
      echo"<br>Name:&nbsp;".$_FILES['imagefile']['name']."";
      echo"<br>Size:&nbsp;".$_FILES['imagefile']['size']." bytes";
      echo"<br>URL: " . $filelocation . "upload/" . $_FILES['imagefile']['name'];
      echo"<br>Type:&nbsp;".$_FILES['imagefile']['type']."<br>";
    }else{
      echo"<br>Upload Error";
      echo"<br>Could Not Copy, Wrong Filetype (".$_FILES['imagefile']['name'].")<br>";
    }
  } else {
    echo 'A image with the same name already exists. Feel free to rename your file then reupload.';
  }
}
Honestly, I didn't write the code, but I couldn't have done any better if I give them direct access to the file like this script does.

As a start, you should not use copy() but rather
http://www.php.net/manual/en/function.m ... d-file.php

Posted: Tue Sep 11, 2007 4:47 am
by mrkite
You're using bitwise-or | instead of logical-or ||.

This is how they broke your uploader.

Code:

if ($filetype=="jpeg"|$filetype==".gif"|$filetype==".png"|$filetype==".jpg"|$filetype==".bmp")
Bitwise-or has a higher precedence than equality. So basically the above is equivalent to:

Code:

if ($filetype==("jpeg"|$filetype)==(".gif"|$filetype)==(".png"|$filetype)==(".jpg"|$filetype)==".bmp")
Change those back to || and try uploading a regular php file


Whenever I have people upload images, I never care what the original filename was. I use ImageMagick to convert their tmp_name into a jpeg before it moves into webspace.

Edit: deleted extraneous examples which weren't true for PHP 5.
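The following is an added example for this thread, not code from the original post or from any of the replies. It reproduces the posted suffix check unchanged (single `|` included) so its behaviour on individual filenames can be observed, and beside it puts a hardened handler that follows jmut's advice to use move_uploaded_file() and mrkite's advice to re-encode the image and discard the client's filename. The storage path `/var/app/uploads`, the function names, and the three sample filenames are assumptions made for the demonstration; GD is used for the re-encode in place of ImageMagick because it ships with most PHP builds. PHP 7.1 or later is assumed.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. The directory path, function names
// and sample filenames are assumptions made for this demonstration.

// The suffix check from the posted script, reproduced unchanged (the single `|`
// included) so that its behaviour on individual filenames can be observed.
function original_check(string $file): bool
{
    $filetype = substr($file, -4);
    return (bool) ($filetype == "jpeg" | $filetype == ".gif" | $filetype == ".png"
                   | $filetype == ".jpg" | $filetype == ".bmp");
}

// Constructed sample names: a plain .php name, a double extension, and a name
// carrying an embedded null byte. Returns name => whether the check accepts it.
function probe_original_check(): array
{
    $samples = ["muhacir.php", "shell.php.jpg", "shell.php\0.jpg"];
    $results = [];
    foreach ($samples as $name) {
        $results[$name] = original_check($name);
    }
    return $results;
}

// Hardened replacement. $storeDir is assumed to sit outside the web root and to
// be served through a separate read-only script, so nothing written here is
// ever handed to the PHP interpreter.
function handle_image_upload(array $upload, string $storeDir): string
{
    // Accept only a file that PHP itself received through the upload mechanism.
    if (($upload['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($upload['tmp_name'])) {
        throw new RuntimeException('no valid upload');
    }

    // Identify the type from the file's bytes; the client-supplied name and
    // Content-Type header are ignored from here on.
    $writers = [
        IMAGETYPE_JPEG => ['jpg', 'imagejpeg'],
        IMAGETYPE_PNG  => ['png', 'imagepng'],
        IMAGETYPE_GIF  => ['gif', 'imagegif'],
    ];
    $info = @getimagesize($upload['tmp_name']);
    if ($info === false || !isset($writers[$info[2]])) {
        throw new RuntimeException('not an accepted image type');
    }
    [$ext, $writer] = $writers[$info[2]];

    // Stage with move_uploaded_file(), which refuses anything that did not
    // arrive as an upload, under a name the server chose rather than the client.
    $staged = $storeDir . '/' . bin2hex(random_bytes(16)) . '.upload';
    if (!move_uploaded_file($upload['tmp_name'], $staged)) {
        throw new RuntimeException('could not store upload');
    }

    try {
        // Re-encode through GD: only decoded pixel data reaches the final file,
        // so bytes that getimagesize() never inspects (comments, trailing data)
        // are not carried over.
        $img = @imagecreatefromstring((string) file_get_contents($staged));
        if ($img === false) {
            throw new RuntimeException('image could not be decoded');
        }
        $name = bin2hex(random_bytes(16)) . '.' . $ext;
        if (!$writer($img, $storeDir . '/' . $name)) {
            throw new RuntimeException('could not write image');
        }
        return $name;
    } finally {
        @unlink($staged);
    }
}

// Form handler, keeping the field names of the posted script but reading the
// submit button from $_POST rather than relying on register_globals.
if (isset($_POST['Submit'])) {
    try {
        $stored = handle_image_upload($_FILES['imagefile'] ?? [], '/var/app/uploads');
        echo '<br>Upload complete. Stored as: ' . htmlspecialchars($stored);
    } catch (RuntimeException $e) {
        echo '<br>Upload rejected: ' . htmlspecialchars($e->getMessage());
    }
}
```

Whatever one concludes about the `|`, original_check() inspects only the last four characters of the client-supplied name, so any name ending in one of the listed strings passes regardless of what precedes it, and the posted script then builds the destination path from that exact name and hands it to copy(). Two things follow for testing: a literal `%00` typed into a filename is three ordinary characters, not a null byte, since multipart form-data filenames are not URL-decoded, so that test did not exercise the embedded-null case (PHP has rejected paths containing a null byte since 5.3.4, but at the time of this thread it did not). The hardened handler sidesteps the whole question by never using the client name or the client Content-Type: the type comes from the bytes, the stored name is random, the file is staged with move_uploaded_file() and re-encoded so only pixel data survives, and the directory it lands in is one the web server never executes from. getimagesize() on its own is not a sufficient check, which is the point of the ha.ckers.org link earlier in the thread; the re-encode and the non-executing storage location are what actually remove the risk.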