Javascript required
Skip to content Skip to sidebar Skip to footer
Home / Get Uploaded File Name From Form in Php

Get Uploaded File Name From Form in Php

Six files that are also a valid PHP

Six files that are also a valid PHP and a Haskell GIF that is too a Python-Python-Python. The challenge was inspired past the PoC||GTFO Journal's idea of a polyglot file. The thought of having one file that has two formats was interesting and somewhat useful to bypass upload restrictions and execute the unexpected type of your file with some LFI. I've found a repository with a huge listing with the "Smallest possible'south possible" list.

image

Caio Lüders HackerNoon profile picture

And a GIF that is also a Python

That history begins with me trying to make a GIF that is too a valid Haskell, all that for a CTF claiming. Although was a pain in the ass to kill this challenge, the idea of having one file that has two format was really interesting and somewhat useful to bypass upload restrictions and execute the unexpected blazon of your file with some LFI.

GIF + PHP

I was reading the PoC||GTFO Journal and they beloved the idea of a polyglot file, 1 of their problems is a PDF/Zip and NES ROM , so I started with the simplest — and probably the only i that is useful — file format : PHP. Why is the simplest? Because you can land where the code starts with <? and where it ends with ?> , with that I can put the PHP code anywhere in the file.

I already knew something about GIF, and so let's offset with it. Having in mind that the content of the GIF is worthless to us the tiniest GIF possible is a bully place to showtime :

              HEX   : 47 49 46 38 39 61 01 00 01 00 00 FF 00 2C 00 00 00 00 01 00 01 00 00 02 00 3B            
              ASCII : GIF89a���ÿ�,��������;

Equally explained in the blog post, that makes a 1x1 black gif and it should break because it doesn't have the Global Color Table, just information technology works because the readers does not follow the specification at risk. Now I want to put my PHP string somewhere in there. Reading the GIF89a Specification I've found the Comment Extension which allow us to put a annotate in the GIF at the end of the file. Something like that :

                              vii half-dozen 5 4 3 2 ane 0        Field Name                    Type      +---------------+   0  |      0x21     |       Extension Introducer          Byte      +---------------+   1  |      0xFE     |       Annotate Characterization                 Byte      +---------------+       +===============+      |    <?         |   N  |    phpinfo(); |       Comment Data            Data Sub-blocks      |               |      +===============+       +---------------+   0  |       ;       |       Cake Terminator              Byte      +---------------+

And then at present nosotros tin can append our PHP code every bit a annotate in the GIF :

              HEX   : 47 49 46 38 39 61 01 00 01 00 00 FF 00 2C 00 00 00 00 01 00 01 00 00 02 00 21 FE 3C 3F seventy 68 lxx 69 6E 66 6F 28 29 3B ASCII : GIF89a���ÿ�,��������!þ<?phpinfo();

Note that !þ = 0x21 0xFE , and PHP doesn't require the ?> at the end. Besides GIF makes piece of cake for us having the EOF as a semicolon.

PHP + PDF

Post-obit the steps of PoC||GTFO allow's play with PDF. The plan withal the same, become the simplest PDF possible and effort to suspend a comment.

I had a trouble with the get-go part of the plan, I utilize OS X and his PDF reader is restrict equally fuck, most every simple PDF that I've found in the internet has some fault for the Os X'due south reader. The only one that is all in ASCII and worked for me was this one: https://stackoverflow.com/a/32142316

              %PDF-1.2  9 0 obj << >> stream BT/ 9 Tf(Examination)' ET endstream endobj 4 0 obj << /Type /Page /Parent v 0 R /Contents 9 0 R >> endobj 5 0 obj << /Kids [4 0 R ] /Count 1 /Type /Pages /MediaBox [ 0 0 99 9 ] >> endobj three 0 obj << /Pages five 0 R /Type /Itemize >> endobj trailer << /Root 3 0 R >> %%EOF

It has a lot of parts that isn't required for other readers, similar the Chrome'south reader, and it should be really smaller just it doesn't thing. PDF is much simpler, like any program language information technology has a code for comments which is % , so just put that afterwards any line and append the PHP code .

              %PDF-1.two %<?phpinfo()?> ...

Simplest arroyo

Surfing in the WEB I've found something really beautiful , a repository with a huge list with the "Smallest possible […] file", then I started to endeavor append PHP to some of that files.

As information technology turns out, most of the files has a EOF of some kind to country that the file has concluded, and most readers but ignores anything that is put subsequently that EOF. Hither is four examples :

ELF + PHP

              HEX   : 7F 45 4C 46 01 01 01 00 00 00 00 00 00 00 00 00 02 00 03 00 01 00 00 00 19 xl CD 80 2C 00 00 00 00 00 00 00 00 00 00 00 34 00 xx 00 01 00 00 00 00 00 00 00 00 40 CD 80 00 40 CD 80 4C 00 00 00 4C 00 00 00 05 00 00 00 00 ten 00 00 3C 3F 70 68 70 69 6E 66 6F 28 29 3B 3F 3E ASCII : ELF��������������@̀,�����������4� ���������@̀�@̀L���Fifty���������<?phpinfo();?>

MP3 + PHP

              HEX   : FF E3 18 C4 00 00 00 03 48 00 00 00 00 4C 41 4D 45 33 2E 39 38 2E 32 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 3C 3F lxx 68 70 69 6E 66 6F 28 29 3B 3F 3E ASCII : ÿãÄ���H����LAME3.98.2�������������������������������������������������<?phpinfo();?>

JPG + PHP

              HEX   : FF D8 FF DB 00 43 00 03 02 02 02 02 02 03 02 02 02 03 03 03 03 04 06 04 04 04 04 04 08 06 06 05 06 09 08 0A 0A 09 08 09 09 0A 0C 0F 0C 0A 0B 0E 0B 09 09 0D 11 0D 0E 0F 10 10 eleven 10 0A 0C 12 13 12 10 13 0F 10 10 ten FF C9 00 0B 08 00 01 00 01 01 01 11 00 FF CC 00 06 00 10 10 05 FF DA 00 08 01 01 00 00 3F 00 D2 CF 20 FF D9 3C 3F 70 68 70 69 6E 66 6F 28 29 3B 3F 3E ASCII : ÿØÿÛ�C�                          
                                        ÿÉ� ���ÿÌ��ÿÚ���?�ÒÏ ÿÙ<?phpinfo();?>

Append PHP to JPEG is really former, but everyone only put in the EXIF, and I consider it cheating.

BMP + PHP

              HEX  : 42 4D 1E 00 00 00 00 00 00 00 1A 00 00 00 0C 00 00 00 01 00 01 00 01 00 18 00 00 00 FF 00 3C 3F 70 68 seventy 69 6E 66 6F 28 29 3B 3F 3E ASCI : BM���������� ���������ÿ�<?phpinfo();?>

Bonus round :

After that finding I started playing with something more hardcore. A GIF that is also a valid Python. None of the above "techniques" works because you can't just say to Python Interpreter where to showtime to run the code like PHP. Let'south take some other look at another GIF :

              HEX   : 47 49 46 38 39 61 01 00 01 00 fourscore 01 00 FF FF FF 00 00 00 21 F9 04 01 0A 00 01 00 2C 00 00 00 00 01 00 01 00 00 02 02 4C 01 00 3B ASCII : GIF89a��€�ÿÿÿ���!ù ��,�������L�;

Let's try a error based analysis, what is the error that this file gives when run as a .py ?

              $ python tinytrans.gif   File "tinytrans.gif", line ane     GIF89a           ^ SyntaxError: invalid syntax

It throws a syntax mistake at the 0x01 byte, which is expected. The GIF Magic Number specifies that is a GIF and that his version is "89a", it turns out that every reader just require that the version is 89 or 87 ignoring the "a" part, so we can supercede the "a" with a "=" and state that "GIF89" is a variable, that should exist a nice start. Allow's run once again.

              $ python tinytrans.gif   File "tinytrans.gif", line 1     GIF89=           ^ SyntaxError: invalid syntax

Once more , as expected. The first idea that I have was to only comment the gibberish office of the GIF and put a comment, merely like at the PHP+GIF, that is a valid python and it was going to exist fine. Only in the centre of the gibberish it has a 0x0a byte, which is also a new line, that bugs all my attempts. I was trying to make something similar this :

              GIF89=\ #[e-mail protected][electronic mail protected]$!(@#@!_#)[electronic mail protected][email protected]!þ\ __import__('os').system('ls');

That is, a multi-line variable declaration using the '\' and in the middle of it only commenting the Not-ASCII, after that appending the '!þ' to outset a GIF comment, jumping to some other line and putting the actual code, post-obit by the EOF'southward semicolon, which is also valid in Python.

But trying to make a comment in a multi-line variable declaration was just impossible, merely making that inside a parentheses was valid : https://stackoverflow.com/a/22914853 . New try :

HEX :

              47 49 46 38 39 3D 28 0A 00 00 80 01 00 FF FF FF 00 00 00 21 F9 04 01 00 00 01 00 2C 00 00 00 00 01 00 01 00 00 02 02 4C 01 00 21 Atomic number 26 0A 5F 5F 69 6D 70 6F 72 74 5F 5F 28 27 6F 73 27 29 2E 73 79 73 74 65 6D 28 27 6C 73 27 29 29 3B

ASCII :

              GIF89=( ��€�ÿÿÿ���!ù���,�������L�!þ __import__('os').organisation('ls'));

Note that the interpreter volition merely ignore the line that starts with a Not-ASCII character, which is odd, so we don't need the # . And Running :

              $ python python.gif bash.gif  handtinyblack.gif php.elf   php.mp3   tinytrans.gif bmp.bmp   php-logo-virus.jpg php.gif   php.pdf   tinytrans.gpy dude.gif  php.bmp   php.jpg   python.gif  tinytrans.py

Yay !

Tags

# python# programming# ctf# php# capture-the-flag

Related Stories

ballhictle1988.blogspot.com

Source: https://hackernoon.com/six-files-that-are-also-a-valid-php-540343ad35c8