6 files that are also a valid PHP

Caio Lüders

And a GIF that is also a Python

This story begins with me trying to make a GIF that is also valid Haskell, all for a CTF challenge. Although it was a pain in the ass to kill this challenge, the idea of having one file that has two formats was really interesting and somewhat useful for bypassing upload restrictions and executing the unexpected type of your file with some LFI.

GIF + PHP

I was reading the PoC||GTFO journal and they love the idea of a polyglot file; one of their issues is a PDF/ZIP and NES ROM. So I started with the simplest — and probably the only one that is useful — file format: PHP. Why is it the simplest? Because you can state where the code starts with <? and where it ends with ?>, so I can put the PHP code anywhere in the file.

I already knew something about GIF, so let's start with it. Keeping in mind that the content of the GIF is worthless to us, the tiniest GIF possible is a great place to start:

              HEX   : 47 49 46 38 39 61 01 00 01 00 00 FF 00 2C 00 00 00 00 01 00 01 00 00 02 00 3B            
              ASCII : GIF89a���ÿ�,��������;            

As explained in the blog post, that makes a 1x1 black GIF, and it should break because it doesn't have the Global Color Table, but it works because readers do not follow the specification to the letter. Now I want to put my PHP code somewhere in there. Reading the GIF89a Specification I found the Comment Extension, which allows us to put a comment in the GIF at the end of the file. Something like this:

                    7 6 5 4 3 2 1 0        Field Name                    Type
                   +---------------+
                0  |      0x21     |       Extension Introducer          Byte
                   +---------------+
                1  |      0xFE     |       Comment Label                 Byte
                   +---------------+

                   +===============+
                   |    <?         |
                N  |    phpinfo(); |       Comment Data                  Data Sub-blocks
                   |               |
                   +===============+

                   +---------------+
                0  |       ;       |       Block Terminator              Byte
                   +---------------+

So now we can append our PHP code as a comment in the GIF:

              HEX   : 47 49 46 38 39 61 01 00 01 00 00 FF 00 2C 00 00 00 00 01 00 01 00 00 02 00 21 FE 3C 3F 70 68 70 69 6E 66 6F 28 29 3B
              ASCII : GIF89a���ÿ�,��������!þ<?phpinfo();

Note that !þ = 0x21 0xFE, and PHP doesn't require the ?> at the end. Also, GIF makes it easy for us by having the EOF as a semicolon.
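The block layout above can be checked mechanically. The following is an added example, not code from the original post: a strict GIF block walker in Python (walk_gif and the sample names are assumptions made here) that rejects this page's GIF+PHP bytes, because the byte after 0x21 0xFE is read as a sub-block length, and that returns comment data and the count of bytes after the trailer for well-formed files.

```python
GIF_CLEAN = bytes.fromhex(  # the 26-byte GIF from this page
    "4749463839610100010000ff002c00000000010001000002003b")
# This page's GIF+PHP bytes: trailer replaced by 21 FE plus raw PHP text.
GIF_PHP = GIF_CLEAN[:-1] + b"\x21\xfe" + b"<?phpinfo();"
# Constructed: a spec-conforming comment (length byte, data, 0x00, trailer).
GIF_NOTE = GIF_CLEAN[:-1] + b"\x21\xfe\x05hello\x00\x3b"


def _sub_blocks(data, pos):
    """Read length-prefixed sub-blocks until the 0x00 terminator."""
    out = bytearray()
    while True:
        size = data[pos]
        pos += 1
        if size == 0:
            return bytes(out), pos
        if pos + size > len(data):
            raise ValueError("sub-block runs past end of file")
        out += data[pos:pos + size]
        pos += size


def walk_gif(data):
    """Return (comments, bytes_after_trailer); raise ValueError if malformed."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("bad signature")
    try:
        pos = 13
        if data[10] & 0x80:                        # Global Colour Table present
            pos += 3 * (2 << (data[10] & 0x07))
        comments = []
        while True:
            tag = data[pos]
            if tag == 0x3B:                        # Trailer
                return comments, len(data) - pos - 1
            if tag == 0x21:                        # Extension Introducer
                body, nxt = _sub_blocks(data, pos + 2)
                if data[pos + 1] == 0xFE:          # Comment Label
                    comments.append(body)
                pos = nxt
            elif tag == 0x2C:                      # Image Descriptor
                lct = data[pos + 9]                # packed field: local table
                skip = 3 * (2 << (lct & 0x07)) if lct & 0x80 else 0
                # +10 skips the descriptor, +1 the LZW minimum code size byte.
                _, pos = _sub_blocks(data, pos + 10 + skip + 1)
            else:
                raise ValueError(f"unknown block 0x{tag:02x} at {pos}")
    except IndexError:
        raise ValueError("truncated GIF") from None
```

A comment block that is well-formed still parses, so treat the returned comment bytes as untrusted and inspect or strip them before storing the file.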

PHP + PDF

Following in the steps of PoC||GTFO, let's play with PDF. The plan is still the same: get the simplest PDF possible and try to append a comment.

I had a problem with the first part of the plan: I use OS X and its PDF reader is strict as fuck, so almost every simple PDF that I found on the internet has some error in OS X's reader. The only one that is all ASCII and worked for me was this one: https://stackoverflow.com/a/32142316

              %PDF-1.2
              9 0 obj
              <<
              >>
              stream
              BT/ 9 Tf(Test)' ET
              endstream
              endobj
              4 0 obj
              <<
              /Type /Page
              /Parent 5 0 R
              /Contents 9 0 R
              >>
              endobj
              5 0 obj
              <<
              /Kids [4 0 R ]
              /Count 1
              /Type /Pages
              /MediaBox [ 0 0 99 9 ]
              >>
              endobj
              3 0 obj
              <<
              /Pages 5 0 R
              /Type /Catalog
              >>
              endobj
              trailer
              <<
              /Root 3 0 R
              >>
              %%EOF

It has a lot of parts that aren't required by other readers, like Chrome's reader, and it could be much smaller, but it doesn't matter. PDF is much simpler: like any programming language it has a marker for comments, which is %, so just put that after any line and append the PHP code.

              %PDF-1.2
              %<?phpinfo()?>
              ...

Simplest approach

Surfing the web I found something really beautiful: a repository with a huge list of the "Smallest possible […] file", so I started trying to append PHP to some of those files.

As it turns out, most of the files have an EOF of some kind to state that the file has ended, and most readers just ignore anything that is put after that EOF. Here are 4 examples:

ELF + PHP

              HEX   : 7F 45 4C 46 01 01 01 00 00 00 00 00 00 00 00 00 02 00 03 00 01 00 00 00 19 40 CD 80 2C 00 00 00 00 00 00 00 00 00 00 00 34 00 20 00 01 00 00 00 00 00 00 00 00 40 CD 80 00 40 CD 80 4C 00 00 00 4C 00 00 00 05 00 00 00 00 10 00 00 3C 3F 70 68 70 69 6E 66 6F 28 29 3B 3F 3E
              ASCII : ELF��������������@̀,�����������4� ���������@̀�@̀L���L���������<?phpinfo();?>

MP3 + PHP

              HEX   : FF E3 18 C4 00 00 00 03 48 00 00 00 00 4C 41 4D 45 33 2E 39 38 2E 32 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 3C 3F 70 68 70 69 6E 66 6F 28 29 3B 3F 3E
              ASCII : ÿãÄ���H����LAME3.98.2�������������������������������������������������<?phpinfo();?>

JPG + PHP

              HEX   : FF D8 FF DB 00 43 00 03 02 02 02 02 02 03 02 02 02 03 03 03 03 04 06 04 04 04 04 04 08 06 06 05 06 09 08 0A 0A 09 08 09 09 0A 0C 0F 0C 0A 0B 0E 0B 09 09 0D 11 0D 0E 0F 10 10 11 10 0A 0C 12 13 12 10 13 0F 10 10 10 FF C9 00 0B 08 00 01 00 01 01 01 11 00 FF CC 00 06 00 10 10 05 FF DA 00 08 01 01 00 00 3F 00 D2 CF 20 FF D9 3C 3F 70 68 70 69 6E 66 6F 28 29 3B 3F 3E
              ASCII : ÿØÿÛ�C�
                                        ÿÉ� ���ÿÌ��ÿÚ���?�ÒÏ ÿÙ<?phpinfo();?>

Appending PHP to a JPEG is really old, but everyone only puts it in the EXIF, and I consider that cheating.

BMP + PHP

              HEX   : 42 4D 1E 00 00 00 00 00 00 00 1A 00 00 00 0C 00 00 00 01 00 01 00 01 00 18 00 00 00 FF 00 3C 3F 70 68 70 69 6E 66 6F 28 29 3B 3F 3E
              ASCII : BM���������� ���������ÿ�<?phpinfo();?>
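From the defender's side, the append-after-EOF files above are caught by comparing the file length with where the container itself says it ends. Added example, not code from the original post: a Python upload check (scan_upload and its finding strings are names invented here) run over the BMP and JPG dumps from this page; the JPEG end is taken as the first FF D9, which is a heuristic.

```python
import re
import struct

# "<?" opens PHP ("<?php", "<?=", or short tags as in "<?phpinfo()").
# "<?xml" is skipped because genuine XMP/SVG metadata contains it.
PHP_OPEN = re.compile(rb"<\?(?!xml)", re.IGNORECASE)

# Constructed samples: the clean BMP and JPG bytes from this page's hex dumps.
BMP = bytes.fromhex(
    "42 4D 1E 00 00 00 00 00 00 00 1A 00 00 00 0C 00 00 00 01 00 01 00 01 00"
    " 18 00 00 00 FF 00")
JPG = bytes.fromhex(
    "FF D8 FF DB 00 43 00 03 02 02 02 02 02 03 02 02 02 03 03 03 03 04 06 04"
    " 04 04 04 04 08 06 06 05 06 09 08 0A 0A 09 08 09 09 0A 0C 0F 0C 0A 0B 0E"
    " 0B 09 09 0D 11 0D 0E 0F 10 10 11 10 0A 0C 12 13 12 10 13 0F 10 10 10 FF"
    " C9 00 0B 08 00 01 00 01 01 01 11 00 FF CC 00 06 00 10 10 05 FF DA 00 08"
    " 01 01 00 00 3F 00 D2 CF 20 FF D9")
PAYLOAD = b"<?phpinfo();?>"  # the 14 bytes appended in the dumps above


def declared_end(data: bytes):
    """Return the offset where the container says the file ends, or None."""
    if data[:2] == b"BM" and len(data) >= 6:
        # BMP stores its total size as a little-endian uint32 at offset 2.
        return struct.unpack_from("<I", data, 2)[0]
    if data[:3] == b"\xff\xd8\xff":
        # JPEG ends at the End Of Image marker FF D9 (first hit: a heuristic,
        # an embedded thumbnail can carry its own FF D9).
        eoi = data.find(b"\xff\xd9")
        return eoi + 2 if eoi != -1 else None
    return None


def scan_upload(data: bytes):
    """Return a list of findings for one uploaded file's bytes."""
    findings = []
    match = PHP_OPEN.search(data)
    if match:
        findings.append(f"php-open-tag@{match.start()}")
    end = declared_end(data)
    if end is not None and len(data) > end:
        findings.append(f"trailing-bytes:{len(data) - end}")
    return findings
```

An empty list is not proof that a file is safe; storing uploads where the PHP handler never runs and re-encoding images server-side remove the risk rather than detect it.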

Bonus round :

After that finding I started playing with something more hardcore: a GIF that is also valid Python. None of the above "techniques" work, because you can't simply tell the Python interpreter where to start running the code like in PHP. Let's take another look at another GIF:

              HEX   : 47 49 46 38 39 61 01 00 01 00 80 01 00 FF FF FF 00 00 00 21 F9 04 01 0A 00 01 00 2C 00 00 00 00 01 00 01 00 00 02 02 4C 01 00 3B
              ASCII : GIF89a��€�ÿÿÿ���!ù ��,�������L�;

Let's try an error-based analysis: what is the error that this file gives when run as a .py?

              $ python tinytrans.gif
                File "tinytrans.gif", line 1
                  GIF89a
                        ^
              SyntaxError: invalid syntax

It throws a syntax error at the 0x01 byte, which is expected. The GIF magic number specifies that it is a GIF and that its version is "89a". It turns out that every reader just requires that the version is 89 or 87, ignoring the "a" part, so we can replace the "a" with a "=" and state that "GIF89" is a variable; that should be a nice start. Let's run it again.

              $ python tinytrans.gif
                File "tinytrans.gif", line 1
                  GIF89=
                        ^
              SyntaxError: invalid syntax

Again, as expected. The first idea I had was to just comment out the gibberish part of the GIF and put in a comment, just like in the PHP+GIF, that is valid Python, and it was going to be fine. But in the middle of the gibberish there is a 0x0a byte, which is also a newline, and that broke all my attempts. I was trying to make something like this:

              GIF89=\
              #[email protected][email protected]$!(@#@!_#)[email protected][email protected]!þ\
              __import__('os').system('ls');

That is, a multi-line variable declaration using the '\', and in the middle of it just commenting out the non-ASCII, after that appending the '!þ' to start a GIF comment, jumping to another line and putting the actual code, followed by the EOF's semicolon, which is also valid in Python.

But making a comment in a multi-line variable declaration was just impossible, while doing that inside parentheses was valid: https://stackoverflow.com/a/22914853 . New attempt:

HEX :

              47 49 46 38 39 3D 28 0A 00 00 80 01 00 FF FF FF 00 00 00 21 F9 04 01 00 00 01 00 2C 00 00 00 00 01 00 01 00 00 02 02 4C 01 00 21 FE 0A 5F 5F 69 6D 70 6F 72 74 5F 5F 28 27 6F 73 27 29 2E 73 79 73 74 65 6D 28 27 6C 73 27 29 29 3B

ASCII :

              GIF89=(
              ��€�ÿÿÿ���!ù���,�������L�!þ
              __import__('os').system('ls'));

Note that the interpreter will just ignore the line that starts with a non-ASCII character, which is odd, so we don't need the #. And running it:

              $ python python.gif
              bash.gif  handtinyblack.gif php.elf   php.mp3   tinytrans.gif
              bmp.bmp   php-logo-virus.jpg php.gif   php.pdf   tinytrans.gpy
              dude.gif  php.bmp   php.jpg   python.gif  tinytrans.py

Yay !

Source: https://hackernoon.com/six-files-that-are-also-a-valid-php-540343ad35c8