Tuesday, June 26, 2007

PHP Image uploaders

Image uploads are pretty common these days; you get them in most forums, weblogs, community sites etc. There are basically 2 methods of determining whether the uploaded file is an actual image.

1: Check the file extension. This should be gif, jpg or png.
2: Check the file layout, using the PHP getimagesize() function, which is way cooler, cuz it is.

If by chance the developer wasn't paying attention and doesn't check the extension properly, but does use the getimagesize() function to determine the image type, you can upload a 'special' file that passes all the PHP image checks and still executes the embedded PHP.

Just take a basic JPEG image (yes, your avatar will do), open it in your favourite hex editor, open your PHP file next to it, and copy-paste the PHP hex data below the image hex data.

Next, rename the file.jpg to file.php, and try to upload it.

The thing with JPEG is, it's not bothered by excess data; the JPEG header takes care of that. A PHP file just outputs its contents until it finds those cute PHP tags. So when this 'image' is requested through a browser, the server executes it like a normal PHP file.

I used this image spoof about 20 times now, and it worked about 5 times. So it's a long shot, but surely worth a try.

PS:
if it doesn't work, try to upload a .htaccess file containing: AddType application/x-httpd-php .jpg
and upload your .php file as a .jpg file. Because of the weird filename layout (.htaccess == no filename and a suspiciously long file extension) some upload checks let it pass through (older versions of FCKeditor, for example).
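For the defender's side of both tricks above (the JPEG with PHP appended, and the .htaccess AddType trick), here is an added example of a hardened PHP upload handler. It is not code from the original post; it assumes GD is installed, that the upload arrives as $_FILES['image'] from a multipart form, and that UPLOAD_DIR (a placeholder path) lies outside the web root so nothing stored there is ever executed or honoured as a .htaccess.

```php
<?php
// Added example (not from the original post): a hardened image upload handler
// that closes the gaps the post describes: extension-only checks, trusting
// getimagesize() on its own, dotfiles such as .htaccess, and appended payloads.
// Assumptions: $_FILES['image'] from a multipart form, the GD extension,
// and UPLOAD_DIR pointing outside the web root (placeholder path).
const UPLOAD_DIR = '/var/www/uploads-private';
const MAX_BYTES  = 2 * 1024 * 1024;

function store_uploaded_image(array $file): string {
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // 1. Extension from an allow-list; ".htaccess" yields "htaccess" and "x.php"
    //    yields "php", so both are rejected here.
    $allowed = ['jpg' => IMAGETYPE_JPEG, 'jpeg' => IMAGETYPE_JPEG,
                'png' => IMAGETYPE_PNG, 'gif' => IMAGETYPE_GIF];
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        throw new RuntimeException('extension not allowed');
    }
    // 2. Header check, and the detected type must agree with the extension.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info[2] !== $allowed[$ext]) {
        throw new RuntimeException('not a matching image');
    }
    // 3. Re-encode with GD: only decoded pixels survive, so anything appended
    //    after the image data (the trick in the post) is dropped.
    $src = @imagecreatefromstring(file_get_contents($file['tmp_name']));
    if ($src === false) {
        throw new RuntimeException('image could not be decoded');
    }
    // 4. Server-chosen name; the client's filename never reaches the disk.
    $name = bin2hex(random_bytes(16));
    switch ($info[2]) {
        case IMAGETYPE_JPEG: $name .= '.jpg'; $ok = imagejpeg($src, UPLOAD_DIR . "/$name", 90); break;
        case IMAGETYPE_PNG:  $name .= '.png'; $ok = imagepng($src, UPLOAD_DIR . "/$name"); break;
        default:             $name .= '.gif'; $ok = imagegif($src, UPLOAD_DIR . "/$name"); break;
    }
    imagedestroy($src);
    if (!$ok) {
        throw new RuntimeException('could not write image');
    }
    return $name; // serve it through a script that sends an image/* Content-Type
}
```

Re-encoding also discards EXIF and comment segments, which is intended here: nothing from the original file except pixel data reaches the stored copy.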
