Six files that are also a valid PHP
And a GIF that is also a Python
Six files that are also a valid PHP, plus a GIF that is also a valid Python. The idea came from the PoC||GTFO Journal's polyglot files: having one file that has two formats is interesting and somewhat useful to bypass upload restrictions and execute the unexpected type of your file with some LFI. I've also found a repository with a huge list of the "smallest possible" files.
This story begins with me trying to make a GIF that is also a valid Haskell, all that for a CTF challenge. Although it was a pain in the ass to solve this challenge, the idea of having one file that has two formats was really interesting and somewhat useful to bypass upload restrictions and execute the unexpected type of your file with some LFI.
GIF + PHP
I was reading the PoC||GTFO Journal and they love the idea of a polyglot file; one of their issues is a PDF/Zip and NES ROM, so I started with the simplest — and probably the only one that is useful — file format: PHP. Why is it the simplest? Because you can state where the code starts with <? and where it ends with ?>, so I can put the PHP code anywhere in the file.
I already knew something about GIF, so let's start with it. Having in mind that the content of the GIF is worthless to us, the tiniest GIF possible is a great place to start:
HEX : 47 49 46 38 39 61 01 00 01 00 00 FF 00 2C 00 00 00 00 01 00 01 00 00 02 00 3B
ASCII : GIF89a���ÿ�,��������;
As explained in the blog post, that makes a 1x1 black GIF and it should break because it doesn't have the Global Color Table, but it works because the readers do not follow the specification at all. Now I want to put my PHP string somewhere in there. Reading the GIF89a Specification I've found the Comment Extension, which allows us to put a comment in the GIF at the end of the file. Something like that:
     7 6 5 4 3 2 1 0        Field Name                    Type
    +---------------+
 0  |     0x21      |       Extension Introducer          Byte
    +---------------+
 1  |     0xFE      |       Comment Label                 Byte
    +---------------+

    +===============+
    |      <?       |
 N  |  phpinfo();   |       Comment Data                  Data Sub-blocks
    |               |
    +===============+

    +---------------+
 0  |       ;       |       Block Terminator              Byte
    +---------------+
So now we can append our PHP code as a comment in the GIF:
HEX : 47 49 46 38 39 61 01 00 01 00 00 FF 00 2C 00 00 00 00 01 00 01 00 00 02 00 21 FE 3C 3F 70 68 70 69 6E 66 6F 28 29 3B
ASCII : GIF89a���ÿ�,��������!þ<?phpinfo();
Note that !þ = 0x21 0xFE, and PHP doesn't require the ?> at the end. Also GIF makes it easy for us by having the EOF as a semicolon.
PHP + PDF
Following the steps of PoC||GTFO, let's play with PDF. The plan is still the same: get the simplest PDF possible and try to append a comment.
I had a problem with the first part of the plan: I use OS X and its PDF reader is restrictive as fuck, nearly every simple PDF that I've found on the internet gives some error in OS X's reader. The only one that is all in ASCII and worked for me was this one: https://stackoverflow.com/a/32142316
%PDF-1.2
9 0 obj
<<
>>
stream
BT/ 9 Tf(Test)' ET
endstream
endobj
4 0 obj
<<
/Type /Page
/Parent 5 0 R
/Contents 9 0 R
>>
endobj
5 0 obj
<<
/Kids [4 0 R ]
/Count 1
/Type /Pages
/MediaBox [ 0 0 99 9 ]
>>
endobj
3 0 obj
<<
/Pages 5 0 R
/Type /Catalog
>>
endobj
trailer
<<
/Root 3 0 R
>>
%%EOF
It has a lot of parts that aren't required by other readers, like Chrome's reader, and it could actually be smaller, but it doesn't matter. PDF is much simpler: like any programming language it has a syntax for comments, which is %, so just put that after any line and append the PHP code.
%PDF-1.2
%<?phpinfo()?>
...
Simplest approach
Surfing the Web I've found something really cute, a repository with a huge list of the "Smallest possible […] file", so I started trying to append PHP to some of those files.
As it turns out, most of the files have an EOF marker of some kind to state that the file has ended, and most readers just ignore anything that is put after that EOF. Here are four examples:
ELF + PHP
HEX : 7F 45 4C 46 01 01 01 00 00 00 00 00 00 00 00 00 02 00 03 00 01 00 00 00 19 40 CD 80 2C 00 00 00 00 00 00 00 00 00 00 00 34 00 20 00 01 00 00 00 00 00 00 00 00 40 CD 80 00 40 CD 80 4C 00 00 00 4C 00 00 00 05 00 00 00 00 10 00 00 3C 3F 70 68 70 69 6E 66 6F 28 29 3B 3F 3E
ASCII : ELF��������������@̀,�����������4� ���������@̀�@̀L���L���������<?phpinfo();?>
MP3 + PHP
HEX : FF E3 18 C4 00 00 00 03 48 00 00 00 00 4C 41 4D 45 33 2E 39 38 2E 32 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 3C 3F 70 68 70 69 6E 66 6F 28 29 3B 3F 3E
ASCII : ÿãÄ���H����LAME3.98.2�������������������������������������������������<?phpinfo();?>
JPG + PHP
HEX : FF D8 FF DB 00 43 00 03 02 02 02 02 02 03 02 02 02 03 03 03 03 04 06 04 04 04 04 04 08 06 06 05 06 09 08 0A 0A 09 08 09 09 0A 0C 0F 0C 0A 0B 0E 0B 09 09 0D 11 0D 0E 0F 10 10 11 10 0A 0C 12 13 12 10 13 0F 10 10 10 FF C9 00 0B 08 00 01 00 01 01 01 11 00 FF CC 00 06 00 10 10 05 FF DA 00 08 01 01 00 00 3F 00 D2 CF 20 FF D9 3C 3F 70 68 70 69 6E 66 6F 28 29 3B 3F 3E
ASCII : ÿØÿÛ�C� ÿÉ� ���ÿÌ��ÿÚ���?�ÒÏ ÿÙ<?phpinfo();?>
Appending PHP to a JPEG is really old, but everybody just puts it in the EXIF, and I consider that cheating.
BMP + PHP
HEX : 42 4D 1E 00 00 00 00 00 00 00 1A 00 00 00 0C 00 00 00 01 00 01 00 01 00 18 00 00 00 FF 00 3C 3F 70 68 70 69 6E 66 6F 28 29 3B 3F 3E
ASCII : BM���������� ���������ÿ�<?phpinfo();?>
Bonus round:
After that finding I started playing with something more hardcore: a GIF that is also a valid Python. None of the above "techniques" works, because you can't just tell the Python interpreter where to start running the code like in PHP. Let's take another look at another GIF:
HEX : 47 49 46 38 39 61 01 00 01 00 80 01 00 FF FF FF 00 00 00 21 F9 04 01 0A 00 01 00 2C 00 00 00 00 01 00 01 00 00 02 02 4C 01 00 3B
ASCII : GIF89a��€�ÿÿÿ���!ù ��,�������L�;
Let's try an error-based analysis: what is the error that this file gives when run as a .py?
$ python tinytrans.gif
  File "tinytrans.gif", line 1
    GIF89a
          ^
SyntaxError: invalid syntax
It throws a syntax error at the 0x01 byte, which is expected. The GIF magic number specifies that it is a GIF and that its version is "89a"; it turns out that every reader just requires that the version is 89 or 87, ignoring the "a" part, so we can replace the "a" with a "=" and state that "GIF89" is a variable. That should be a nice start. Let's run again.
$ python tinytrans.gif
  File "tinytrans.gif", line 1
    GIF89=
          ^
SyntaxError: invalid syntax
Again, as expected. The first idea that I had was to simply comment out the gibberish part of the GIF and put a comment, just like in the PHP+GIF; that is valid Python and it was going to be fine. But in the middle of the gibberish there is a 0x0a byte, which is also a newline, and that bugs all my attempts. I was trying to make something like this:
GIF89=\ #[email protected][email protected]$!(@#@!_#)[email protected][email protected]!þ\ __import__('os').system('ls');
That is, a multi-line variable declaration using the '\', commenting out the non-ASCII in the middle of it, after that appending the '!þ' to start a GIF comment, jumping to another line and putting the actual code, followed by the EOF's semicolon, which is also valid in Python.
But making a comment inside a multi-line variable declaration was just impossible, while making it inside parentheses was valid: https://stackoverflow.com/a/22914853 . New attempt:
HEX :
47 49 46 38 39 3D 28 0A 00 00 80 01 00 FF FF FF 00 00 00 21 F9 04 01 00 00 01 00 2C 00 00 00 00 01 00 01 00 00 02 02 4C 01 00 21 FE 0A 5F 5F 69 6D 70 6F 72 74 5F 5F 28 27 6F 73 27 29 2E 73 79 73 74 65 6D 28 27 6C 73 27 29 29 3B
ASCII :
GIF89=( ��€�ÿÿÿ���!ù���,�������L�!þ __import__('os').system('ls'));
Note that the interpreter will just ignore the line that starts with a non-ASCII character, which is odd, so we don't need the #. And running:
$ python python.gif
bash.gif            handtinyblack.gif   php.elf    php.mp3      tinytrans.gif
bmp.bmp             php-logo-virus.jpg  php.gif    php.pdf      tinytrans.gpy
dude.gif            php.bmp             php.jpg    python.gif   tinytrans.py
Yay !
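As an added defender-side example (not code from the original post), here is a strict GIF validator for an upload handler that walks the block structure from the GIF89a specification, the way the lax readers above do not. It rejects the GIF+PHP comment trick, bytes appended after the 0x3B trailer, and the forged "GIF89=" header from the bonus round; the sample bytes are constructed from the hex dumps in this post.

```python
def validate_gif(data: bytes):
    """Return (ok, reason). ok only for a spec-conformant GIF with no bytes
    after the 0x3B trailer and no comment extension containing '<?'."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        return False, "bad header %r" % data[:6]          # catches "GIF89="
    if len(data) < 13:
        return False, "truncated logical screen descriptor"
    pos, packed = 13, data[10]
    if packed & 0x80:                                     # global color table
        pos += 3 * (2 ** ((packed & 0x07) + 1))

    def sub_blocks(p):
        # Data sub-blocks: a length byte, then that many bytes, until 0x00.
        out = bytearray()
        while True:
            n = data[p]; p += 1                           # IndexError if truncated
            if n == 0:
                return bytes(out), p
            if p + n > len(data):
                raise ValueError("sub-block length %d exceeds file" % n)
            out += data[p:p + n]; p += n

    try:
        while True:
            b = data[pos]; pos += 1
            if b == 0x3B:                                 # trailer: must be EOF
                extra = len(data) - pos
                if extra:
                    return False, "%d trailing bytes after trailer" % extra
                return True, "ok"
            if b == 0x21:                                 # extension block
                label = data[pos]; pos += 1
                body, pos = sub_blocks(pos)
                if label == 0xFE and b"<?" in body:
                    return False, "comment extension contains '<?'"
            elif b == 0x2C:                               # image descriptor
                lpacked = data[pos + 8]; pos += 9
                if lpacked & 0x80:                        # local color table
                    pos += 3 * (2 ** ((lpacked & 0x07) + 1))
                pos += 1                                  # LZW minimum code size
                _, pos = sub_blocks(pos)
            else:
                return False, "unexpected block introducer 0x%02X" % b
    except (ValueError, IndexError) as e:
        return False, str(e)

# Constructed from the post's dumps: the 1x1 black GIF and the GIF+PHP file.
TINY_GIF = bytes.fromhex("4749463839610100010000FF002C00000000010001000002003B")
GIF_PHP = TINY_GIF[:-1] + bytes.fromhex("21FE3C3F706870696E666F28293B")
```

The GIF+PHP file fails because its comment's first byte, 0x3C ("<"), is read as a sub-block length of 60 that runs past the end of the file; a well-formed comment carrying "<?" is still rejected by the content check.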
Source: https://hackernoon.com/six-files-that-are-also-a-valid-php-540343ad35c8