How to Upload Heavy File in Php

Six files that are also a valid PHP


By Caio Lüders (HackerNoon)

And a GIF that is also a Python

This story begins with me trying to make a GIF that is also valid Haskell, all for a CTF challenge. Although it was a pain in the ass to solve this challenge, the idea of having one file that has two formats was really interesting and somewhat useful to bypass upload restrictions and execute the unexpected type of your file with some LFI.

GIF + PHP

I was reading the PoC||GTFO Journal and they love the idea of a polyglot file; one of their issues is a PDF/ZIP and NES ROM. So I started with the simplest — and probably the only one that is useful — file format: PHP. Why is it the simplest? Because you can state where the code starts with <? and where it ends with ?>, so I can put the PHP code anywhere in the file.

I already knew something about GIF, so let's start with it. Keeping in mind that the content of the GIF is worthless to us, the tiniest GIF possible is a great place to start:

              HEX   : 47 49 46 38 39 61 01 00 01 00 00 FF 00 2C 00 00 00 00 01 00 01 00 00 02 00 3B            
              ASCII : GIF89a���ÿ�,��������;            

As explained in the blog post, that makes a 1x1 black GIF and it should break because it doesn't have the Global Color Table, but it works because the readers do not follow the specification to the letter. Now I want to put my PHP string somewhere in there. Reading the GIF89a Specification, I found the Comment Extension, which allows us to put a comment in the GIF at the end of the file. Something like this:

                   7 6 5 4 3 2 1 0        Field Name                    Type
                  +---------------+
               0  |      0x21     |       Extension Introducer          Byte
                  +---------------+
               1  |      0xFE     |       Comment Label                 Byte
                  +---------------+

                  +===============+
                  |    <?         |
               N  |    phpinfo(); |       Comment Data                  Data Sub-blocks
                  |               |
                  +===============+

                  +---------------+
               0  |       ;       |       Block Terminator              Byte
                  +---------------+

So now we can append our PHP code as a comment in the GIF:

              HEX   : 47 49 46 38 39 61 01 00 01 00 00 FF 00 2C 00 00 00 00 01 00 01 00 00 02 00 21 FE 3C 3F 70 68 70 69 6E 66 6F 28 29 3B
              ASCII : GIF89a���ÿ�,��������!þ<?phpinfo();

Note that !þ = 0x21 0xFE, and PHP doesn't require the ?> at the end. Also, GIF makes it easy for us by having the EOF as a semicolon.

PHP + PDF

Following the steps of PoC||GTFO, let's play with PDF. The plan is still the same: get the simplest PDF possible and try to append a comment.

I had a problem with the first part of the plan: I use OS X and its PDF reader is strict as fuck; almost every simple PDF that I've found on the internet has some error for the OS X reader. The only one that is all in ASCII and worked for me was this one: https://stackoverflow.com/a/32142316

              %PDF-1.2
              9 0 obj
              <<
              >>
              stream
              BT/ 9 Tf(Test)' ET
              endstream
              endobj
              4 0 obj
              <<
              /Type /Page
              /Parent 5 0 R
              /Contents 9 0 R
              >>
              endobj
              5 0 obj
              <<
              /Kids [4 0 R ]
              /Count 1
              /Type /Pages
              /MediaBox [ 0 0 99 9 ]
              >>
              endobj
              3 0 obj
              <<
              /Pages 5 0 R
              /Type /Catalog
              >>
              endobj
              trailer
              <<
              /Root 3 0 R
              >>
              %%EOF

It has a lot of parts that aren't required by other readers, like Chrome's reader, and it could actually be smaller, but it doesn't matter. PDF is much simpler: like any programming language, it has a marker for comments, which is %, so just put that after any line and append the PHP code.

              %PDF-1.2 %<?phpinfo()?> ...            

Simplest approach

Surfing the web, I found something really cute: a repository with a huge list of the "Smallest possible […] file", so I started to try appending PHP to some of those files.

As it turns out, most of the files have an EOF marker of some kind to state that the file has ended, and most readers just ignore anything that is put after that EOF. Here are four examples:

ELF + PHP

              HEX   : 7F 45 4C 46 01 01 01 00 00 00 00 00 00 00 00 00 02 00 03 00 01 00 00 00 19 40 CD 80 2C 00 00 00 00 00 00 00 00 00 00 00 34 00 20 00 01 00 00 00 00 00 00 00 00 40 CD 80 00 40 CD 80 4C 00 00 00 4C 00 00 00 05 00 00 00 00 10 00 00 3C 3F 70 68 70 69 6E 66 6F 28 29 3B 3F 3E
              ASCII : ELF��������������@̀,�����������4� ���������@̀�@̀L���L���������<?phpinfo();?>

MP3 + PHP

              HEX   : FF E3 18 C4 00 00 00 03 48 00 00 00 00 4C 41 4D 45 33 2E 39 38 2E 32 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 3C 3F 70 68 70 69 6E 66 6F 28 29 3B 3F 3E
              ASCII : ÿãÄ���H����LAME3.98.2�������������������������������������������������<?phpinfo();?>

JPG + PHP

              HEX   : FF D8 FF DB 00 43 00 03 02 02 02 02 02 03 02 02 02 03 03 03 03 04 06 04 04 04 04 04 08 06 06 05 06 09 08 0A 0A 09 08 09 09 0A 0C 0F 0C 0A 0B 0E 0B 09 09 0D 11 0D 0E 0F 10 10 11 10 0A 0C 12 13 12 10 13 0F 10 10 10 FF C9 00 0B 08 00 01 00 01 01 01 11 00 FF CC 00 06 00 10 10 05 FF DA 00 08 01 01 00 00 3F 00 D2 CF 20 FF D9 3C 3F 70 68 70 69 6E 66 6F 28 29 3B 3F 3E
              ASCII : ÿØÿÛ�C� ÿÉ� ���ÿÌ��ÿÚ���?�ÒÏ ÿÙ<?phpinfo();?>

Appending PHP to JPEG is really old, but everyone just puts it in the EXIF, and I consider it cheating.

BMP + PHP

              HEX   : 42 4D 1E 00 00 00 00 00 00 00 1A 00 00 00 0C 00 00 00 01 00 01 00 01 00 18 00 00 00 FF 00 3C 3F 70 68 70 69 6E 66 6F 28 29 3B 3F 3E
              ASCII : BM���������� ���������ÿ�<?phpinfo();?>
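
Seen from the upload-validation side, both tricks above (PHP inside a GIF Comment Extension, and PHP appended after a format's end marker) fail a strict structural parse. The following Python check for GIF is an added example, not code from the original article; the function names (`audit_gif`, `read_sub_blocks`, `skip_color_table`) are hypothetical and the sample files are rebuilt from the hex dumps above.

```python
PHP_OPEN = b"<?"  # open tag that starts every payload on this page

def read_sub_blocks(data, pos):
    """Read a chain of GIF data sub-blocks; return (payload, next position)."""
    payload = bytearray()
    while True:
        if pos >= len(data):
            raise ValueError("sub-block chain has no terminator")
        size = data[pos]
        pos += 1
        if size == 0:                      # 0x00 block terminator
            return bytes(payload), pos
        if pos + size > len(data):
            raise ValueError("sub-block runs past end of file")
        payload += data[pos:pos + size]
        pos += size

def skip_color_table(packed, pos):
    """Skip a color table when the packed byte's high bit announces one."""
    return pos + 3 * (2 << (packed & 0x07)) if packed & 0x80 else pos

def audit_gif(data):
    """Walk a GIF strictly (no lenient-reader shortcuts); return reject reasons."""
    if len(data) < 13 or data[:6] not in (b"GIF87a", b"GIF89a"):
        return ["bad or truncated header"]
    findings, pos = [], skip_color_table(data[10], 13)
    try:
        while (block := data[pos:pos + 1]) != b"\x3b":       # until ';' trailer
            if block == b"\x2c" and pos + 10 <= len(data):   # image descriptor
                pos = skip_color_table(data[pos + 9], pos + 10) + 1  # +1: LZW size
                _, pos = read_sub_blocks(data, pos)
            elif block == b"\x21" and pos + 2 <= len(data):  # extension block
                label = data[pos + 1]
                payload, pos = read_sub_blocks(data, pos + 2)
                if label == 0xFE and PHP_OPEN in payload:
                    findings.append("PHP open tag in Comment Extension")
            else:
                raise ValueError("unexpected byte or truncation at offset %d" % pos)
        pos += 1                           # step over the trailer byte
    except ValueError as err:
        return findings + ["malformed: %s" % err]
    if pos < len(data):
        findings.append("%d trailing bytes after trailer" % (len(data) - pos))
    return findings

# Samples rebuilt from this page's hex dumps (clean, GIF+PHP comment, appended PHP).
TINY_GIF = bytes.fromhex("47 49 46 38 39 61 01 00 01 00 00 FF 00 2C 00 00 00 00 01 00 01 00 00 02 00 3B")
GIF_PHP = TINY_GIF[:-1] + b"\x21\xfe<?phpinfo();"
APPENDED = TINY_GIF + b"<?phpinfo();?>"
```

The GIF+PHP file from this page is rejected as malformed because its first comment byte (0x3C) is read as a sub-block length that runs past the end of the file. A structural check like this is only a first filter: re-encoding uploaded images and storing them where the PHP interpreter never executes or include()s them is what closes the LFI path.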

Bonus round :

After that finding I started playing with something more hardcore: a GIF that is also valid Python. None of the above "techniques" work, because you can't just tell the Python interpreter where to start running the code, as you can with PHP. Let's take another look at another GIF:

              HEX   : 47 49 46 38 39 61 01 00 01 00 80 01 00 FF FF FF 00 00 00 21 F9 04 01 0A 00 01 00 2C 00 00 00 00 01 00 01 00 00 02 02 4C 01 00 3B
              ASCII : GIF89a��€�ÿÿÿ���!ù ��,�������L�;

Let's try an error-based analysis: what is the error that this file gives when run as a .py?

              $ python tinytrans.gif
                File "tinytrans.gif", line 1
                  GIF89a
                        ^
              SyntaxError: invalid syntax

It throws a syntax error at the 0x01 byte, which is expected. The GIF magic number specifies that it is a GIF and that its version is "89a". It turns out that every reader only requires that the version is 89 or 87, ignoring the "a" part, so we can replace the "a" with a "=" and state that "GIF89" is a variable; that should be a nice start. Let's run again.

              $ python tinytrans.gif
                File "tinytrans.gif", line 1
                  GIF89=
                        ^
              SyntaxError: invalid syntax

Again, as expected. The first idea that I had was to just comment out the gibberish part of the GIF and put in a comment, just like with the PHP+GIF, that is valid Python, and it was going to be fine. But in the middle of the gibberish there is a 0x0a byte, which is also a newline, and that broke all my attempts. I was trying to make something like this:

              GIF89=\
              #[email protected][email protected]$!(@#@!_#)[email protected][email protected]!þ\
              __import__('os').system('ls');

That is, a multi-line variable declaration using the '\', in the middle of it just commenting out the non-ASCII bytes, after that appending the '!þ' to start a GIF comment, jumping to another line and putting the actual code, followed by the EOF's semicolon, which is also valid in Python.

But putting a comment in a multi-line variable declaration was just impossible, whereas doing that inside parentheses was valid: https://stackoverflow.com/a/22914853 . New attempt:

HEX :

              47 49 46 38 39 3D 28 0A 00 00 80 01 00 FF FF FF 00 00 00 21 F9 04 01 00 00 01 00 2C 00 00 00 00 01 00 01 00 00 02 02 4C 01 00 21 FE 0A 5F 5F 69 6D 70 6F 72 74 5F 5F 28 27 6F 73 27 29 2E 73 79 73 74 65 6D 28 27 6C 73 27 29 29 3B

ASCII :

              GIF89=(
              ��€�ÿÿÿ���!ù���,�������L�!þ
              __import__('os').system('ls'));

Note that the interpreter will just ignore the line that starts with a non-ASCII character, which is odd, so we don't need the #. And running:

              $ python python.gif
              bash.gif  handtinyblack.gif   php.elf   php.mp3     tinytrans.gif
              bmp.bmp   php-logo-virus.jpg  php.gif   php.pdf     tinytrans.gpy
              dude.gif  php.bmp             php.jpg   python.gif  tinytrans.py

Yay !


Source: https://hackernoon.com/six-files-that-are-also-a-valid-php-540343ad35c8
