The Php Temporary Folder Is the Folder That Php Uses to Store an Uploaded File Before Joomla

Six files that are also a valid PHP

Caio Lüders

And a GIF that is also a Python

This story begins with me trying to make a GIF that is also valid Haskell, all that for a CTF challenge. Although it was a pain in the ass to kill this challenge, the idea of having one file that has two formats was really interesting and somewhat useful to bypass upload restrictions and execute the unexpected type of your file with some LFI.

GIF + PHP

I was reading the PoC||GTFO Journal and they love the idea of a polyglot file; one of their issues is a PDF/Zip and NES ROM, so I started with the simplest — and probably the only one that is useful — file format: PHP. Why is it the simplest? Because you can state where the code starts with <? and where it ends with ?>, so I can put the PHP code anywhere in the file.

I already knew something about GIF, so let's start with it. Keeping in mind that the content of the GIF is worthless to us, the tiniest GIF possible is a nice place to start:

              HEX   : 47 49 46 38 39 61 01 00 01 00 00 FF 00 2C 00 00 00 00 01 00 01 00 00 02 00 3B            
              ASCII : GIF89a���ÿ�,��������;            

As explained in the blog post, that makes a 1x1 black GIF and it should break because it doesn't have the Global Color Table, but it works because the readers do not follow the specification to the letter. Now I want to put my PHP string somewhere in there. Reading the GIF89a Specification I've found the Comment Extension, which lets us put a comment in the GIF at the end of the file. Something like this:

                    7 6 5 4 3 2 1 0        Field Name                    Type
                   +---------------+
                0  |      0x21     |       Extension Introducer          Byte
                   +---------------+
                1  |      0xFE     |       Comment Label                 Byte
                   +---------------+

                   +===============+
                   |    <?         |
                N  |    phpinfo(); |       Comment Data                  Data Sub-blocks
                   |               |
                   +===============+

                   +---------------+
                0  |       ;       |       Block Terminator              Byte
                   +---------------+

So now we can append our PHP code as a comment in the GIF:

              HEX   : 47 49 46 38 39 61 01 00 01 00 00 FF 00 2C 00 00 00 00 01 00 01 00 00 02 00 21 FE 3C 3F 70 68 70 69 6E 66 6F 28 29 3B
              ASCII : GIF89a���ÿ�,��������!þ<?phpinfo();

Note that !þ = 0x21 0xFE, and PHP doesn't require the ?> at the end. GIF also makes it easy for us by having the EOF as a semicolon.
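The block layout above can be checked mechanically on the receiving side. The following strict GIF block walker is an added example, not code from the original post (the names `inspect_gif`, `read_sub_blocks` and `table_len` are hypothetical); it walks the two byte strings from the hex dumps above and reports comment data and anything after the trailer.

```python
class GifError(ValueError):
    """Raised when the byte stream is not a well-formed GIF."""

def read_sub_blocks(data, pos):
    """Collect length-prefixed data sub-blocks up to the 0x00 terminator."""
    out = bytearray()
    while True:
        if pos >= len(data):
            raise GifError("sub-block chain runs past end of file")
        size, pos = data[pos], pos + 1
        if size == 0:
            return bytes(out), pos
        if pos + size > len(data):
            raise GifError(f"sub-block declares {size} bytes, {len(data) - pos} left")
        out += data[pos:pos + size]
        pos += size

def table_len(packed):
    """Byte length of the colour table described by a packed-fields byte."""
    return 3 * (2 << (packed & 0x07)) if packed & 0x80 else 0

def inspect_gif(data):
    """Return (comments, bytes_after_trailer); raise GifError if malformed."""
    if data[:6] not in (b"GIF87a", b"GIF89a") or len(data) < 13:
        raise GifError("bad signature or truncated header")
    pos = 13 + table_len(data[10])          # skip header, LSD, global table
    comments = []
    while pos < len(data):
        block = data[pos]
        if block == 0x3B:                   # Trailer: anything after is extra
            return comments, data[pos + 1:]
        if block == 0x21 and pos + 1 < len(data):      # Extension Introducer
            label = data[pos + 1]
            body, pos = read_sub_blocks(data, pos + 2)
            if label == 0xFE:               # Comment Label
                comments.append(body)
        elif block == 0x2C and pos + 10 <= len(data):  # Image Descriptor
            pos += 10 + table_len(data[pos + 9]) + 1   # + LZW min code size
            _, pos = read_sub_blocks(data, pos)
        else:
            raise GifError(f"unexpected byte 0x{block:02X} at offset {pos}")
    raise GifError("missing trailer")

# Byte strings copied from the two hex dumps in this section.
TINY_GIF = bytes.fromhex("47494638396101000100 00FF00 2C000000000100010000 0200 3B")
GIF_PHP = TINY_GIF[:-1] + b"\x21\xFE" + b"<?phpinfo();"
```

`inspect_gif(GIF_PHP)` raises because the first comment byte `<` (0x3C) is read as a 60-byte sub-block length with only 11 bytes left. A correctly framed comment would pass, so the returned comment bodies still need to be screened or dropped by re-encoding the image.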

PHP + PDF

Following the steps of PoC||GTFO, let's play with PDF. The plan is still the same: get the simplest PDF possible and try to append a comment.

I had a problem with the first part of the plan: I use OS X and its PDF reader is strict as fuck, almost every simple PDF that I've found on the internet has some error for OS X's reader. The only one that is all in ASCII and worked for me was this one: https://stackoverflow.com/a/32142316

              %PDF-1.2
              9 0 obj
              <<
              >>
              stream
              BT/ 9 Tf(Test)' ET
              endstream
              endobj
              4 0 obj
              <<
              /Type /Page
              /Parent 5 0 R
              /Contents 9 0 R
              >>
              endobj
              5 0 obj
              <<
              /Kids [4 0 R ]
              /Count 1
              /Type /Pages
              /MediaBox [ 0 0 99 9 ]
              >>
              endobj
              3 0 obj
              <<
              /Pages 5 0 R
              /Type /Catalog
              >>
              endobj
              trailer
              <<
              /Root 3 0 R
              >>
              %%EOF

It has a lot of parts that aren't required by other readers, like Chrome's reader, and it could be much smaller, but it doesn't matter. PDF is much simpler: like any programming language it has a marker for comments, which is %, so just put that after any line and append the PHP code.

              %PDF-1.2
              %<?phpinfo()?>
              ...

Simplest approach

Surfing the Web I've found something really beautiful, a repository with a huge list of the "Smallest possible […] file", so I started to try appending PHP to some of those files.

As it turns out, most of the files have an EOF of some kind to state that the file has ended, and most readers just ignore anything that is put after that EOF. Here are four examples:

ELF + PHP

              HEX   : 7F 45 4C 46 01 01 01 00 00 00 00 00 00 00 00 00 02 00 03 00 01 00 00 00 19 40 CD 80 2C 00 00 00 00 00 00 00 00 00 00 00 34 00 20 00 01 00 00 00 00 00 00 00 00 40 CD 80 00 40 CD 80 4C 00 00 00 4C 00 00 00 05 00 00 00 00 10 00 00 3C 3F 70 68 70 69 6E 66 6F 28 29 3B 3F 3E
              ASCII : ELF��������������@̀,�����������4� ���������@̀�@̀L���L���������<?phpinfo();?>

MP3 + PHP

              HEX   : FF E3 18 C4 00 00 00 03 48 00 00 00 00 4C 41 4D 45 33 2E 39 38 2E 32 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 3C 3F 70 68 70 69 6E 66 6F 28 29 3B 3F 3E
              ASCII : ÿãÄ���H����LAME3.98.2�������������������������������������������������<?phpinfo();?>

JPG + PHP

              HEX   : FF D8 FF DB 00 43 00 03 02 02 02 02 02 03 02 02 02 03 03 03 03 04 06 04 04 04 04 04 08 06 06 05 06 09 08 0A 0A 09 08 09 09 0A 0C 0F 0C 0A 0B 0E 0B 09 09 0D 11 0D 0E 0F 10 10 11 10 0A 0C 12 13 12 10 13 0F 10 10 10 FF C9 00 0B 08 00 01 00 01 01 01 11 00 FF CC 00 06 00 10 10 05 FF DA 00 08 01 01 00 00 3F 00 D2 CF 20 FF D9 3C 3F 70 68 70 69 6E 66 6F 28 29 3B 3F 3E
              ASCII : ÿØÿÛ�C� ÿÉ� ���ÿÌ��ÿÚ���?�ÒÏ ÿÙ<?phpinfo();?>

Appending PHP to JPEG is really old, but everyone just puts it in the EXIF, and I consider that cheating.

BMP + PHP

              HEX   : 42 4D 1E 00 00 00 00 00 00 00 1A 00 00 00 0C 00 00 00 01 00 01 00 01 00 18 00 00 00 FF 00 3C 3F 70 68 70 69 6E 66 6F 28 29 3B 3F 3E
              ASCII : BM���������� ���������ÿ�<?phpinfo();?>
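Because these files rely on readers ignoring bytes after the logical end of the format, an upload check can compute that end itself and report what follows. This is an added example, not code from the original post (the names `jpeg_end`, `bmp_end` and `audit_upload` are hypothetical); it covers the JPEG and BMP samples above, rebuilt from their hex dumps.

```python
PHP = b"<?phpinfo();?>"                  # the payload used throughout this page
STUFFING = {0x00, *range(0xD0, 0xD8)}    # FF00 and RST0..RST7 inside scan data

def jpeg_end(data):
    """Offset just past EOI, found by walking segments (not by searching)."""
    pos = 2
    while pos + 2 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker == 0xD9:                       # EOI
            return pos + 2
        if pos + 4 > len(data):
            break
        pos += 2 + int.from_bytes(data[pos + 2:pos + 4], "big")
        if marker == 0xDA:                       # SOS: skip entropy-coded data
            while pos + 1 < len(data) and not (
                    data[pos] == 0xFF and data[pos + 1] not in STUFFING):
                pos += 1
    raise ValueError("malformed JPEG: no EOI reached")

def bmp_end(data):
    """End of a BMP according to the little-endian file-size header field."""
    if len(data) < 6:
        raise ValueError("truncated BMP header")
    size = int.from_bytes(data[2:6], "little")
    if size > len(data):
        raise ValueError("BMP declares more bytes than the file holds")
    return size

def audit_upload(data):
    """Return (format, bytes_after_logical_end, has_php_open_tag)."""
    if data[:2] == b"BM":
        fmt, end = "bmp", bmp_end(data)
    elif data[:2] == b"\xFF\xD8":
        fmt, end = "jpeg", jpeg_end(data)
    else:
        raise ValueError("unsupported format")
    # "<?" also covers short tags; it can false-positive on real pixel data.
    return fmt, data[end:], b"<?" in data

# Samples rebuilt from the hex dumps on this page.
BMP_PHP = bytes.fromhex("42 4D 1E 00 00 00 00 00 00 00 1A 00 00 00 0C 00 00 00 "
                        "01 00 01 00 01 00 18 00 00 00 FF 00") + PHP
JPG_PHP = bytes.fromhex(
    "FF D8 FF DB 00 43 00 03 02 02 02 02 02 03 02 02 02 03 03 03 03 04 06 04 04 "
    "04 04 04 08 06 06 05 06 09 08 0A 0A 09 08 09 09 0A 0C 0F 0C 0A 0B 0E 0B 09 "
    "09 0D 11 0D 0E 0F 10 10 11 10 0A 0C 12 13 12 10 13 0F 10 10 10 FF C9 00 0B "
    "08 00 01 00 01 01 01 11 00 FF CC 00 06 00 10 10 05 FF DA 00 08 01 01 00 00 "
    "3F 00 D2 CF 20 FF D9") + PHP
```

Non-empty trailing bytes are a reason to reject the upload or to re-encode it, which discards everything outside the image data.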

Bonus round :

After that finding I started playing with something more hardcore: a GIF that is also valid Python. None of the above "techniques" work because you can't simply tell the Python interpreter where to start running the code like in PHP. Let's take another look at another GIF:

              HEX   : 47 49 46 38 39 61 01 00 01 00 80 01 00 FF FF FF 00 00 00 21 F9 04 01 0A 00 01 00 2C 00 00 00 00 01 00 01 00 00 02 02 4C 01 00 3B
              ASCII : GIF89a��€�ÿÿÿ���!ù ��,�������L�;

Let's try an error-based analysis: what is the error that this file gives when run as a .py?

              $ python tinytrans.gif
                File "tinytrans.gif", line 1
                  GIF89a
                        ^
              SyntaxError: invalid syntax

It throws a syntax error at the 0x01 byte, which is expected. The GIF magic number specifies that it is a GIF and that its version is "89a"; it turns out that every reader only requires that the version is 89 or 87, ignoring the "a" part, so we can replace the "a" with a "=" and state that "GIF89" is a variable. That should be a nice start. Let's run again.

              $ python tinytrans.gif
                File "tinytrans.gif", line 1
                  GIF89=
                        ^
              SyntaxError: invalid syntax

Again, as expected. The first idea that I had was to just comment out the gibberish part of the GIF and put a comment, just like in the PHP+GIF, that is valid Python, and it was going to be fine. But in the middle of the gibberish there is a 0x0a byte, which is also a new line, and that bugs all my attempts. I was trying to make something like this:

              GIF89=\
              #[e-mail protected][e-mail protected]$!(@#@!_#)[email protected][email protected]!þ\
              __import__('os').system('ls');

That is, a multi-line variable declaration using the '\', and in the middle of it just commenting out the non-ASCII; after that, appending the '!þ' to start a GIF comment, jumping to another line and putting the actual code, followed by the EOF's semicolon, which is also valid in Python.

But trying to make a comment in a multi-line variable declaration was just impossible, while doing that within parentheses was valid: https://stackoverflow.com/a/22914853 . New attempt:

HEX :

              47 49 46 38 39 3D 28 0A 00 00 80 01 00 FF FF FF 00 00 00 21 F9 04 01 00 00 01 00 2C 00 00 00 00 01 00 01 00 00 02 02 4C 01 00 21 FE 0A 5F 5F 69 6D 70 6F 72 74 5F 5F 28 27 6F 73 27 29 2E 73 79 73 74 65 6D 28 27 6C 73 27 29 29 3B            

ASCII :

              GIF89=(
              ��€�ÿÿÿ���!ù���,�������L�!þ
              __import__('os').system('ls'));

Note that the interpreter will just ignore the line that starts with a non-ASCII character, which is odd, so we don't need the #. And running:

              $ python python.gif
              bash.gif  handtinyblack.gif   php.elf  php.mp3     tinytrans.gif
              bmp.bmp   php-logo-virus.jpg  php.gif  php.pdf     tinytrans.gpy
              dude.gif  php.bmp             php.jpg  python.gif  tinytrans.py

Yay !


Source: https://hackernoon.com/six-files-that-are-also-a-valid-php-540343ad35c8
