How to Upload File to Wordpress Through a File Link in Php

Six files that are also a valid PHP

Caio Lüders

And a GIF that is also a Python

This story begins with me trying to make a GIF that is also valid Haskell, all for a CTF challenge. Although it was a pain in the ass to solve this challenge, the idea of having one file that has two formats was really interesting and somewhat useful to bypass upload restrictions and execute the unexpected type of your file with some LFI.

GIF + PHP

I was reading the PoC||GTFO journal and they love the idea of a polyglot file; one of their issues is a PDF/Zip and NES ROM, so I started with the simplest (and probably the only one that is useful) file format: PHP. Why is it the simplest? Because you can state where the code starts with <? and where it ends with ?>, so I can put the PHP code anywhere in the file.

I already knew something about GIF, so let's start with it. Keeping in mind that the content of the GIF is worthless to us, the tiniest GIF possible is a great place to start:

              HEX   : 47 49 46 38 39 61 01 00 01 00 00 FF 00 2C 00 00 00 00 01 00 01 00 00 02 00 3B            
              ASCII : GIF89a���ÿ�,��������;            

As explained in the blog post, that makes a 1x1 black GIF, and it should break because it doesn't have the Global Color Table, but it works because readers do not follow the specification to the letter. Now I want to put my PHP string somewhere in there. Reading the GIF89a Specification I found the Comment Extension, which allows us to put a comment in the GIF at the end of the file. Something like this:

                    7 6 5 4 3 2 1 0        Field Name                    Type
                   +---------------+
                0  |      0x21     |       Extension Introducer          Byte
                   +---------------+
                1  |      0xFE     |       Comment Label                 Byte
                   +---------------+

                   +===============+
                   |    <?         |
                N  |    phpinfo(); |       Comment Data            Data Sub-blocks
                   |               |
                   +===============+

                   +---------------+
                0  |       ;       |       Block Terminator              Byte
                   +---------------+

So now we can append our PHP code as a comment in the GIF:

              HEX   : 47 49 46 38 39 61 01 00 01 00 00 FF 00 2C 00 00 00 00 01 00 01 00 00 02 00 21 FE 3C 3F 70 68 70 69 6E 66 6F 28 29 3B
              ASCII : GIF89a���ÿ�,��������!þ<?phpinfo();

Note that !þ = 0x21 0xFE, and PHP doesn't require the ?> at the end. Also, GIF makes it easy for us by having the EOF as a semicolon.

PHP + PDF

Following the steps of PoC||GTFO, let's play with PDF. The plan is still the same: get the simplest PDF possible and try to append a comment.

I had a problem with the first part of the plan: I use OS X and its PDF reader is strict as fuck; almost every simple PDF that I found on the internet has some error for the OS X reader. The only one that is all in ASCII and worked for me was this one: https://stackoverflow.com/a/32142316

              %PDF-1.2
              9 0 obj
              << >>
              stream
              BT/ 9 Tf(Test)' ET
              endstream
              endobj
              4 0 obj
              << /Type /Page /Parent 5 0 R /Contents 9 0 R >>
              endobj
              5 0 obj
              << /Kids [4 0 R ] /Count 1 /Type /Pages /MediaBox [ 0 0 99 9 ] >>
              endobj
              3 0 obj
              << /Pages 5 0 R /Type /Catalog >>
              endobj
              trailer
              << /Root 3 0 R >>
              %%EOF

It has a lot of parts that aren't required by other readers, like Chrome's reader, and it could be much smaller, but it doesn't matter. PDF is much simpler: like any programming language, it has a marker for comments, which is %, so just put that after any line and append the PHP code.

              %PDF-1.2
              %<?phpinfo()?>
              ...

Simplest approach

Surfing the web I found something really cute: a repository with a huge list of the "Smallest possible […] file", so I started trying to append PHP to some of those files.

As it turns out, most of the files have an EOF of some kind to state that the file has ended, and most readers just ignore anything that is put after that EOF. Here are four examples:

ELF + PHP

              HEX   : 7F 45 4C 46 01 01 01 00 00 00 00 00 00 00 00 00 02 00 03 00 01 00 00 00 19 40 CD 80 2C 00 00 00 00 00 00 00 00 00 00 00 34 00 20 00 01 00 00 00 00 00 00 00 00 40 CD 80 00 40 CD 80 4C 00 00 00 4C 00 00 00 05 00 00 00 00 10 00 00 3C 3F 70 68 70 69 6E 66 6F 28 29 3B 3F 3E
              ASCII : ELF��������������@̀,�����������4� ���������@̀�@̀L���L���������<?phpinfo();?>

MP3 + PHP

              HEX   : FF E3 18 C4 00 00 00 03 48 00 00 00 00 4C 41 4D 45 33 2E 39 38 2E 32 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 3C 3F 70 68 70 69 6E 66 6F 28 29 3B 3F 3E
              ASCII : ÿãÄ���H����LAME3.98.2�������������������������������������������������<?phpinfo();?>

JPG + PHP

              HEX   : FF D8 FF DB 00 43 00 03 02 02 02 02 02 03 02 02 02 03 03 03 03 04 06 04 04 04 04 04 08 06 06 05 06 09 08 0A 0A 09 08 09 09 0A 0C 0F 0C 0A 0B 0E 0B 09 09 0D 11 0D 0E 0F 10 10 11 10 0A 0C 12 13 12 10 13 0F 10 10 10 FF C9 00 0B 08 00 01 00 01 01 01 11 00 FF CC 00 06 00 10 10 05 FF DA 00 08 01 01 00 00 3F 00 D2 CF 20 FF D9 3C 3F 70 68 70 69 6E 66 6F 28 29 3B 3F 3E
              ASCII : ÿØÿÛ�C�
                      ÿÉ� ���ÿÌ��ÿÚ���?�ÒÏ ÿÙ<?phpinfo();?>

Appending PHP to JPEG is really old, but everyone just puts it in the EXIF, and I consider that cheating.

BMP + PHP

              HEX   : 42 4D 1E 00 00 00 00 00 00 00 1A 00 00 00 0C 00 00 00 01 00 01 00 01 00 18 00 00 00 FF 00 3C 3F 70 68 70 69 6E 66 6F 28 29 3B 3F 3E
              ASCII : BM���������� ���������ÿ�<?phpinfo();?>

Bonus round :

After that finding I started playing with something more hardcore: a GIF that is also valid Python. None of the above "techniques" work because you can't just tell the Python interpreter where to start running the code like in PHP. Let's take another look at another GIF:

              HEX   : 47 49 46 38 39 61 01 00 01 00 80 01 00 FF FF FF 00 00 00 21 F9 04 01 0A 00 01 00 2C 00 00 00 00 01 00 01 00 00 02 02 4C 01 00 3B
              ASCII : GIF89a��€�ÿÿÿ���!ù ��,�������L�;

Let's try an error-based analysis: what is the error that this file gives when run as a .py?

              $ python tinytrans.gif
                File "tinytrans.gif", line 1
                  GIF89a
                        ^
              SyntaxError: invalid syntax

It throws a syntax error at the 0x01 byte, which is expected. The GIF magic number specifies that it is a GIF and that its version is "89a"; it turns out that every reader just requires that the version is 89 or 87, ignoring the "a" part, so we can replace the "a" with a "=" and state that "GIF89" is a variable. That should be a nice start. Let's run again.

              $ python tinytrans.gif
                File "tinytrans.gif", line 1
                  GIF89=
                        ^
              SyntaxError: invalid syntax

Again, as expected. The first idea that I had was to just comment out the gibberish part of the GIF and put a comment, just like in the PHP+GIF, that is valid Python, and it was going to be fine. But in the middle of the gibberish it has a 0x0a byte, which is also a newline, and that breaks all my attempts. I was trying to make something like this:

              GIF89=\
              #[email protected][email protected]$!(@#@!_#)[email protected][email protected]!þ\
              __import__('os').system('ls');

That is, a multi-line variable declaration using the '\', and in the middle of it just commenting out the non-ASCII, after that appending the '!þ' to start a GIF comment, jumping to another line and putting the actual code, followed by the EOF's semicolon, which is also valid in Python.

But making a comment in a multi-line variable declaration was just impossible, while doing it inside parentheses was valid: https://stackoverflow.com/a/22914853 . New try:

HEX :

              47 49 46 38 39 3D 28 0A 00 00 80 01 00 FF FF FF 00 00 00 21 F9 04 01 00 00 01 00 2C 00 00 00 00 01 00 01 00 00 02 02 4C 01 00 21 FE 0A 5F 5F 69 6D 70 6F 72 74 5F 5F 28 27 6F 73 27 29 2E 73 79 73 74 65 6D 28 27 6C 73 27 29 29 3B            

ASCII :

              GIF89=(
              ��€�ÿÿÿ���!ù���,�������L�!þ
              __import__('os').system('ls'));

Note that the interpreter will just ignore the line that starts with a non-ASCII character, which is odd, so we don't need the #. And running:

              $ python python.gif
              fustigate.gif  handtinyblack.gif php.elf   php.mp3   tinytrans.gif
              bmp.bmp   php-logo-virus.jpg php.gif   php.pdf   tinytrans.gpy
              dude.gif  php.bmp   php.jpg   python.gif  tinytrans.py

Yay !
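
From the upload-validation side, an added example (not part of the original post): a strict check that walks the GIF block structure, so the GIF + PHP sample above fails on its malformed comment sub-block and the GIF89= file fails on its signature, while a '<?' scan and a JPEG end-marker test cover the append-after-EOF files. The function names are hypothetical; the sample bytes are the post's own hex dumps.

```python
TINY_GIF = bytes.fromhex("474946383961 01000100 00FF00 2C 000000000100010000 02 00 3B")
GIF_PHP = TINY_GIF[:-1] + bytes.fromhex("21FE") + b"<?phpinfo();"  # GIF + PHP dump above

def sub_blocks(d, i):  # read a chain of data sub-blocks at i -> (payload, next offset)
    payload = b""
    while True:
        n = d[i]                          # IndexError if the chain is truncated
        if n == 0:                        # zero-length block terminates the chain
            return payload, i + 1
        if i + 1 + n > len(d):
            raise ValueError("sub-block runs past end of file")
        payload += d[i + 1:i + 1 + n]
        i += 1 + n

def color_table_size(packed):  # bit 7 = table present, bits 0-2 = size exponent
    return 3 * (2 << (packed & 7)) if packed & 0x80 else 0

def gif_findings(d):
    """Strictly parse a GIF; return reasons to reject it (empty list = well-formed)."""
    if d[:6] not in (b"GIF87a", b"GIF89a"):
        return ["bad GIF signature"]
    out = []
    try:
        i = 13 + color_table_size(d[10])  # header + logical screen descriptor
        while d[i] != 0x3B:               # 0x3B is the trailer
            if d[i] == 0x2C:              # image descriptor, then LZW code size byte
                i += 10 + color_table_size(d[i + 9]) + 1
                _, i = sub_blocks(d, i)
            elif d[i] == 0x21:            # extension: label byte, then sub-blocks
                label = d[i + 1]
                payload, i = sub_blocks(d, i + 2)
                if label == 0xFE and b"<?" in payload:
                    out.append("PHP open tag in comment extension")
            else:
                raise ValueError(f"unknown block 0x{d[i]:02X}")
        if i + 1 != len(d):
            out.append("data after trailer")
    except (IndexError, ValueError) as e:
        out.append(f"malformed GIF: {e}")
    return out

def inspect_upload(d):
    """Findings for an upload that is supposed to be an image."""
    out = ["contains '<?'"] if b"<?" in d else []
    if d[:3] == b"GIF":
        out += gif_findings(d)
    elif d[:2] == b"\xff\xd8" and not d.endswith(b"\xff\xd9"):
        out.append("JPEG does not end at its EOI marker")
    return out
```

A two-byte '<?' can occur by chance in real image data, so treat that finding as a signal rather than proof. Re-encoding accepted images and serving uploads from a location where PHP is never executed removes the payload's effect either way.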

Source: https://hackernoon.com/six-files-that-are-also-a-valid-php-540343ad35c8