How to Upload a Php File to Nginx

Six files that are also a valid PHP

Half dozen files that are as well a valid PHP and a Haskell GIF that is also a Python-Python-Python. The claiming was inspired by the PoC||GTFO Periodical'south idea of a polyglot file. The idea of having one file that has ii formats was interesting and somewhat useful to featherbed upload restrictions and execute the unexpected type of your file with some LFI. I've institute a repository with a huge list with the "Smallest possible's possible" listing.

And a GIF that is as well a Python

That history begins with me trying to brand a GIF that is also a valid Haskell, all that for a CTF claiming. Although was a pain in the ass to impale this challenge, the idea of having 1 file that has two format was actually interesting and somewhat useful to featherbed upload restrictions and execute the unexpected type of your file with some LFI.

GIF + PHP

I was reading the PoC||GTFO Journal and they dear the idea of a polyglot file, i of their issues is a PDF/Zip and NES ROM , and so I started with the simplest — and probably the only one that is useful — file format : PHP. Why is the simplest? Because you can state where the code starts with <? and where information technology ends with ?> , with that I tin put the PHP code anywhere in the file.

I already knew something about GIF, so let'south commencement with information technology. Having in mind that the content of the GIF is worthless to us the tiniest GIF possible is a great place to outset :

              HEX   : 47 49 46 38 39 61 01 00 01 00 00 FF 00 2C 00 00 00 00 01 00 01 00 00 02 00 3B            

              ASCII : GIF89a���ÿ�,��������;            

As explained in the blog post, that makes a 1x1 black gif and it should break considering it doesn't have the Global Colour Table, but it works because the readers does non follow the specification at risk. At present I want to put my PHP string somewhere in in that location. Reading the GIF89a Specification I've establish the Comment Extension which let u.s. to put a comment in the GIF at the stop of the file. Something similar that :

                              seven half-dozen five four 3 2 1 0        Field Name                    Type      +---------------+   0  |      0x21     |       Extension Introducer          Byte      +---------------+   1  |      0xFE     |       Comment Label                 Byte      +---------------+       +===============+      |    <?         |   N  |    phpinfo(); |       Comment Data            Data Sub-blocks      |               |      +===============+       +---------------+   0  |       ;       |       Block Terminator              Byte      +---------------+            

So now we tin append our PHP code equally a comment in the GIF :

              HEX   : 47 49 46 38 39 61 01 00 01 00 00 FF 00 2C 00 00 00 00 01 00 01 00 00 02 00 21 FE 3C 3F 70 68 lxx 69 6E 66 6F 28 29 3B ASCII : GIF89a���ÿ�,��������!þ<?phpinfo();            

Note that !þ = 0x21 0xFE , and PHP doesn't require the ?> at the finish. Also GIF makes like shooting fish in a barrel for us having the EOF equally a semicolon.

PHP + PDF

Following the steps of PoC||GTFO permit'due south play with PDF. The plan nonetheless the same, get the simplest PDF possible and try to suspend a comment.

I had a problem with the first office of the plan, I employ OS X and his PDF reader is restrict equally fuck, almost every simple PDF that I've institute in the internet has some fault for the OS X's reader. The simply one that is all in ASCII and worked for me was this one: https://stackoverflow.com/a/32142316

              %PDF-one.2  nine 0 obj << >> stream BT/ nine Tf(Examination)' ET endstream endobj 4 0 obj << /Type /Folio /Parent 5 0 R /Contents ix 0 R >> endobj 5 0 obj << /Kids [iv 0 R ] /Count 1 /Type /Pages /MediaBox [ 0 0 99 ix ] >> endobj three 0 obj << /Pages 5 0 R /Blazon /Catalog >> endobj trailer << /Root 3 0 R >> %%EOF            

It has a lot of parts that isn't required for other readers, like the Chrome's reader, and it should be actually smaller but it doesn't matter. PDF is much simpler, like any program linguistic communication it has a code for comments which is % , so just put that after any line and append the PHP code .

              %PDF-1.ii %<?phpinfo()?> ...            

Simplest approach

Surfing in the Web I've found something actually beautiful , a repository with a huge list with the "Smallest possible […] file", so I started to try append PHP to some of that files.

Every bit it turns out, most of the files has a EOF of some kind to land that the file has ended, and virtually readers but ignores anything that is put later on that EOF. Hither is four examples :

ELF + PHP

              HEX   : 7F 45 4C 46 01 01 01 00 00 00 00 00 00 00 00 00 02 00 03 00 01 00 00 00 19 40 CD 80 2C 00 00 00 00 00 00 00 00 00 00 00 34 00 20 00 01 00 00 00 00 00 00 00 00 40 CD 80 00 xl CD 80 4C 00 00 00 4C 00 00 00 05 00 00 00 00 10 00 00 3C 3F 70 68 70 69 6E 66 6F 28 29 3B 3F 3E ASCII : ELF��������������@̀,�����������4� ���������@̀�@̀50���Fifty���������<?phpinfo();?>            

MP3 + PHP

              HEX   : FF E3 xviii C4 00 00 00 03 48 00 00 00 00 4C 41 4D 45 33 2E 39 38 2E 32 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 3C 3F lxx 68 70 69 6E 66 6F 28 29 3B 3F 3E ASCII : ÿãÄ���H����LAME3.98.ii�������������������������������������������������<?phpinfo();?>            

JPG + PHP

              HEX   : FF D8 FF DB 00 43 00 03 02 02 02 02 02 03 02 02 02 03 03 03 03 04 06 04 04 04 04 04 08 06 06 05 06 09 08 0A 0A 09 08 09 09 0A 0C 0F 0C 0A 0B 0E 0B 09 09 0D 11 0D 0E 0F 10 ten 11 ten 0A 0C 12 xiii 12 10 xiii 0F 10 10 10 FF C9 00 0B 08 00 01 00 01 01 01 xi 00 FF CC 00 06 00 10 10 05 FF DA 00 08 01 01 00 00 3F 00 D2 CF 20 FF D9 3C 3F 70 68 lxx 69 6E 66 6F 28 29 3B 3F 3E ASCII : ÿØÿÛ�C�                          

                                        ÿÉ� ���ÿÌ��ÿÚ���?�ÒÏ ÿÙ<?phpinfo();?>            

Append PHP to JPEG is really old, only anybody but put in the EXIF, and I consider it cheating.

BMP + PHP

              HEX  : 42 4D 1E 00 00 00 00 00 00 00 1A 00 00 00 0C 00 00 00 01 00 01 00 01 00 18 00 00 00 FF 00 3C 3F lxx 68 seventy 69 6E 66 6F 28 29 3B 3F 3E ASCI : BM���������� ���������ÿ�<?phpinfo();?>            

Bonus round :

Afterward that finding I started playing with something more than hardcore. A GIF that is likewise a valid Python. None of the above "techniques" works because you can't just say to Python Interpreter where to beginning to run the code like PHP. Permit's accept another look at some other GIF :

              HEX   : 47 49 46 38 39 61 01 00 01 00 eighty 01 00 FF FF FF 00 00 00 21 F9 04 01 0A 00 01 00 2C 00 00 00 00 01 00 01 00 00 02 02 4C 01 00 3B ASCII : GIF89a��€�ÿÿÿ���!ù ��,�������L�;            

Let'south try a fault based assay, what is the error that this file gives when run every bit a .py ?

              $ python tinytrans.gif   File "tinytrans.gif", line one     GIF89a           ^ SyntaxError: invalid syntax            

It throws a syntax mistake at the 0x01 byte, which is expected. The GIF Magic Number specifies that is a GIF and that his version is "89a", it turns out that every reader simply require that the version is 89 or 87 ignoring the "a" role, then we tin can replace the "a" with a "=" and state that "GIF89" is a variable, that should exist a nice first. Let's run once more.

              $ python tinytrans.gif   File "tinytrans.gif", line i     GIF89=           ^ SyntaxError: invalid syntax            

Over again , as expected. The commencement idea that I have was to only comment the gibberish role of the GIF and put a comment, merely similar at the PHP+GIF, that is a valid python and it was going to be fine. But in the middle of the gibberish it has a 0x0a byte, which is also a new line, that bugs all my attempts. I was trying to brand something like this :

              GIF89=\ #[email protected][email protected]$!(@#@!_#)[email protected][email protected]!þ\ __import__('os').system('ls');            

That is, a multi-line variable declaration using the '\' and in the eye of it just commenting the Non-ASCII, after that appending the '!þ' to start a GIF annotate, jumping to another line and putting the actual code, following by the EOF's semicolon, which is also valid in Python.

But trying to make a annotate in a multi-line variable announcement was but impossible, but making that inside a parentheses was valid : https://stackoverflow.com/a/22914853 . New try :

HEX :

              47 49 46 38 39 3D 28 0A 00 00 fourscore 01 00 FF FF FF 00 00 00 21 F9 04 01 00 00 01 00 2C 00 00 00 00 01 00 01 00 00 02 02 4C 01 00 21 Fe 0A 5F 5F 69 6D 70 6F 72 74 5F 5F 28 27 6F 73 27 29 2E 73 79 73 74 65 6D 28 27 6C 73 27 29 29 3B            

ASCII :

              GIF89=( ��€�ÿÿÿ���!ù���,�������L�!þ __import__('bone').system('ls'));            

Notation that the interpreter will just ignore the line that starts with a Non-ASCII character, which is odd, so we don't need the # . And Running :

              $ python python.gif bash.gif  handtinyblack.gif php.elf   php.mp3   tinytrans.gif bmp.bmp   php-logo-virus.jpg php.gif   php.pdf   tinytrans.gpy dude.gif  php.bmp   php.jpg   python.gif  tinytrans.py            

Yay !

Tags

# python# programming# ctf# php# capture-the-flag

Related Stories

stringeroung1953.blogspot.com

Source: https://hackernoon.com/six-files-that-are-also-a-valid-php-540343ad35c8

Share this post