bypassing PHP image upload conversion to implement remote Code Execution (RCE) risk

I used a special image upload techniques, bypassing the PHP GD library of the image conversion processing, and finally successfully implemented the remote Code execution.

That's the thing. I was testing the site on whether there is a SQL injection vulnerability, inadvertently I found a personal page on the site to upload a picture of the file upload form. I didn't expect to find a loophole in the upload function at first, but I decided to try it.

I uploaded a picture file, by truncating the HTTP packet, modifying the filename suffix of the jpg image to PHP, and then continue uploading. I was surprised to upload successfully, I can hardly believe that such a simple loophole actually exists. So I copied the picture URL and opened it on the browser. Entering my eye is the binary code of the picture, which means that the picture is parsed in PHP and returned in text/html format according to the Content-type in the response package.

What I'm going to do now is inject PHP code into the JPG file for remote code execution, so I try to write the code into the Exif head of the picture, but the tragedy is that the PHP code is not being executed.

Test on this machine, the result is still invalid--the code is not executed

After uploading to the server, EXIF code has been deleted, the application through the Imagecreatefromjpeg () function called PHP Library (GD library, PHP processing Graphics extension Library), the picture was converted. So what if you don't inject the code into the EXIF header but inject it into the picture?

The native test passed, but when I uploaded "1.jpg" to the server, I returned the following results:

The error says "file must be a valid picture (. gif,. jpg,. jpeg, or. png)", I marvel at how the application is judged to be illegal. I tested some other JPG files, and found that modifying any one of the image characters would cause the PHP-GD library to be incorrectly judged, which would result in an upload failure.

Next I did the same thing with a GIF image, and the result was that the picture was uploaded successfully, but the PHP code in the picture was completely deleted.

While this may seem incredible, I can't give up because it's only a step away from successfully using remote code Execution (RCE) and I have to bypass the Imagecreatefromgif () function. I know very little about the processing of pictures and the operation of PHP's GD library, but this does not affect my use of some traditional penetration testing methods.

I came up with a way to compare two GIF images that had been converted through the PHP-GD library, and if there were similarities, this would prove that some of the picture data would not be converted. Then I can inject the code into this part of the picture file, and finally implement the remote code execution. Even I admire my wit!

As pictured, I opened the picture file with the hexadecimal editor, found the hexadecimal string "3b45d00ceade0c1a3f0e18aff1" that remained the same before and after the PHP conversion, and modified it for.

Save the picture and upload it to the server:

My PHP code was executed, and I finally managed to implement remote code execution.