Special upload skills bypass PHP image conversion for Remote Code Execution (RCE)

Special upload skills bypass PHP image conversion for Remote Code Execution (RCE)

I used a special Image Upload technique, bypassing the PHP GD library to convert images, and finally successfully implemented remote code execution.

This is the case. At that time, I was testing whether the website had the SQL injection vulnerability. I accidentally found a file upload form for uploading portraits on my personal page. At the beginning, I didn't expect to discover the vulnerability in the upload function, but I decided to try it.

I uploaded an image file, truncated the http packet, modified the file name suffix of the jpg image to php, and then continued the upload. I was surprised that the upload was successful. I almost couldn't believe that such a simple vulnerability exists. So I copied the image url and opened it in the browser. What I see is the binary code of the image, which means that the image is parsed in php and returned in text/html format according to the content-type in the response packet.

What I want to do now is to inject php code into the jpg file for remote code execution, so I try to run the Code <? Phpinfo ();?> Write the image into the EXIF header, but the tragedy is that the php code is not executed when the file is uploaded again.

The test is performed on the local machine and the result is still invalid-the code is not executed

After uploading the code to the server, the code in EXIF is deleted. The application calls the php gd library (GD library, an extension library for php to process graphics) through the imagecreatefromjpeg () function ), the image is converted. So what if the code is not injected into the EXIF header but into the image?

 

The local test passes through, but when I upload the upload 1.jpg "to the server, the following results are returned:

 

An error is reported when the following figure shows the images (.gif,. jpg,. jpeg, or .png. I tested some other jpg files and found that modifying any image character will cause an error in the php-gd library and cause upload failure.

Next, I performed the same operation using the GIF image. The result is: The image is uploaded successfully, but the php code in the image is completely deleted.

Although this seems incredible, I cannot give up, because it is only one step away from successful use of Remote Code Execution (RCE), and I have to bypass the imagecreatefromgif () function. I know little about image processing and php GD library running, but this does not affect my use of some traditional penetration testing methods.

I thought of a method: compare two GIF images converted through the php-gd library. If there are similarities, this proves that the image data will not be converted. Then, I can inject code into this part of the image file to implement remote code execution. I even admire my wit!

 

I opened the image file in the hexadecimal editor and found that the same hexadecimal string "3b45d00ceade0c1a3f0e18aff1" is still maintained before and after the php conversion, and changed it to <? Phpinfo ()?>.

 

Save the image and upload it to the server:

My PHP code was executed, and I finally successfully implemented remote code execution.