PHP in GIF file.

jonas

Newbie

Posts: 46

Joined: Mon Jun 08, 2009 9:04 pm

Post Mon Jul 25, 2011 8:06 am

PHP in GIF file.

Hi again.  I'm trying out the exploit http://www.exploit-db.com/exploits/16181/.
I made a PHP payload in meterpreter (which works) and want to upload it to my WordPress site using the vuln described in exploit-db.

I edited the file header with the hex code provided in the exploit, as so:
Image

Then I'm using Webscarab to intercept the POST command and edit the content-type to "image/gif".  The file I'm uploading is of course a .php file.
The upload is somewhat successful as I don't get the usual error message telling me it's the wrong filetype:

Image

However, when checking my directory there are no files being uploaded.
Does anyone know the reason for this?  I don't think it's the filesize as my payload (php) is 1.28K.  Did I miss something?

I'm thinking I'm missing some size definition of my picture maybe?
Last edited by jonas on Mon Jul 25, 2011 8:25 am, edited 1 time in total.

j0rDy

Hero Member

Posts: 591

Joined: Tue Feb 23, 2010 4:55 am

Location: Netherlands

Post Mon Jul 25, 2011 11:44 am

Re: PHP in GIF file.

What's the full name of the file that you try to upload? It may be possible the application does not accept .php files (even with modified content-type). Try something like evil.php.gif or evil.php%00.gif... good luck!
CISSP, CEH, ECSA, OSCP, OSWP

earning my stripes appears to be a road I must travel alone... with a little help of EH.net

jonas

Newbie

Posts: 46

Joined: Mon Jun 08, 2009 9:04 pm

Post Mon Jul 25, 2011 12:47 pm

Re: PHP in GIF file.

Hi again.

I just tested renaming the file to gif and it works.  So there is something wrong with my content type change I guess.
Last edited by jonas on Mon Jul 25, 2011 1:00 pm, edited 1 time in total.

hell_razor

Jr. Member

Posts: 90

Joined: Wed Jul 14, 2010 10:44 am

Post Mon Jul 25, 2011 12:58 pm

Re: PHP in GIF file.

Why not download a file that is already appropriate (read an avatar or whatnot), open it in a hex editor and steal the header portion?
A+, Network+, Server+, CISSP, GSEC, GCIH, GPEN, GCIA, GISP, GCFW

MaXe

Hero Member

Posts: 671

Joined: Tue Aug 17, 2010 9:49 am

Post Mon Jul 25, 2011 1:10 pm

Re: PHP in GIF file.

If all of the files you upload are not stored on the webserver, then you need to make that directory writeable, and possibly also check who's the owner of that directory if you're on Linux. (It's quite important if you don't run Apache workers as root, which wouldn't be very smart to do hehe  ;) )

As the others said, to execute a GIF file as PHP, you would need to have one of the following conditions in order: (This is just a few examples, not a complete list.)
1) Be able to upload a file like image.gif.php (or for that sake image.php%00.gif)
2) Include the GIF file in a PHP script which evaluates the code (often include() or require() is vulnerable). In this case, the file extension can be image.gif without any extra .php or similar extensions after .gif
3) Force "php" on the target to execute your image.gif file as a php script. (Unlikely, because if you control "php" on the target, you probably got shell access already.)
I'm an InterN0T'er
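The two replies above describe the same weakness from the other side: an upload handler that trusts the client's Content-Type, looks only at the last extension, or never inspects the body will accept a GIF header with PHP appended, a name like evil.php.gif, or a null byte in the filename. The following is an added example, not code from the thread or from the WordPress user-photo plugin, of the server-side checks such a handler should run. The allowed extensions, MIME types and rejection messages are assumptions made for the example, and the sample uploads at the bottom are constructed.

```python
"""Server-side checks for an image upload handler (added example)."""
import re
from typing import List

# Policy assumed for this example: a profile-picture endpoint that accepts
# only these extensions and MIME types.
ALLOWED_EXT = {"gif", "jpg", "jpeg", "png"}
ALLOWED_MIME = {"image/gif", "image/jpeg", "image/png"}

# Leading bytes each allowed type must start with. GIF87a/GIF89a is exactly
# the header the thread's exploit prepends to a PHP payload, so a signature
# check alone is not enough; it is one check of several.
MAGIC = {
    "gif": (b"GIF87a", b"GIF89a"),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
}

# PHP open tags. A real image never needs them, so their presence anywhere in
# the body (including after the image data) marks a polyglot file.
PHP_OPEN_TAG = re.compile(rb"<\?php\b|<\?=|<script\s+language\s*=\s*[\"']?php",
                          re.IGNORECASE)


def check_upload(filename: str, content_type: str, data: bytes) -> List[str]:
    """Return the reasons to reject the upload; an empty list means accept."""
    problems: List[str] = []

    # 1. Null bytes and other control characters in a filename are never
    #    legitimate (the evil.php%00.gif trick depends on one).
    if any(ord(c) < 0x20 for c in filename):
        problems.append("null byte or control character in filename")

    # 2. Drop any path component, then require every dotted segment after the
    #    base name to be an allowed extension. This rejects evil.php.gif and,
    #    deliberately, names like photo.bak.gif as well.
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    segments = base.lower().split(".")
    ext = segments[-1] if len(segments) > 1 else ""
    if not ext:
        problems.append("missing file extension")
    for seg in segments[1:]:
        if seg not in ALLOWED_EXT:
            problems.append(f"disallowed extension segment '.{seg}'")

    # 3. Content-Type is set by the client and, as the thread shows, can be
    #    rewritten in an intercepting proxy; check it but never rely on it.
    if content_type.split(";")[0].strip().lower() not in ALLOWED_MIME:
        problems.append(f"unexpected Content-Type '{content_type}'")

    # 4. The body must begin with the signature of the type the name claims.
    if ext in MAGIC and not data.startswith(MAGIC[ext]):
        problems.append("file signature does not match extension")

    # 5. Scan the whole body, not just the header, for PHP open tags.
    if PHP_OPEN_TAG.search(data):
        problems.append("PHP open tag found inside image body")

    return problems


# Constructed samples for the demonstration, not files from the thread.
GOOD_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
            b",\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;")
POLYGLOT_GIF = GOOD_GIF + b'<?php echo "constructed sample"; ?>'

if __name__ == "__main__":
    for name, ctype, body in [
        ("avatar.gif", "image/gif", GOOD_GIF),
        ("avatar.gif", "image/gif", POLYGLOT_GIF),
        ("evil.php.gif", "image/gif", GOOD_GIF),
        ("evil.php\x00.gif", "image/gif", GOOD_GIF),
        ("shell.php", "image/gif", b"not an image"),
    ]:
        print(repr(name), "->", check_upload(name, ctype, body) or "accepted")
```

Rejecting the upload is only half the fix; storing accepted images under a server-generated name (never the client's) and re-encoding them with an image library strips appended data even when a scanner misses a tag variant. This example does not explain the behaviour jonas reports, where the upload is accepted but no file appears, which the replies attribute to the plugin or to directory permissions.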

jonas

Newbie

Posts: 46

Joined: Mon Jun 08, 2009 9:04 pm

Post Mon Jul 25, 2011 1:46 pm

Re: PHP in GIF file.

1. I am allowed to upload .jpg/.gif etc. to that folder as it is a profile picture plugin, and with regular pictures it works.  The files appear in the folder.
2. If I try to upload anything else I get an error saying it's the wrong format.
3. If I change the content header in the media stream upon upload (file extension is .PHP) it says that the picture was uploaded and is awaiting confirmation. Which probably means that it passed the "extension" check and all should be good. However, the file is not there.
4. I uploaded a jpg pic now, downloaded the processed picture and added my shell code to the end of it.  Using the content header I can upload it no problem.
Although it does not end up in the directory.

If you read the exploit description this upload method should work.  BUT I am doing something wrong of course since it's not working...

THANKS for all the input so far!

tturner

Sr. Member

Posts: 435

Joined: Thu Jun 26, 2008 4:50 pm

Post Mon Jul 25, 2011 2:21 pm

Re: PHP in GIF file.

Is there a reason you think the existing Wordpress install is a vulnerable version? That sploit is 5 months old and may have been patched...
Certifications:
CISSP, CISA, GPEN, GWAPT, GAWN, GCIA, GCIH, GSEC, GSSP-JAVA, OPSE, CSWAE, CSTP, VCP

WIP: Vendor WAF stuff

http://sentinel24.com/blog @tonylturner http://bsidesorlando.org

MaXe

Hero Member

Posts: 671

Joined: Tue Aug 17, 2010 9:49 am

Post Mon Jul 25, 2011 3:45 pm

Re: PHP in GIF file.

As tturner was referring to below, have you installed the plugin / extension as well ( http://wordpress.org/extend/plugins/user-photo/ ), and of course, the vulnerable version? I know it's a stupid question, but you won't be able to exploit a patched version. (Naturally, I just want to confirm.)

tturner wrote: Is there a reason you think the existing Wordpress install is a vulnerable version? That sploit is 5 months old and may have been patched...

So, your exploit should work if you run the right / same versions as the researcher did. The exploit is verified, so it's guaranteed to work, on vulnerable versions that is. So make sure you grab the vulnerable version in case you haven't, and retry everything in the proof of concept.

I don't have that many more comments, except that you should of course be doing this on your own server, so you can easily see what happens, but one thing you should be aware of are errors meant to be in PoCs. I can't see any obvious ones in this, but potentially they could be there. (To prevent common abuse.)  ;)
I'm an InterN0T'er

jonas

Newbie

Posts: 46

Joined: Mon Jun 08, 2009 9:04 pm

Post Tue Jul 26, 2011 4:54 am

Re: PHP in GIF file.

I appreciate the level of confidence being shown in regards to my intellect! :D
The screenshot posted is the plugin functionality, and I'm using the plugin version specified in the exploit, tturner.  I can't see where I have specified using the newest plugin version, as this obviously would be patched.

I will be trying some more and update if I find a solution.
