I had always read that PHP applications are a security guy's nightmare, and always wondered why; coming from a world of packets and frames, code made less sense to me. That changed when I stumbled upon this application. It was an image gallery, with a lot of nice cool pics and an option to share and upload your own. It was a PHP application. Oh, it was fun!
I decided to play with it. As soon as I saw the image upload option, the security freak in me took over.
First shot: tried uploading an .exe file to the application.
Result: failed (Error: You can only upload Image files)
Second shot: tried uploading a .php file.
Result: failed (Error: You can only upload Image files)
So I knew I would have to fiddle around with the request itself. I reached for the web app hacker's best friend: an intercepting web proxy.
Burp was my tool of choice.
With Burp running, I looked at what actually travels to the server when a file is uploaded, and in the upload request I saw this:
Content-Type: application/octet-stream
and I changed this to
Content-Type: image/jpeg
And there we go! With the declared type changed I was able to upload whatever I wanted, from .exe files to real JPEG images: the server was trusting the Content-Type the client declared, not the content of the file.
So what next? I uploaded the PHP Web Browser script and browsed to it. As expected, I got a directory listing of all the files on the server!
I also uploaded PHP Shell, which worked like a charm. It lets you run commands interactively, as if you were sitting at a cmd shell.
But I wanted to upload more files to the server. I could have kept doing that by editing the Content-Type field on every upload, but I am too lazy for that!
So I uploaded eXtplorer. eXtplorer is a nice tool, and what's more, it lets you upload files too! But the security freak in me was not content with these files; I wanted full access to the Windows box. So I went for the best prize of all, a WINDOWS PASSWORD. Nothing beats having a Windows admin password!
I also tried the c99 PHP shell. It has a lot of features; if you want access to the database it is a nice tool to use, and it is easy to find DB user credentials once you have access to the site directory.
I uploaded fgdump and ran it from the browser. Soon I had the admin hashes. A search through rainbow tables gave me the password! Pretty simple, eh? OK, let's call it "Sweetgrape".
Hmmm, but even that was not enough! I wanted full GUI access to the machine. That should be easy with a VNC server or a reverse listener, right?
For that, wait for the next episode...
16 July, 2010 at 5:56 pm
[...] the Security Musings blog today there’s a new post from Anurag that walks you through the process, step-by-step, of how he exploited an image gallery [...]
16 July, 2010 at 8:15 pm
What if your c99.php was denied based on the filename extension? How would you get around that?
16 July, 2010 at 8:39 pm
@Indigo: if you are talking about blacklisting/whitelisting based on file names, there are various ways to bypass that. Sometimes just entering dots after the file name works, like c99.php........
Sometimes the null character works well: just make it c99.php%00.jpg.
Hope that helps
16 July, 2010 at 9:04 pm
This article's title is misleading. It isn't a security issue of PHP, but an obvious (and horrendous) mistake made by that particular gallery's developer. Decent developers are perfectly aware that relying on the declared MIME type is just plain stupid.
16 July, 2010 at 11:53 pm
Being “aware” of the fact and actually doing something about it aren’t two things that go together well.
17 July, 2010 at 9:49 am
Surely it doesn’t matter what language was used here? The same security hole could appear no matter which language was used.
(I’m not a php fan boy by the way.)
17 July, 2010 at 4:50 pm
Couldn't agree more with DeCendres. This has nothing to do with PHP. In fact, web servers are set up so that only certain file extensions are rendered as PHP, and there is no way for a jpg image to run as a PHP script.
Instead, the author should have removed the extensions of uploaded files, hashed the uploaded file names and forced a desired extension onto the end of the file. That way there is no way this hack could have happened. Another peace-of-mind measure I always take is disable_functions in php.ini: if you are not using them, just disable shell, shell_exec, proc, etc.
18 July, 2010 at 8:55 am
Hello,
Yeah, checking the user-supplied MIME type is a really bad idea. If I were the developer I would start by changing the way the application handles file uploads and display.
First
The upload directory shouldn't be web-accessible, and some rewrite rules should be used to make that happen.
Second
I would try to make a replicated image from the uploaded file using (createimgfrom*) and check whether it succeeded; if I understand correctly, these functions won't return true if the file is not an image. I would also check the image height and width using getimagesize.
Sorry for my bad English.
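The fixes proposed in the comments above (ignore the declared type, hash the stored name and force the extension, keep uploads out of the web root, and reject the null-byte and trailing-dot filename tricks from the earlier reply) combined into one hardened check. This is an added example, written in Python rather than the gallery's PHP so it runs stand-alone; the magic-byte table, the sample JPEG header and the PHP payload are constructed, and the PHP counterparts named in the comments (getimagesize(), finfo_file(), imagecreatefrom*) are not called here.

```python
import os
import secrets

# Magic bytes for the image types the gallery should accept (constructed table).
MAGIC = {
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
# Client extension -> canonical extension; anything else is rejected.
ALLOWED_EXT = {"jpg": "jpg", "jpeg": "jpg", "png": "png", "gif": "gif"}

# Constructed samples: a minimal JPEG header and a one-line PHP command runner.
JPEG_STUB = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
PHP_PAYLOAD = b"<?php system($_GET['cmd']); ?>\n"


def sniff_image_type(data):
    """Identify the image type from the file's own bytes, never from the
    declared MIME type.  PHP offers getimagesize() or finfo_file() for this."""
    for magic, ext in MAGIC.items():
        if data.startswith(magic):
            return ext
    return None


def client_extension(filename):
    """Canonical extension from the client-supplied name, or None when the
    name is unacceptable: a NUL byte (c99.php%00.jpg), trailing dots or
    spaces that Windows strips (c99.php....), a path component, a double
    extension, or an extension outside the whitelist."""
    if "\x00" in filename or filename != filename.rstrip(". "):
        return None
    base = os.path.basename(filename.replace("\\", "/"))
    parts = base.split(".")
    if len(parts) != 2 or not parts[0]:
        return None        # rejects "c99.php.jpg", ".jpg" and extension-less names
    return ALLOWED_EXT.get(parts[1].lower())


def check_upload(filename, declared_type, data):
    """Return (True, stored_name) or (False, reason).

    declared_type is accepted only because $_FILES exposes it; it is never
    consulted, which is the whole point.  The stored name is random with the
    extension forced from the sniffed type, so nothing the client chose
    reaches the filesystem.  The directory it goes into should sit outside
    the web root and be served through a script or rewrite rule."""
    sniffed = sniff_image_type(data)
    if sniffed is None:
        return False, "content is not JPEG, PNG or GIF"
    ext = client_extension(filename)
    if ext is None:
        return False, "unacceptable filename"
    if ext != sniffed:
        return False, "extension does not match content"
    return True, secrets.token_hex(16) + "." + sniffed


if __name__ == "__main__":
    for name, declared, data in [
        ("holiday.jpg", "image/jpeg", JPEG_STUB),
        ("shell.php", "image/jpeg", PHP_PAYLOAD),     # the spoofed upload
        ("c99.php\x00.jpg", "image/jpeg", JPEG_STUB),
        ("c99.php....", "image/jpeg", JPEG_STUB),
        ("photo.png", "image/png", JPEG_STUB),
    ]:
        print(repr(name), "->", check_upload(name, declared, data))
```

A magic-byte sniff only proves the file starts like an image; a JPEG with PHP appended still passes it. Re-encoding the upload through imagecreatefrom* and writing the result, as the commenter suggests, drops such trailers, and since the stored file never carries a .php extension the server would not execute it anyway. disable_functions in php.ini is a further layer for the case where something does slip through.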
19 July, 2010 at 12:13 pm
For a start, an average coder will always turn the PHP safe_mode functions ON [mod_security]. I have very rarely come across sites that have safe mode OFF. This is more of a configuration issue than a PHP issue. PHP gives you the tools to disable shell exec:
disable_functions = “exec,system,passthru,readfile,shell_exec,escapeshellarg,escapeshellcmd,proc_close,proc_open,ini_alter,dl,popen,parse_ini_file,show_source,curl_exec”
Like they say, a helmet saves your life only when it is worn! To wear it is your choice!!!
Posted from a proxy
Cheers!!!!!