PHP: Please Hack Pal.

I always read, PHP applications are a security guy’s nightmare. Always thought why, Coming from a world of packets and frames code made lesser sense. Until I stumbled upon this application. The application was an Image gallery, with a lot of nice cool pics and an option to share and upload pics. This was a PHP application. Oh, it was fun!

I thought of playing with it. As soon as I checked the Image upload option, the security freak in me took over.

First Shot: Tried uploading a exe file to the application

Result: Failed (Error: You can only upload Image files)

Second Shot:Tried uploading a php file

Result: Failed (Error: You can only upload Image files)

So I knew will have to fiddle around with some options. Used the best friend of a web app hacker: a Web Proxy.

BURP was my tool of choice

Running Burp, I checked what travels and I saw this:

Content-Type: application/octet-stream

and I changed this to

Content-Type: image/jpeg

And here we go! I was able to upload whatever I wanted, from exe to jpeg images.

So what next? Uploaded the Php Web Broswer and browsed to it. As expected, I had a directory listing to all the files on the server!

I also uploaded PHP Shell which worked like a charm. It allows running commands interactively as if you are working on the cmd shell.

But, I wanted to upload some files to the server. I could have done that by changing the content type field and uploading the file. but I am too lazy for that!

So i uploaded Extplorer. eXtplorer is a nice tool. what more, it allows uploading files also! But, the security freak in me was not content with these files, I was looking to have full access to the windows box. So, I wanted the best of all WINDOWS PASSWORD, nothing beats having a windows admin password!

I also tried c99 php hacker shell It has a lot of features. If you want access to Database its a nice tool to use and it is easy to find DB user credentials when you have access  to the site directory.

I uploaded Fgdump and called it from the browser. Soon, I had the admin hashes. Searched through rainbow tables and got the password! Pretty simple, eh? Ok, lets call it “Sweetgrape”.

Hmmm, but even that was not enough! I wanted to get full GUI access of the machine. That must be easy using some VNC server or a reverse listener, right?

For that wait for the next episode … …


9 Responses to “PHP: Please Hack Pal.”

  1. Security Musings: PHP: Please Hack Pal. | Development Blog With Code Updates : Says:

    […] the Security Musings blog today there’s a new post from Anurag that walks you through the process, step-by-step, of how he exploited an image gallery […]

  2. Indigo Says:

    What if your c99.php was denied by based on the filename extension? How would you get around that?

  3. Anurag Says:

    @Indigo. If you are talking blacklisting/white listing based on the file names there are various ways to bypass that.Sometimes just entering …. after the file name work like c99.php……..

    Sometimes the null character works well just make it c99.php%00.jpg.

    Hope that helps

  4. DeCendres Says:

    This article’s title is misleading. It isn’t a security issue of PHP, but an obvious (and horrendous) mistake made by that particular gallery’s developer. Decent developers are perfectly aware that relying on the declared mime-type is just plain stupid.

    • zorbius Says:

      Being “aware” of the fact and actually doing something about it aren’t two things that go together well.

  5. iainp999 Says:

    Surely it doesn’t matter what language was used here? The same security hole could appear no matter which language was used.

    (I’m not a php fan boy by the way.)

  6. M. Mamedov Says:

    Couldn’t agree more with DeCendres. This has nothing to do with PHP. In fact web servers are setup in the way where only certain file extensions are rendered as PHP, and there is no way for a jpg image to run as a PHP script.

    Instead, author should have removed extensions of files uploaded, and uploaded file names should’ve been hashed and forced a desired extension to the end of the file.. in this way no way this hack could’ve happened… another peace of mind, i always do so, is disable_functions in php.ini : if you are not using them just dusable – shell, shell_exec, proc ..etc..

  7. eClare Says:


    Yeah checking user supplied mime-type is really bad idea, if i were the developer i would start changing the way the file handle uploads and display.


    The upload shouldn’t be on accessible directory, and should use some rewrite rules to make that happen


    I would try to make an replicated image from the uploaded file image using (createimgfrom*) and check if it was successful, these functions if i under stand correctly wouldn’t return true if the file is not an image, and i would check the image height & width using getimagesize.

    Sorry for my bad english 😛

  8. YouKnowME Says:

    For start an average coder will always turn the PHP safe_mode functions ON [mod_security]. I have very rarely come across sites that have the safe mode OFF. This is more of a configuration issue than a php issue. Php gives you the tools to disable the shell exec

    disable_functions = “exec,system,passthru,readfile,shell_exec,escapeshellarg,escapeshellcmd,proc_close,proc_open,ini_alter,dl,popen,parse_ini_file,show_source,curl_exec”

    Like they say a helmet saves your life only when it is worn ! To wear it, is your choice !!!

    Posted from a proxy 🙂

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: