-5

I came across a CTF challenge where php file upload was restricted but phpp and phP were not. What other formats can php be uploaded in and what is the difference?

Luc
Aayush
    Are phpp and phP different *formats* or just file name extensions? This is not looking like a php question but a filter question on that particular upload function. – schroeder Jul 15 '18 at 12:25

3 Answers

2

Like a usual CTF challenge, the idea is that someone set something up but there is a vulnerability in it. Your goal is to get the flag, and since you can upload a file, you probably have to get your code to run on the server (so it can list files in the directory and read the flag file).

If you can upload <?php echo `ls`; in example.php on the server, the server will probably execute the file when you open the URL. Apparently, someone tried to prevent users from uploading files with the .php extension. But as you've noticed, a file ending in .phP is fine. The programmer probably did something like this:

if (substr_count($filename, ".php") != 0) { exit("upload rejected"); } // only the lowercase substring ".php" is checked

So you can't upload .php files... but the web server doesn't care if it's called .php or .PHP or .phP: its configuration just says that anything ending in .php (case-insensitive) should be executed as if it were PHP code. The extension is just part of the filename, so the contents are still the same, only the name is different. If you feel like it, you can put PHP code in a file called example.aayush and configure Apache or Nginx to execute .aayush files as PHP code. And since they are typically case-insensitive, you can then also run .Aayush files the same way.

Hope this helps in solving the challenge!

Or, if you want to know how to fix this vulnerability, see questions tagged: .

Luc
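The following is an added example, not code from the question or from Luc's answer. It puts the substring check described above next to an allow-list check of the kind a defender would write: only the base name is considered, only the last extension counts, it is lower-cased before comparison, and names with more than one extension are refused. The filenames at the bottom are constructed test data; nothing is written to disk.

```php
<?php
// Added example (not from the question or the answers).
// Contrasts a deny-list substring check with an allow-list extension check.

// Weak: rejects only names containing the lowercase substring ".php".
// "shell.phP", "shell.PHP" and "shell.phtml" all get through.
function weak_filter_allows(string $filename): bool
{
    return substr_count($filename, ".php") == 0;
}

// Stronger: decide what is allowed instead of what is forbidden.
//  1. keep only the base name (drops directory parts such as "../"),
//  2. refuse names with no extension or more than one ("x.php.jpg"),
//  3. lower-case the last extension so "phP" and "PHP" compare as "php",
//  4. accept only a short list of non-executable extensions.
// Pair this with storing the file under a server-generated name in a
// directory from which the web server never executes scripts.
const ALLOWED_EXTENSIONS = ['jpg', 'jpeg', 'png', 'gif', 'pdf'];

function strict_filter_allows(string $filename): bool
{
    $base = basename($filename);
    if ($base === '' || substr_count($base, '.') !== 1) {
        return false;               // no extension, or a double extension
    }
    $ext = strtolower(pathinfo($base, PATHINFO_EXTENSION));
    return in_array($ext, ALLOWED_EXTENSIONS, true);
}

// Constructed sample names, including the bypasses from the question.
$samples = [
    'photo.jpg', 'shell.php', 'shell.phP', 'shell.PHP', 'shell.phtml',
    'shell.php.jpg', 'shell.jpg.php', '../shell.PhP',
];

printf("%-16s %-8s %-8s\n", 'filename', 'weak', 'strict');
foreach ($samples as $name) {
    printf("%-16s %-8s %-8s\n", $name,
        weak_filter_allows($name)   ? 'allow' : 'reject',
        strict_filter_allows($name) ? 'allow' : 'reject');
}
```

Run it with `php filter_demo.php` (the file name is arbitrary). The weak column allows every sample except `shell.php`; the strict column allows only `photo.jpg`. The extension check is still only one layer: the upload directory should also be served without a PHP handler, so that a mistake in the filter cannot turn into code execution.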
0

Well, I have also noticed this behavior. As @schroeder mentioned in the comments, at first I also thought it had to do with the upload function, but then I decided to try out some tests. So for example if we have a php file called test.php that contains the following code:

<?php echo shell_exec('whoami'); ?>

If we try to execute it with php test.php (assuming php is installed) then it will be successfully executed. Now the strange part indeed is that if we change the extension it still works. Here's a POC that automatically changes the extension and tries to execute the file:

#!/bin/bash

# Rename test.php (which must already exist) to each of these names in turn
# and run it with the PHP command-line interpreter.
declare -a extensions=("test.phP" "test.PHp" "test.asdfphp" "test" "test.txt")

tmp='test.php'
for ext in "${extensions[@]}"; do
    echo "Renaming file to $ext and try to execute it..."
    mv "$tmp" "$ext"; php "$ext"
    tmp="$ext"
done

So all those file-extensions are executed properly. The results of the above script are:

Renaming file to test.phP and try to execute it...
username
Renaming file to test.PHp and try to execute it...
username
Renaming file to test.asdfphp and try to execute it...
username
Renaming file to test and try to execute it...
username
Renaming file to test.txt and try to execute it...
username

Now even if we remove the php keyword from the <?php tag in test.php file, or even remove the last closing tag ?> the script is still valid php code (as @AndrolGenhald correctly pointed out in the comments that's due to PHP short tags) and will still be executed properly. So I guess that php checks the file and if it's a valid php content it will be executed. Though I searched and I didn't find my assumption documented, so if anyone knows that the above assumption is indeed correct please post a link :)

game0ver
    This is due to [PHP short tags](https://secure.php.net/manual/en/language.basic-syntax.phptags.php), whose use isn't recommended for compatibility reasons. Omitting the last close tag has always been possible (afaik) and is very common. – AndrolGenhald Jul 15 '18 at 14:36
  • Yes, I know it's valid php but I didn't know it was called short tags in the documentation, but thanks for noticing - I'll edit the answer to make it more clear. What I can't find documented though, is why php accepts all those different extensions. It's like ignoring the extension and I can't find anything in the PHP documentation. – game0ver Jul 15 '18 at 14:58
  • 1
    When you call `php filename` it doesn't check the extension. But the webserver will call **different** processors based on filename. Commonly php will be involved if the extension is `php` or `phps`. PHP content in a html file will not be interpreted with the default configuration. Thus this answer, while correct, isn't really an answer to the question in my opinion. – vidarlo Jul 15 '18 at 18:46
  • @vidarlo I agree, **but** the weird thing is that the same behavior also occurs with e.g. `python` (_I tested locally not on server-side_). I've noticed in the past that if you rename a .py file to something else (_except for .pyc_) it will also run. I think it must have to do with the interpreter implementation, both for python and php and probably with other scripting languages too, but since I don't know interpreter internals I can't really support my assumption. – game0ver Jul 15 '18 at 19:51
  • 2
    It doesn't care about the extension. Why should it? Unix has no tradition of extensions, generally speaking. It treats the filename given as a program source to be read, and that's it. – vidarlo Jul 15 '18 at 20:04
  • @vidarlo Yep, almost, e.g. you can't run a .pyc file that contains python code. I also agree with what you said, which is BTW my answer's assumption, I just can't prove it. – game0ver Jul 15 '18 at 20:06
-1

What other formats can PHP be uploaded in?

Assuming you mean file extension and not format, any file extension that is both allowed by the upload code and identified as a PHP script by the PHP server's configuration (Apache httpd's PHP module or PHP-FPM) may be executable. For example, if the server is configured to execute *.php* files, files ending in .php, .php7, and normally invalid ones such as .phpp may be executed.

multithr3at3d
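As an added illustration of the server-side half of this answer (not configuration from the question or from any of the answerers), here is an Apache httpd PHP-FPM handler block in its loose and its tightened form. The socket path, the document root and the `uploads` directory name are assumptions.

```apache
# Added example; assumed socket path and directory names.

# LOOSE: the regex is unanchored, so it matches "shell.phpp" and
# "shell.php.jpg" as well as "shell.php". The classic
# "AddHandler ... .php" line has the same multi-extension behaviour.
#
# <FilesMatch "\.php">
#     SetHandler "proxy:unix:/run/php/php-fpm.sock|fcgi://localhost/"
# </FilesMatch>

# TIGHTENED: anchor on the end of the name so only the final extension
# decides. The match is case-sensitive here; add (?i) only if running
# "x.phP" is intended, and make the upload filter agree with whatever
# is chosen.
<FilesMatch "\.php$">
    SetHandler "proxy:unix:/run/php/php-fpm.sock|fcgi://localhost/"
</FilesMatch>

# Never hand anything in the upload directory to PHP, whatever it is
# called. With mod_php instead of PHP-FPM, "php_admin_flag engine off"
# inside this block does the same job.
<Directory "/var/www/html/uploads">
    <FilesMatch ".*">
        SetHandler None
    </FilesMatch>
</Directory>
```

After changing the handler pattern, confirm the result with `apachectl configtest` and then request a file named like one of the bypass variants from the question; the server should return it as plain content (or refuse it) rather than execute it.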