
I'm trying out random older WordPress exploits on my local server, I'm currently in the process trying to get this one to work:

https://www.exploit-db.com/exploits/20083/

It doesn't read any headers, it just seems to filter file extensions. I am able to upload {Filename}.php.jpg files as mentioned in the URL above. But what caught my curiosity was:

Plugin does not properly filter filetypes, which allows for the upload of filetypes in the following format: 
filename.php.jpg
Vulnerable hosts will serve such files as a php file, allowing for malicious files to be uploaded and executed.

Opening the JPG just makes my browser throw an error, not seeing it as a valid image.

Which leads me to my question

Why would a server ever serve a JPG as PHP? (without editing .htaccess or php require())?

Stella
  • Have a look at [Files with Multiple Extensions](http://httpd.apache.org/docs/2.2/mod/mod_mime.html#multipleext). – Gumbo Jun 06 '15 at 11:52

1 Answer


This behavior is not directly linked to this exploit, but is caused by a weak web server configuration.

For instance:

  • Apache offers through mod_mime the possibility to serve files with multiple extensions. This extension is designed to serve in the same way files such as welcome.html.fr or welcome.fr.html (i.e. the French version of the welcome.html file). However, it can be tricked into interpreting myuploadedfile.php.jpg as a PHP script...
  • Nginx offers a virtual directory system allowing virtual sub-directories below a dynamic script. For instance, a URL like /agenda.php/2015/june/6 will execute the file agenda.php (SCRIPT_FILENAME) with /2015/june/6 as parameter (PATH_INFO). However, you may trick it into executing your uploaded file (which does not even need to include the .php extension) by using a URL such as /myuploadedfile.jpg/anything.php: it will be accepted as a PHP script due to the .php extension, then the URL will be divided into SCRIPT_FILENAME and PATH_INFO as described above, and finally the order will be given to the PHP interpreter to execute the content of myuploadedfile.jpg.
WhiteWinterWolf
  • This cleared a lot up, you have my gratitude. Am I correct to assume that I would not be able to abuse these particular exploits on my server unless I configure my environment to do so? Eg. mod_mime (Assume my environment has default configurations with nothing but the latest WordPress and the upload plugin.) – Stella Jun 06 '15 at 12:12
  • Yes, you are correct. Hopefully servers are usually installed with safe defaults :), most such issues come from old, historical configurations... – WhiteWinterWolf Jun 06 '15 at 12:42
  • In case anyone is interested, there's a follow up question to this answer there: https://security.stackexchange.com/questions/218081/how-can-nginx-run-a-file-with-jpg-extension-as-php-file – Anders Sep 17 '19 at 10:31
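The two resolution rules the answer describes can be modelled in a few lines, which makes it easy to see exactly which configuration choice turns an uploaded `avatar.php.jpg` or a request for `/uploads/avatar.jpg/anything.php` into PHP execution, and which choice closes the gap. The script below is an added example and is not code from the question, the answer, Apache, nginx or PHP; it is a simplified model of the documented behaviour (mod_mime's multiple-extension rule for `AddHandler` versus an anchored `<FilesMatch "\.php$">`, and PHP-FPM's `cgi.fix_pathinfo` path walk with and without nginx's `try_files $uri =404`). The document root `/var/www`, the file set `FILES` and the file names are constructed for the demo.

```python
import os
import re
from typing import Dict, Optional, Set, Tuple

# ---- 1. Apache mod_mime: AddHandler vs. <FilesMatch> ---------------------------
PHP_HANDLER = "application/x-httpd-php"


def apache_handler_addhandler(filename: str, handlers: Dict[str, str]) -> Optional[str]:
    """Model of `AddHandler application/x-httpd-php .php`: mod_mime inspects every
    dot-separated segment of the basename, and the rightmost segment that maps to a
    handler wins.  A later segment that only maps to a media type (.jpg) does NOT
    clear the handler, so "avatar.php.jpg" is still run as PHP."""
    handler = None
    for ext in os.path.basename(filename).split(".")[1:]:
        if ext.lower() in handlers:
            handler = handlers[ext.lower()]
    return handler


def apache_handler_filesmatch(filename: str, pattern: str, handler: str) -> Optional[str]:
    """Model of `<FilesMatch pattern> SetHandler handler </FilesMatch>`: an anchored
    regex over the basename, so only a trailing .php selects the PHP handler."""
    return handler if re.search(pattern, os.path.basename(filename)) else None


# ---- 2. nginx + PHP-FPM: `location ~ \\.php$` and cgi.fix_pathinfo --------------
# Constructed file system for the demo: an application script and one uploaded image.
FILES: Set[str] = {"/var/www/index.php", "/var/www/uploads/avatar.jpg"}


def nginx_php_location(uri: str, docroot: str, files: Set[str], try_files: bool) -> Optional[str]:
    """Model of `location ~ \\.php$ { [try_files $uri =404;] fastcgi_pass ...; }`.
    Returns the SCRIPT_FILENAME handed to PHP-FPM, or None when nginx answers the
    request itself (static file chosen by extension, or 404 from try_files)."""
    if not re.search(r"\.php$", uri):
        return None                      # not a PHP location: served as static content
    script_filename = docroot + uri
    if try_files and script_filename not in files:
        return None                      # 404 before FastCGI is ever involved
    return script_filename


def php_resolve_script(script_filename: str, files: Set[str],
                       fix_pathinfo: bool) -> Tuple[Optional[str], str]:
    """Model of PHP's cgi.fix_pathinfo (default 1): if SCRIPT_FILENAME does not
    exist, walk the path from the right until an existing file is found; that file
    becomes the script and the remainder becomes PATH_INFO.  With
    cgi.fix_pathinfo=0 a missing SCRIPT_FILENAME is simply an error."""
    if script_filename in files:
        return script_filename, ""
    if not fix_pathinfo:
        return None, ""                  # PHP-FPM reports "Primary script unknown"
    path = script_filename
    while True:
        path, sep, _ = path.rpartition("/")
        if not sep or not path:
            return None, ""
        if path in files:
            return path, script_filename[len(path):]


def demo() -> Dict[str, object]:
    """Run the weak and hardened variants side by side and return the outcomes."""
    results: Dict[str, object] = {}
    # Apache: the same upload under the two handler configurations.
    results["apache_addhandler"] = apache_handler_addhandler("avatar.php.jpg", {"php": PHP_HANDLER})
    results["apache_filesmatch"] = apache_handler_filesmatch("avatar.php.jpg", r"\.php$", PHP_HANDLER)
    # nginx: the "image followed by /anything.php" request under three configurations.
    uri = "/uploads/avatar.jpg/anything.php"
    weak = nginx_php_location(uri, "/var/www", FILES, try_files=False)
    results["nginx_weak"] = php_resolve_script(weak, FILES, fix_pathinfo=True) if weak else None
    results["nginx_fix_pathinfo_0"] = php_resolve_script(weak, FILES, fix_pathinfo=False) if weak else None
    results["nginx_try_files"] = nginx_php_location(uri, "/var/www", FILES, try_files=True)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:22s} -> {outcome}")
```

In the weak nginx case the model hands `/var/www/uploads/avatar.jpg` to the interpreter with `PATH_INFO=/anything.php`, which is the situation the answer describes; either `cgi.fix_pathinfo=0` in php.ini or `try_files $uri =404` inside the PHP location stops it, and on Apache the anchored `FilesMatch` rule is what keeps `.php` in the middle of a name from selecting the handler. Checking which of these a server actually has is a quicker way to answer "can this exploit work here" than uploading test files.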