8

Testing a web application, I can upload GIF/JPEG files and I know there is a possible threat when including PHP code properly in that GIF/JPEG (because it is modified using imagecreatetruecolor and imagejpeg).

I was looking for an existing GIF file containing simple PHP code (like phpinfo or echo 'hello world') just to validate that the threat was concrete.

What would be perfect is a specifically crafted GIF image containing PHP code in the middle OR in the palette colors, but I was unable to find one.

halfer
Cyril N.
  • Neither of the functions you mention will run code. Where exactly did you hear about this supposed vulnerability? – Jani Hartikainen Nov 06 '12 at 11:58
  • http://seclists.org/fulldisclosure/2011/Jun/389 and http://php.webtutor.pl/en/2011/05/13/php-code-injection-a-simple-virus-written-in-php-and-carried-in-a-jpeg-image/ (the last one includes a JPEG "attack" file I tested, but without any luck (the headers were removed)) – Cyril N. Nov 06 '12 at 12:34
  • 1
    You could download [GIMP](http://www.gimp.org), create a simple image, and add your PHP code as comment. – Gumbo Nov 06 '12 at 18:31
  • Oh yeah, didn't think about that :) – Cyril N. Nov 06 '12 at 19:44
  • But do you know if it's possible, using GIMP, to modify the color palette of a GIF image by including PHP code, not only in a comment? Or do I have to use a specific product? – Cyril N. Nov 06 '12 at 19:55
  • 1
    The global color map can hold up to 256 colors of 24 bit depth (8 bit for each RGB channel). That results in 768 byte space for your PHP payload. Just create an image with indexed colors and insert your payload into the resulting image with a hex-editor. – Gumbo Nov 06 '12 at 21:23
  • Interesting. I'm guessing that if adding a at the end of the GIF image does not result in phpinfo showing on the server, it means having the same code in the color palette will also result in the PHP code not executing on that same server? Am I guessing right? – Cyril N. Nov 06 '12 at 21:53
  • No, it works, I’ve just tested it with PHP 5.3.2. – Gumbo Nov 07 '12 at 17:24

1 Answer

7

I'll answer myself for the JPG link file containing PHP code execution, but if someone else provides a more complete answer, I'll offer the accepted check ;)

Here's a link to a "compromised" JPEG file containing PHP exploit code (phpinfo)

(don't worry, the file won't do anything to you)

Moreover, it's important to notice that even if you succeed in uploading a GIF file containing PHP code, if that GIF file is read as a GIF (and not executed as PHP via include/require or a badly configured server), it won't do anything; you'd just have PHP code sitting on your server, useless.

So in order for this attack to work, you need to have two conditions:

  1. The website must use a file upload at some point that you can access
  2. The files stored must be executed via PHP, even the image files (in that case).

Although 1. is quite easy to have, the second is near impossible nowadays. The default configuration for PHP is to run the PHP interpreter only for .php files, whether using Nginx, Apache, Lighttpd, etc.

In conclusion, this vector of attack is really low in probability of success.

Cyril N.
  • 1
    According to this article it is very possible https://nealpoole.com/blog/2011/04/setting-up-php-fastcgi-and-nginx-dont-trust-the-tutorials-check-your-configuration/ – senyor Nov 17 '17 at 20:45
  • The link used in this response is no longer available; DNS_PROBE_FINISHED_NXDOMAIN – Cagy79 Apr 06 '19 at 22:14
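A defender-side check for the palette trick Gumbo describes in the question comments, alongside the answer's point that the file only matters if it is executed as PHP. This is an added Python example, not code from the thread: it builds a constructed 1x1 GIF whose 768-byte global colour table carries a marker, then scans an upload for PHP open tags in that palette or anywhere in the file. All function names and the sample are my own.

```python
"""Scan an uploaded GIF for PHP open tags hidden in its global colour table
(or anywhere else, e.g. a comment extension) and exercise the check on a
constructed sample. Example code, not from the Stack Overflow thread."""
import struct

PHP_OPEN_TAGS = (b"<?php", b"<?=")
GIF_SIGNATURES = (b"GIF87a", b"GIF89a")


def build_gif_with_palette_payload(payload: bytes) -> bytes:
    """Constructed sample: a 1x1 GIF89a whose 256-entry global colour table
    (256 * 3 = 768 bytes, as noted in the comments) starts with `payload`."""
    if len(payload) > 768:
        raise ValueError("global colour table holds at most 768 bytes")
    # Logical screen descriptor: 1x1, packed 0xF7 = GCT present, 256 entries
    header = b"GIF89a" + struct.pack("<HHBBB", 1, 1, 0xF7, 0, 0)
    palette = payload.ljust(768, b"\x00")
    # Image descriptor for a 1x1 frame plus the smallest valid LZW stream
    image = b"\x2C" + struct.pack("<HHHHB", 0, 0, 1, 1, 0) + b"\x02\x02\x44\x01\x00"
    return header + palette + image + b"\x3B"  # 0x3B = GIF trailer


def gif_global_palette(data: bytes) -> bytes:
    """Return the global colour table of a GIF, or b"" if absent or not a GIF."""
    if data[:6] not in GIF_SIGNATURES or len(data) < 13:
        return b""
    packed = data[10]
    if not packed & 0x80:  # global colour table flag clear
        return b""
    size = 3 * (2 ** ((packed & 0x07) + 1))  # entries = 2^(N+1), 3 bytes each
    return data[13:13 + size]


def find_php_tags(data: bytes) -> dict:
    """Report whether PHP open tags appear in the palette and/or anywhere."""
    palette = gif_global_palette(data)
    return {
        "is_gif": data[:6] in GIF_SIGNATURES,
        "in_palette": any(tag in palette for tag in PHP_OPEN_TAGS),
        "anywhere": any(tag in data for tag in PHP_OPEN_TAGS),
    }


if __name__ == "__main__":
    tainted = build_gif_with_palette_payload(b"<?php phpinfo(); ?>")
    clean = build_gif_with_palette_payload(b"")
    print(find_php_tags(tainted))  # {'is_gif': True, 'in_palette': True, 'anywhere': True}
    print(find_php_tags(clean))    # {'is_gif': True, 'in_palette': False, 'anywhere': False}
```

Flagging such uploads is a secondary control; the primary one, as the answer says, is a server configuration that never hands image files to the PHP interpreter.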