Is it possible to execute PHP with the file.php.jpg extension?

The site's upload script, image_upload.php, was used to upload the file 89471928047.php.jpg. It was a simple file upload form that copies a tmp file to the same image folder. How did they manage to execute it and upload other files through it? Does anyone know how this is possible? The PHP version was 5.1.6, which was updated exactly an hour ago, or on a schedule by the host, to 5.3.8... what a coincidence?

+10
security php
Nov 06 2018-11-11T00:
3 answers

Check the .htaccess file

Using AddType in your .htaccess file, you can add many other extensions from which PHP can be run. As a rule, this is how .html extensions can be used while still having PHP inside them. So yes, maybe:

 AddType application/x-httpd-php .jpg 

You can check it if you want.

  • Create a directory with two files: .htaccess and test.php.jpg
  • Set .htaccess content to AddType application/x-httpd-php .jpg
  • Set the contents of test.php.jpg to <?php echo 'foo'; ?>
  • Access test.php.jpg via localhost

If everything goes as planned, "foo" is displayed. You can expand it to move /tmp files if you want.

Definitely something you want to be very careful with.

Check for exposed calls to include / require

Another way this could have been done is through a call to require() or include() (or any of the _once() methods), by which the hacker was able to load in his badfile.php.jpg file, which had been uploaded as an innocent image:

 <?php include $_GET["file"]; ?> 

In the above example (a simplified example), a hacker can pass in the path to his .php.jpg file and have its contents loaded and processed as PHP code.

Other (scary) ideas

require, include and their associated methods are not the only way to process external scripts - unfortunately, you can also use eval(). I would hope you did nothing of the sort. If you had any scripts on your server that used any one of the file functions to read the contents of another script and then eval() to evaluate this content as PHP, this could also open a security hole in your website.

+14
Nov 06 2018-11-11T00:

Your image_upload.php is unsafe; check the following:

  • Does it allow only image extensions? Otherwise, one could directly upload a PHP file. (I think you are covered on this, but double check.)
  • Does it check whether the uploaded file is an image? Here the answer is no; it does not check the contents. Add this check! With this single step, you will close the initial breach.

To check whether it is an image, you can run getimagesize on the file; it will return FALSE if it is not an image.

How could this file be executed? First, how do you know that it was executed? Have you seen any side effects?

  • One way is that they could have faked other files.
  • A second way, perhaps more likely, is that they used unsanitized inputs from your scripts to include or modify code. In this case, you can find evidence only by looking at the logs.

How to look at the logs?

Check the date and time of the uploaded file and start looking for suspicious activity around then (look for strange URL parameters). When you find one or more IP addresses doing evil things, grep the log for that (those) IP address(es) to see the whole story.

Another important piece of information to know: did you write the site yourself, or do you use a CMS or similar? In that case, which one is it and what version? You must check for published vulnerabilities and update if needed.

+7
Nov 06 '11 at 5:16

The problem is that your server uses the default /etc/httpd/conf.d/php.conf:

 rpm -ql php-5.1.6-39.el5_8
 /etc/httpd/conf.d/php.conf
 /usr/lib64/httpd/modules/libphp5-zts.so
 /usr/lib64/httpd/modules/libphp5.so
 /var/lib/php/session
 /var/www/icons/php.gif

The contents of /etc/httpd/conf.d/php.conf:

 #
 # PHP is an HTML-embedded scripting language which attempts to make it
 # easy for developers to write dynamically generated webpages.
 #
 <IfModule prefork.c>
   LoadModule php5_module modules/libphp5.so
 </IfModule>
 <IfModule worker.c>
   # Use of the "ZTS" build with worker is experimental, and no shared
   # modules are supported.
   LoadModule php5_module modules/libphp5-zts.so
 </IfModule>

 #
 # Cause the PHP interpreter to handle files with a .php extension.
 #
 AddHandler php5-script .php
 AddType text/html .php

Pay attention to the last line, AddHandler php5-script .php. This causes the problem and needs to be replaced with a more secure configuration.

You can learn more about this and how to apply the fix here (see the last answer):

http://core.trac.wordpress.org/ticket/11122

Also see this:

https://bugzilla.redhat.com/show_bug.cgi?id=885839

+7
Dec 12 '12 at 17:02
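
Why the AddHandler line in the answer above makes 89471928047.php.jpg executable, as an added example (not code from any of the answers or from Apache itself): it models mod_mime's documented lookup, where every dot-separated token after the base name is an extension and a handler attached to any of them applies, and uses it to audit an upload folder listing. The function names, the sample listing and the final-extension regex used for contrast are assumptions; the page does not quote the fixed configuration.

```python
import re

# Assumed mapping, modelled on the php.conf quoted above: only ".php" has a handler.
HANDLERS = {"php": "php5-script"}
# Rule anchored to the final extension, shown for contrast (an assumption).
FINAL_ONLY = re.compile(r"\.php$", re.IGNORECASE)


def mod_mime_handler(filename, handlers=HANDLERS):
    """Return the handler a mod_mime-style lookup would pick, or None.

    Every dot-separated token after the base name counts as an extension
    (matched case-insensitively); if several carry a handler, the rightmost wins.
    """
    parts = filename.split(".")
    chosen = None
    for ext in parts[1:]:  # parts[0] is the base name, never an extension
        handler = handlers.get(ext.lower())
        if handler:
            chosen = handler
    return chosen


def final_ext_handler(filename):
    """Handler under a rule that only looks at the last extension."""
    return "php5-script" if FINAL_ONLY.search(filename) else None


def audit_uploads(names, handlers=HANDLERS):
    """Names that AddHandler would hand to PHP although they do not end in .php."""
    return [n for n in names
            if mod_mime_handler(n, handlers) and not final_ext_handler(n)]


# Constructed sample listing of an image upload folder.
SAMPLE = ["logo.jpg", "89471928047.php.jpg", "photo.PHP.png",
          "notes.php.bak", "php.jpg", "index.php"]

if __name__ == "__main__":
    for name in SAMPLE:
        print(f"{name:22} AddHandler={mod_mime_handler(name)} "
              f"final-only={final_ext_handler(name)}")
    print("review these uploads:", audit_uploads(SAMPLE))
```

A file such as index.php is not listed by audit_uploads because an upload filter that allows only image extensions already rejects it; the listed names are the ones that pass such a filter and still reach the PHP handler.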


