Level 6: Bypassing image content verification

Let’s move on to the Level 6 section. 

Here, if we try to upload a file that contains only PHP and HTML code, it is easily detected.

This level uses the getimagesize() function, which reads a file and returns the size of the image if a valid image file is provided. If an invalid file is supplied, getimagesize() fails and returns false instead of image information. This behaviour is used to verify whether the file is an image or not.

However, there are techniques that can effectively bypass this protection. Consider the following PHP code, which uploads the file when the getimagesize() check passes and returns an error when an invalid image file is uploaded:

<?php
// Read image metadata from the uploaded temp file; 'mime' is derived from the file's content.
$imageinfo = getimagesize($_FILES['uploadedfile']['tmp_name']);
// Only content detected as GIF or JPEG is accepted.
if ($imageinfo['mime'] != 'image/gif' && $imageinfo['mime'] != 'image/jpeg') {
    if (isset($_FILES['uploadedfile'])) {
        echo "Sorry, we only accept GIF and JPEG images\n";
    }
    exit;
}
$uploaddir = 'uploads/';
// The stored name, including its extension, comes from the client-supplied file name.
$uploadfile = $uploaddir . basename($_FILES['uploadedfile']['name']);
if (move_uploaded_file($_FILES['uploadedfile']['tmp_name'], $uploadfile)) {
    echo "File is valid, and was successfully uploaded.\n";
} else {
    echo "File uploading failed.\n";
}
?>
<?php if ($uploadfile != '') { echo "<a href=\"$uploadfile\">Uploaded</a>"; } ?>

We can easily bypass such checks by adding the magic code (file signature) of the expected file type to our file.

You can find the proper magic code at the link below:

List of file signatures - Wikipedia


Copy the GIF signature code into "phpinfo.gif".

Now, the file should upload without any problems. However, we will have to change the file name to .php using Burp Suite.

Now, we shall go ahead and access the file. 

Look at that! Our valid GIF file containing our PHP script was uploaded successfully and was executed as expected. 

So, here, we've successfully defeated the getimagesize() function and uploaded our payload.
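A hardened counterpart to the Level 6 handler, as an added example that is not part of the original post or the lab: it keeps the getimagesize() check but takes the stored extension from the detected image type instead of the client-supplied name, and re-encodes the image. The function names, the ALLOWED_IMAGE_TYPES constant and the availability of the GD extension are assumptions.

```php
<?php
// Added example, not the lab's code. Assumes the GD extension is loaded and the
// same 'uploadedfile' form field and uploads/ directory as the handler above.

// Detected image type => extension the server will use (hypothetical constant name).
const ALLOWED_IMAGE_TYPES = [IMAGETYPE_GIF => 'gif', IMAGETYPE_JPEG => 'jpg'];

// Returns the server-chosen extension, or null if the file is not GIF/JPEG.
function detected_extension(string $tmpPath): ?string
{
    $info = @getimagesize($tmpPath);   // false when the file is not an image
    if ($info === false) {
        return null;
    }
    return ALLOWED_IMAGE_TYPES[$info[2]] ?? null;   // index 2 = IMAGETYPE_* constant
}

// Stores the upload under a random name; returns the path or null on rejection.
function store_image_upload(array $file, string $uploadDir): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    $ext = detected_extension($file['tmp_name']);
    if ($ext === null) {
        return null;
    }
    // Decode the pixels and write a fresh image, so bytes appended after the
    // image data (such as a script) are not copied into the stored file.
    $img = @imagecreatefromstring(file_get_contents($file['tmp_name']));
    if ($img === false) {
        return null;
    }
    // The client-supplied name is ignored: a renamed ".php" upload still ends
    // up as <random>.gif or <random>.jpg.
    $dest = rtrim($uploadDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    $ok = ($ext === 'gif') ? imagegif($img, $dest) : imagejpeg($img, $dest, 90);
    return $ok ? $dest : null;
}

if (isset($_FILES['uploadedfile'])) {
    $stored = store_image_upload($_FILES['uploadedfile'], 'uploads/');
    echo $stored !== null
        ? 'Stored as ' . htmlspecialchars($stored) . "\n"
        : "Sorry, we only accept GIF and JPEG images\n";
}
```

Re-encoding with GD keeps only the first frame of an animated GIF. Serving the uploads/ directory with PHP execution disabled is a separate, complementary control.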
