
Hello all

Today I'm going to write about an interesting vulnerability I've found in Square's acquisition website bookfresh.com that was escalated to remote code execution.

The story started when I saw that Bookfresh became a part of Square's bug bounty program at Hackerone. I decided to take a look and start finding some vulnerabilities. I've found that the website is vulnerable to many XSS, but I was looking for something bigger like SQL injection or RCE.

So while I was checking for SQL injection bugs I navigated to the profile page and found there is a file upload form to upload your profile photo. At the first moment I didn't expect to find any vulnerability in that upload functionality, but I decided to give it a try, maybe I could be lucky.

I uploaded a jpg image file while intercepting the HTTP request, then I changed the filename extension from jpg to php and forwarded the request. I was surprised that the image was uploaded with the php extension. I didn't believe my eyes, so I copied the image link and opened it in the browser. It displayed the image binary data as if you were opening the image in a text editor, which means it was successfully executed as a PHP script and the response content type was set to text/html.

So this is a simple and direct file upload bypass, right?

All I have to do is to inject my PHP code in the jpg file and get fast remote code execution. So I used a simple PHP code, <?phpinfo()?>, and injected it into the EXIF headers of the jpg image, then uploaded the image, but when I viewed it again no PHP code was executed and nothing happened!

So I saved the image to my computer and executed the strings command to see if it still had the phpinfo() code, however the results returned none!!

It turned out that all EXIF metadata was deleted from the image after uploading it to the server, and the image was converted using the GD library in PHP using the imagecreatefromjpeg() function.

So this seems not exploitable using EXIF data, but what will happen if I inject my PHP code into the image data itself, not the EXIF metadata? I thought that would work! So I tried to open the jpg file and inject the PHP code at the end of the file as the following

The image was still valid and working on my computer. After that I uploaded the image file 1.jpg, but the result was like the following:


It displayed the error message "File must be a valid image (.gif, .jpg, .jpeg, or .png)". I was surprised how it detected that the image wasn't a valid image while the image is working on my computer, so I tried with some other jpg files and it turned out that modifying a single character in any of those jpg images won't be accepted by the PHP GD library as a valid image and will not be uploaded.

After that I tried the same thing with a gif image and it worked like a charm: the image was uploaded successfully without throwing any errors, but when I tried to check the image after uploading it, I found that my PHP code was totally removed from it.

I tried again to inject the PHP code into other gif images and in different places in the image, but the PHP code was getting removed after uploading it. That looks totally unexploitable, but I'm only one step away from getting RCE, so I should find a way to upload my image with the injected PHP code and bypass the imagecreatefromgif() function. I don't know a lot about image processing and how PHP GD works, but I tried to do that in a simple old-school way.

I came up with an idea to compare the gif images before and after they get converted using PHP GD and search for any similarity between them, so if I find a similar part in the original file that was kept also after converting using PHP GD, then I can inject my PHP code in that part and get RCE.

I decided to try this, so I coded a python script that will compare the images before and after converting and check for any similarity between them. Then I searched my computer for all the gif images and copied them all into one folder. Afterwards I wrote a PHP script that will take all the gif images in that folder, regenerate them using the PHP GD imagecreatefromgif() function and save them into another folder. Then I used the python script to compare the files and check for any similar 13 bytes, which is the length of <?phpinfo()?>, in the original and the converted gif image files, and the results were really awesome: I've found a gif image with big similarities after it was converted using PHP GD.

The values were represented in hex, so I opened the original image file using a hex editor and searched for one of those matched values, 3b45d00ceade0c1a3f0e18aff1, and modified it to <?phpinfo()?>, saved the file and converted it with PHP GD, then checked the strings in the file. And guess what? The PHP code was still there.

I uploaded the gif image to Bookfresh and that was the result


PHP code executed successfully and I've got RCE.

The trick successfully defeated the PHP GD getimagesize() and imagecreatefromgif() functions that are used by many web developers nowadays to validate image uploads.
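The lesson of that bypass is that getimagesize() and GD re-encoding only prove a file is an image, not that it is safe to store under a client-chosen name where PHP runs. The handler below is an added example, not Bookfresh's code, showing the controls that close the hole: the type comes from the bytes, the name and extension are chosen by the server, and the file lands in a directory served as static content only. It assumes PHP 8 and a hypothetical $uploadDir with no script handler mapped to it.

```php
<?php
declare(strict_types=1);
// Hypothetical upload handler (added example, not Bookfresh's code).
// Controls: type detected from bytes, not the client file name; image
// re-encoded with GD; server-chosen random name; extension derived from the
// detected type; $uploadDir must be served as static files only (no PHP
// handler mapped to it, or kept outside the web root), so that any bytes
// that survive re-encoding, as in the GIF trick above, are never executed.

const MAX_BYTES = 2 * 1024 * 1024;
const ALLOWED = [IMAGETYPE_GIF => 'gif', IMAGETYPE_JPEG => 'jpg', IMAGETYPE_PNG => 'png'];

function storeProfilePhoto(string $tmpPath, string $uploadDir): string
{
    if (!is_uploaded_file($tmpPath) || filesize($tmpPath) > MAX_BYTES) {
        throw new RuntimeException('Rejected upload');
    }
    $info = getimagesize($tmpPath);              // inspects the bytes only
    if ($info === false || !isset(ALLOWED[$info[2]])) {
        throw new RuntimeException('File must be a valid image (.gif, .jpg, .jpeg, or .png)');
    }
    $type = $info[2];
    $src = match ($type) {
        IMAGETYPE_GIF  => imagecreatefromgif($tmpPath),
        IMAGETYPE_JPEG => imagecreatefromjpeg($tmpPath),
        IMAGETYPE_PNG  => imagecreatefrompng($tmpPath),
    };
    if ($src === false) {
        throw new RuntimeException('Rejected upload');
    }
    // Copy onto a fresh canvas so the output is fully regenerated by GD.
    $dst = imagecreatetruecolor(imagesx($src), imagesy($src));
    imagecopy($dst, $src, 0, 0, 0, 0, imagesx($src), imagesy($src));
    // Name and extension are chosen by the server, never taken from the request.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$type];
    $dest = rtrim($uploadDir, '/') . '/' . $name;
    $ok = match ($type) {
        IMAGETYPE_GIF  => imagegif($dst, $dest),
        IMAGETYPE_JPEG => imagejpeg($dst, $dest, 85),
        IMAGETYPE_PNG  => imagepng($dst, $dest),
    };
    imagedestroy($src);
    imagedestroy($dst);
    if (!$ok) {
        throw new RuntimeException('Could not store image');
    }
    return $name;   // caller records this name; the file is served statically
}
```

The static-only serving of $uploadDir is the control that actually matters here, since the GIF trick above shows that re-encoding by itself cannot be relied on to strip injected bytes.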

I've reported the vulnerability to Square's security team. They released a fast fix for the vulnerability, but I was able to bypass it again, so I gave them my recommendations for a complete fix and they applied it and paid me a very nice bounty for this bug.