Author: Daniel Kalinowski

Required tools

PHP with the gd module enabled (sudo apt install php-gd). The PoC from this article was tested on PHP 7.3.10-1 (cli) (built: 05:24:47) (NTS).

Every graphic file consists of pixels. If you open an image file in a hex editor you will immediately notice that those pixels are nothing more than bytes. Moreover, you can create an image with a particular byte order so that the bytes form a malicious payload. If you could upload such a prepared image to the server as a 1:1 copy with a .php extension, you could easily gain RCE on the server. Most web applications, however, make this rather unlikely to happen: they usually perform some image manipulation such as cropping or compression, thus "destroying" the malicious input.

In this article let's consider a scenario in which we are performing a security assessment of a PHP application that uses imageCreateFromPng or imagepng for image processing. The code we will use to simulate the server behaviour looks like this: server.php

It loads an example.png file via the imageCreateFromPng function, processes it with the imagepng function and saves the result to a new.png file.

PNG

Every PNG file consists of chunks, which are defined as follows:

"Critical chunks are those chunks that are absolutely required in order to successfully decode a PNG image from a PNG datastream. A valid PNG datastream shall begin with a PNG signature, immediately followed by an IHDR chunk, then one or more IDAT chunks, and shall end with an IEND chunk. Only one IHDR chunk and one IEND chunk are allowed in a PNG datastream."

Sample research into the IDAT chunk in particular is extensively described in the "Encoding Web Shells in PNG IDAT chunks" article. Besides critical chunks there are also ancillary (extension) chunks of various types and uses. In this blog post we'll consider whether there are more chunks which may be useful for smuggling a PHP payload.

The first that comes to mind is the ancillary chunk called tEXt. Its purpose is to store text in the PNG file, so it seems to be a perfect candidate for our test. Generate the sample file and validate it via ImageMagick:

:~/image-ip/png$ convert -comment "" -size 10x10 xc:white example.png
:~/image-ip/png$ identify -verbose example.png | grep comment

Run our server script (the code is available in the first paragraph) and check what happens with the payload.

PNG file after imagepng processing, without payload

Unfortunately, our PHP payload did not survive imagepng processing. The reason is that all textual chunks are optional (ancillary), so an encoder writing a new file is free to drop them. As you have seen above, not every chunk is a perfect candidate for smuggling our payload. In the rest of this article, we'll talk about the chunks which won't be modified by the imageCreateFromPng and imagepng functions.

The PLTE chunk is responsible for storing the colour palette used in the image. Let's see what we can do with the structure of this chunk. We have to generate a new image, this time with the help of PHP.
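The chunk layout quoted above and the tEXt experiment that follows, as an added Python example; this is not code from the original article or its server.php. It builds a minimal PNG by hand (signature, IHDR, a tEXt chunk carrying a constructed sample marker, IDAT, IEND), parses a datastream back into chunks while checking lengths, CRCs and the ordering rules from the specification, and then models what a re-encoder that keeps only critical chunks does to the tEXt payload. The strip_ancillary function is an assumption used to illustrate the effect the author observed, not a description of gd's internals, and the sample payload is a harmless placeholder.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# Constructed sample text: a harmless PHP marker standing in for the payload
# the article smuggles in the tEXt chunk (the real payload is not on the page).
SAMPLE_PAYLOAD = b'<?php echo "marker"; ?>'


def make_chunk(chunk_type: bytes, data: bytes) -> bytes:
    """Serialise one chunk: 4-byte big-endian length, 4-byte type, data,
    then CRC-32 computed over the type and data fields (not the length)."""
    crc = zlib.crc32(chunk_type + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + chunk_type + data + struct.pack(">I", crc)


def is_ancillary(chunk_type: bytes) -> bool:
    """Bit 5 of the first type byte (a lowercase letter) marks the chunk as
    ancillary; decoders and re-encoders may ignore or drop such chunks."""
    return bool(chunk_type[0] & 0x20)


def make_png(width: int, height: int, texts=()) -> bytes:
    """Build a minimal 8-bit RGB PNG of white pixels, optionally carrying
    tEXt chunks given as (keyword, text) pairs placed between IHDR and IDAT."""
    # IHDR: width, height, bit depth 8, colour type 2 (RGB), compression 0,
    # filter method 0, interlace 0
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    # each scanline starts with filter type 0 followed by width RGB triples
    raw = b"".join(b"\x00" + b"\xff" * (3 * width) for _ in range(height))
    chunks = [make_chunk(b"IHDR", ihdr)]
    for keyword, text in texts:
        chunks.append(make_chunk(b"tEXt", keyword + b"\x00" + text))
    chunks.append(make_chunk(b"IDAT", zlib.compress(raw)))
    chunks.append(make_chunk(b"IEND", b""))
    return PNG_SIGNATURE + b"".join(chunks)


def parse_chunks(data: bytes):
    """Walk a PNG datastream and return a list of (type, data) tuples.
    Raises ValueError on a bad signature, truncation, a CRC mismatch or a
    chunk sequence that violates the rules quoted from the specification."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("missing PNG signature")
    pos = len(PNG_SIGNATURE)
    chunks = []
    while pos < len(data):
        if pos + 8 > len(data):
            raise ValueError("truncated chunk header")
        (length,) = struct.unpack(">I", data[pos:pos + 4])
        chunk_type = data[pos + 4:pos + 8]
        end = pos + 8 + length
        if end + 4 > len(data):
            raise ValueError(f"truncated {chunk_type!r} chunk")
        body = data[pos + 8:end]
        (stored_crc,) = struct.unpack(">I", data[end:end + 4])
        if zlib.crc32(chunk_type + body) & 0xFFFFFFFF != stored_crc:
            raise ValueError(f"CRC mismatch in {chunk_type!r} chunk")
        chunks.append((chunk_type, body))
        pos = end + 4
        if chunk_type == b"IEND":
            break
    types = [t for t, _ in chunks]
    if types.count(b"IHDR") != 1 or types[0] != b"IHDR":
        raise ValueError("datastream must start with exactly one IHDR chunk")
    if types.count(b"IEND") != 1 or types[-1] != b"IEND":
        raise ValueError("datastream must end with exactly one IEND chunk")
    if b"IDAT" not in types:
        raise ValueError("datastream needs at least one IDAT chunk")
    return chunks


def chunk_types(data: bytes):
    """Chunk types in file order, a stand-in for inspecting the file with identify."""
    return [t for t, _ in parse_chunks(data)]


def get_text(data: bytes, keyword: bytes):
    """Return the text stored under `keyword` in a tEXt chunk, or None."""
    for chunk_type, body in parse_chunks(data):
        if chunk_type == b"tEXt":
            key, _, text = body.partition(b"\x00")
            if key == keyword:
                return text
    return None


def strip_ancillary(data: bytes) -> bytes:
    """Model of a re-encoder that keeps only critical chunks. Assumption used
    to illustrate why the tEXt payload vanished; it approximates the effect
    of decoding and re-encoding, not gd's actual implementation."""
    kept = [make_chunk(t, d) for t, d in parse_chunks(data) if not is_ancillary(t)]
    return PNG_SIGNATURE + b"".join(kept)


if __name__ == "__main__":
    png = make_png(10, 10, [(b"comment", SAMPLE_PAYLOAD)])
    print("before:", chunk_types(png), get_text(png, b"comment"))
    after = strip_ancillary(png)
    print("after: ", chunk_types(after), get_text(after, b"comment"))
```

Running the script prints the chunk list with the tEXt chunk present before stripping and absent after it, which is the same picture identify gave the author: a decoder can parse the file perfectly well without the text chunk, so nothing obliges an encoder to write it back out. The same parser applied to the PLTE chunk discussed next shows why that chunk is a different case: its type starts with an uppercase letter, so is_ancillary returns False and a re-encoder has to carry palette data through.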