Tags: php, perl, zlib, deflate

PHP shell on PNG's IDAT Chunk


I am studying DVWA's file upload vulnerability at the high security level. I want to bypass the filter, which only allows uploading images like jpg or png, so I'm planning to embed the payload <?=phpinfo(); in an image file. After searching, I found these great blogs:

  1. An XSS on Facebook via PNGs & Wonky Content Types
  2. Encoding Web Shells in PNG IDAT chunks
  3. Revisiting XSS payloads in PNG IDAT chunks

I'm too lazy to study the Deflate algorithm, so I searched for a PNG shell generator and found this great repository:

  1. PNG Payload Generator with PERL

After cloning and running it, it works great. But the payload is for an XSS vulnerability; the output is here:

<SCRIPT SRC=//ABC.DE></SCRIPT>

I want to finish DVWA's objective. It says:

Execute any PHP function of your choosing on the target system (such as phpinfo() or system()) thanks to this file upload vulnerability.

So the payload I want is <?=phpinfo();?> embedded in the PNG's IDAT chunks, so that this payload survives the filters and the compression of IDAT. In the repository, I found the bruteforce() logic previously described by the f1n1te / idontplaydarts blogs. I copied the source code and tried to brute-force the deflate compression with my payload, but it fails on symbol characters. Based on the source/generator, I have 2 questions:

  1. Why, in the source, does the brute force fail on the symbols "<" and "?", and also on other ASCII symbols, but work on ASCII "a-z" & "A-Z"?
  2. In the 3 blogs & 1 repository I found, these are the payloads used to brute-force Deflate:

    7ff399281922111510691928276e6e5c1e151e51241f576e69b16375535b6f - f1n1te
    f399281922111510691928276e6e562e2c1e581b1f576e69b16375535b6f0e7f - Adam
    03a39f67546f2c24152b116712546f112e29152b2167226b6f5f5310 - idontplaydarts
    0000f399281922111510691928276e6e5313241e1f576e69b16375535b6f0000 - Repository

How did those guys get all these payloads to brute-force Deflate compression?


Solution

  • The bruteforce fails because it's too short. You need 5 nibbles, not only 4. I marked the extra digit with an arrow.

    0000f399281922111510691928276e6e....1f576e69b16375535b6f0000 your template
    0000f399281922111510691928276e6e51121f576e69b16375535b6f0000 "x\234c`\370<SCRIPT SRC=//PH></script>\3\3\0w\314\10)"
    0000f399281922111510691928276e6e576f5f576e69b16375535b6f0000 "x\234c`\370<SCRIPT SRC=//<?></script>\3\3\0w\314\10)"
                                        ↑
    

    The program also contains a bug that prevents it from completely exhausting the search space. The format specifier for sprintf must be zero-padded, otherwise the hex-digit strings are too short; in other words, in the original program it must be %04x, not %x.
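From the defender's side, the point of this thread is that an extension or magic-byte check never looks at what the IDAT chunks actually carry: the template hex above is raw scanline data chosen so that deflate emits the payload text inside the compressed stream, and the resulting file is still a valid PNG. The following is an added example, not code from the question, the answer or the linked repository: a small Python PNG inspector that walks the chunks, verifies their CRCs, concatenates the IDAT data and searches both the still-compressed stream and the inflated scanline data for the kind of text markers discussed on this page. The two sample images it builds are constructed fixtures, one ordinary and one whose pixel values spell the page's phpinfo() payload so that the inflated-data path is exercised; the marker list and all function names are my own choices.

```python
import struct
import sys
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# Text markers that have no business inside image data. Constructed list;
# extend it to whatever the runtime behind your upload directory interprets.
SUSPICIOUS_MARKERS = [b"<?", b"<script", b"<SCRIPT"]


def parse_chunks(data):
    """Yield (chunk_type, chunk_body) for each chunk, verifying every CRC.

    Raises ValueError on a bad signature, a truncated chunk, a CRC mismatch
    or a missing IEND chunk.
    """
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    offset = len(PNG_SIGNATURE)
    while offset + 12 <= len(data):  # a chunk is at least length+type+crc
        length, = struct.unpack(">I", data[offset:offset + 4])
        ctype = data[offset + 4:offset + 8]
        body = data[offset + 8:offset + 8 + length]
        crc_bytes = data[offset + 8 + length:offset + 12 + length]
        if len(body) != length or len(crc_bytes) != 4:
            raise ValueError("truncated chunk %r" % ctype)
        expected_crc, = struct.unpack(">I", crc_bytes)
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != expected_crc:
            raise ValueError("CRC mismatch on chunk %r" % ctype)
        yield ctype, body
        offset += 12 + length
        if ctype == b"IEND":
            return
    raise ValueError("missing IEND chunk")


def scan_png(data):
    """Report suspicious markers in a PNG's IDAT data.

    Returns a dict with the markers found in the concatenated (still
    compressed) IDAT stream, the markers found in the inflated scanline
    data, and any zlib error raised while inflating.
    """
    # Concatenate first: a payload may straddle two IDAT chunks.
    idat = b"".join(body for ctype, body in parse_chunks(data) if ctype == b"IDAT")
    findings = {"compressed": [], "inflated": [], "inflate_error": None}
    findings["compressed"] = [m for m in SUSPICIOUS_MARKERS if m in idat]
    try:
        raw = zlib.decompress(idat)
    except zlib.error as exc:
        findings["inflate_error"] = str(exc)
        return findings
    findings["inflated"] = [m for m in SUSPICIOUS_MARKERS if m in raw]
    return findings


def build_greyscale_png(rows):
    """Build a minimal 8-bit greyscale PNG from scanline bytes (test fixture).

    Every row must have the same length; each byte is one pixel.
    """
    width, height = len(rows[0]), len(rows)

    def chunk(ctype, body):
        crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
        return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)

    ihdr = struct.pack(">IIBBBBB", width, height, 8, 0, 0, 0, 0)
    # Filter type 0 (None) prefixed to every scanline, then the whole image
    # is zlib-compressed exactly as an ordinary encoder would do it.
    raw = b"".join(b"\x00" + row for row in rows)
    return (PNG_SIGNATURE + chunk(b"IHDR", ihdr)
            + chunk(b"IDAT", zlib.compress(raw)) + chunk(b"IEND", b""))


# Constructed samples: an ordinary 3-pixel image, and one whose pixel values
# spell the page's payload once the IDAT stream is inflated.
CLEAN_PNG = build_greyscale_png([bytes([0, 128, 255])])
PAYLOAD_IN_PIXELS_PNG = build_greyscale_png([b"<?=phpinfo();?>"])


if __name__ == "__main__":
    paths = sys.argv[1:]
    if paths:
        for path in paths:
            with open(path, "rb") as fh:
                print(path, scan_png(fh.read()))
    else:
        print("clean sample:", scan_png(CLEAN_PNG))
        print("payload-in-pixels sample:", scan_png(PAYLOAD_IN_PIXELS_PNG))
```

Run it with one or more file paths to inspect real uploads, or with no arguments to inspect the two built-in samples. The compressed-stream search is the one that matters for the technique in this thread, since that is where the brute-forced template makes the text appear; the inflated-data search is there because the same file is also what an image library will decode, and because IDAT data is concatenated before either search, a marker split across chunk boundaries is still found.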