Proof-of-concept to exploit the flaw in the PHP-GD built-in function, imagecreatefromgif()
fakhrizulkifli/Defeating-PHP-GD-imagecreatefromgif

Exploiting PHP-GD imagecreatefromgif() function

Developers use the GD (or ImageMagick) library to prevent script execution via image headers by re-creating an uploaded image as a new file. This wipes the image headers and any embedded code present.

This is the script that generates the payload:

```php
<?php
// Load the original GIF through GD, exactly as a sanitising upload handler would.
$gif = imagecreatefromgif('poc.gif');
// Write it back out as a freshly encoded GIF.
imagegif($gif, 'exploit.gif');
imagedestroy($gif);
?>
```

This is the hexadecimal dump before the image is re-created. As you can see, the 4th and 5th lines contain nothing, and notice that the EXIF data is still present.

(screenshot: hex dump before re-creation)

After re-creation, the hexadecimal dump of the new image file still has that "sweet spot" where nothing is written. The EXIF data has been removed by the re-creation process. So let's try injecting the backdoor there.

(screenshot: hex dump after re-creation)

Now the PHP backdoor is placed in that blank space, because it is the only region that stays the same before and after the re-creation process.

(screenshot: hex dump with backdoor, before re-creation)

Voilà! As you can see, the code is still there even after the new image file is re-created.

(screenshot: hex dump with backdoor, after re-creation)

So what next? The attacker just needs to append a .php extension and upload the exploit.
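A defender-side check, added here and not part of the PoC: it walks the GIF block structure and reports any PHP open tag together with the region it sits in (palette, image blocks, or bytes after the trailer), so a re-encoded upload can be rejected before it is stored. The sample GIF is constructed for this example.

```python
import re
import struct
# Byte patterns PHP treats as the start of code; a re-encoded image should contain none.
PHP_TAGS = re.compile(rb"<\?php|<\?=|<\?\s|<script\b", re.IGNORECASE)

def _skip_sub_blocks(data: bytes, pos: int) -> int:
    # Advance past GIF data sub-blocks up to and including the zero-length terminator.
    while pos < len(data) and data[pos] != 0:
        pos += data[pos] + 1
    return pos + 1

def gif_regions(data: bytes) -> list:
    """Walk the GIF block structure; return (start, end, name) byte regions."""
    if len(data) < 13 or data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF file")
    regions = [(0, 6, "header"), (6, 13, "logical screen descriptor")]
    pos = 13
    if data[10] & 0x80:  # global color table flag in the packed LSD byte
        size = 3 * (2 ** ((data[10] & 0x07) + 1))
        regions.append((pos, pos + size, "global color table"))
        pos += size
    body_start = pos
    while pos < len(data):
        block = data[pos]
        if block == 0x3B:  # trailer: anything after it is not image data
            regions.append((body_start, pos, "image/extension blocks"))
            regions.append((pos + 1, len(data), "data after trailer"))
            return regions
        if block == 0x21:  # extension: introducer, label, then sub-blocks
            pos = _skip_sub_blocks(data, pos + 2)
        elif block == 0x2C:  # image descriptor, optional local color table
            packed, pos = data[pos + 9], pos + 10
            if packed & 0x80:
                pos += 3 * (2 ** ((packed & 0x07) + 1))
            pos = _skip_sub_blocks(data, pos + 1)  # skip LZW min code size byte
        else:
            break  # unknown block type: stop walking
    regions.append((body_start, len(data), "malformed/unterminated blocks"))
    return regions

def scan_gif_for_php(data: bytes) -> list:
    """Return (offset, region, tag) for every PHP open tag found in the file."""
    regions = gif_regions(data)
    return [(m.start(), next((n for s, e, n in regions if s <= m.start() < e), "unknown"), m.group())
            for m in PHP_TAGS.finditer(data)]

# Constructed 1x1 sample (not the PoC's file): 256-entry palette with a PHP tag planted in it.
PALETTE = bytearray(768)
PALETTE[300:315] = b"<?php echo 1;?>"
SAMPLE_GIF = (b"GIF89a" + struct.pack("<HHBBB", 1, 1, 0xF7, 0, 0) + bytes(PALETTE)
              + b"\x2c" + struct.pack("<HHHHB", 0, 0, 1, 1, 0) + b"\x02\x02\x44\x01\x00\x3b")
```

Such scanning is a detection aid; the reliable mitigation is to store uploads under a server-chosen, non-executable name and never honour a client-supplied .php extension.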
