суббота, 26 мая 2012 г.

PHP all getimage() bypass

Many PHP projects have image validation, based on getimagesize() function:
http://php.net/manual/ru/function.getimagesize.php

That function has an error, provides attacker to read Berkley DB format and another files, started at 0x00 (null-byte).

<?php
if(getimagesize("/etc/aliases.db")){
   echo "OK";
}
?>
#php -f gis-test.php
OK

In *BSD systems and MacOS Berkley DB files used as configs.
It may be used by attacker to bypass image reading functions based on getimagesize().

We used that trick on PHD pre-hackquest's (Blow Up the Town) task called Tretyakovskaya.
It was sucessfull find by participants listed below:
rdot.org
shr
AVictor
Antichat
MERRON
letm
sc2tv
DarkByte
ei-grad
vos
korvin
grixa
n0ne
Endragor
tiger
Greetz, guys!