Port Swigger File Upload Vulnerability-Lab 6

br4ind3ad
3 min read · Dec 17, 2021

Magic Numbers in Files:

Magic numbers are the first few bytes of a file that identify its type, independent of the file extension.
For instance, JPEG files always begin with the bytes FF D8 FF.

To look up the magic numbers of other file types, check this list: https://asecuritysite.com/forensics/magic

In this lab, we will need to create a polyglot JPEG file using ExifTool.

So what are polyglot files?

Read this article to understand better.

“Basically, Polyglots, in a security context, are files that are a valid form of multiple different file types. For example, a GIFAR is both a GIF and a RAR file. There are also files out there that can be both GIF and JS, both PPT and JS, etc.
Polyglot files are often used to bypass protection based on file types. Many applications that allow users to upload files only allow uploads of certain types, such as JPEG, GIF, DOC, so as to prevent users from uploading potentially dangerous files like JS files, PHP files or Phar files.
This helps to upload a file that complies with the format of several different formats. It can allow you to upload a PHAR file (PHP ARchive) that also looks like a JPEG, but probably you will still need a valid extension and if the upload function doesn’t allow it this won’t help you.”

Lab Description: This lab contains a vulnerable image upload function. Although it checks the contents of the file to verify that it is a genuine image, it is still possible to upload and execute server-side code. To solve the lab, upload a basic PHP web shell, then use it to exfiltrate the contents of the file /home/carlos/secret. Submit this secret using the button provided in the lab banner. You can log in to your own account using the following credentials: wiener:peter

Steps:

  1. Access the lab
  2. Log into the application using the credentials wiener:peter
  3. You can see that there is an image upload function
  4. Try to upload a basic web shell in PHP

[In Burp: intercept the request → send to Repeater]

You can see that the web application doesn't accept a PHP file.

  5. Download any JPEG file. For instance, I downloaded a flower.jpg

  6. Now, use ExifTool to create a polyglot file using the command:

exiftool -Comment="<?php echo 'START ' . file_get_contents('/home/carlos/secret') . ' END'; ?>" flower.jpg -o polyglot.php

Try to upload it; this time the file is uploaded successfully, because the content check only looks at the image bytes and the PHP payload sits in the JPEG comment segment.

  7. In the browser, the following message will be displayed

Click on "Back to My Account"

  8. View the page source and click on the img src link

  9. Between START and END you will find the secret
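To make the magic-number point from the start of the article and the lab's content check concrete, here is an added example (not from the original post or from PortSwigger) of the defender-side validation an upload handler could do. It builds a constructed, minimal JPEG skeleton whose COM segment carries a PHP tag, exactly the kind of file the exiftool -Comment command produces, and shows that a magic-number check alone accepts it while a check that walks the JPEG segment headers, plus an extension allowlist, rejects it. The function names, the allowlist and the sample bytes are all assumptions made for the example.

```python
import struct
from typing import Iterator, List, Tuple

JPEG_MAGIC = b"\xff\xd8\xff"          # first three bytes of every JPEG
SOI, EOI = b"\xff\xd8", b"\xff\xd9"   # start-of-image / end-of-image markers
ALLOWED_EXTENSIONS = {"jpg", "jpeg"}  # assumption: the app only serves images
# Strings that have no business inside image metadata (heuristic, not exhaustive).
SUSPICIOUS = (b"<?php", b"<?=", b"<script")


def make_jpeg_with_comment(comment: bytes) -> bytes:
    """Constructed sample: SOI + a COM (0xFFFE) segment + EOI.

    Not a decodable picture, just enough structure to exercise the parser;
    a real camera JPEG has APPn, DQT, SOF, ... segments before the scan data.
    """
    segment = b"\xff\xfe" + struct.pack(">H", len(comment) + 2) + comment
    return SOI + segment + EOI


def has_jpeg_magic(data: bytes) -> bool:
    """The naive check: is this a JPEG according to its first bytes?"""
    return data[:3] == JPEG_MAGIC


def iter_segments(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (marker, payload) for each header segment up to SOS or EOI.

    Each segment is FF <marker> <2-byte big-endian length incl. the length
    field> <payload>. Header segments before SOS all carry a length.
    """
    pos = 2  # skip SOI
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected marker byte at offset %d" % pos)
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):  # EOI, or SOS: entropy-coded data follows
            return
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length


def scan_metadata(data: bytes) -> List[int]:
    """Return the markers of segments whose payload contains a script marker."""
    hits = []
    for marker, payload in iter_segments(data):
        low = payload.lower()
        if any(s in low for s in SUSPICIOUS):
            hits.append(marker)
    return hits


def validate_upload(filename: str, data: bytes) -> Tuple[bool, str]:
    """Extension allowlist + magic check + metadata scan; returns (ok, reason)."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_EXTENSIONS:
        return False, "extension not allowed"
    if not has_jpeg_magic(data):
        return False, "not a JPEG"
    try:
        hits = scan_metadata(data)
    except ValueError as exc:
        return False, "malformed JPEG: %s" % exc
    if hits:
        return False, "script tag in metadata segment 0x%02X" % hits[0]
    return True, "ok"


if __name__ == "__main__":
    polyglot = make_jpeg_with_comment(b"<?php echo file_get_contents('/path/to/secret'); ?>")
    print("magic only:", has_jpeg_magic(polyglot))                    # True: the lab's check passes
    print("full check:", validate_upload("polyglot.php", polyglot))   # rejected on extension
    print("full check:", validate_upload("polyglot.jpg", polyglot))   # rejected on COM segment
    print("full check:", validate_upload("flower.jpg", make_jpeg_with_comment(b"shot on a phone")))
```

The segment scan is a detection signal rather than a guarantee: an attacker can hide bytes in other places, so the structural fix is to store uploads outside the web root (or behind a handler that never executes them), serve them with a fixed image Content-Type, and strip metadata by re-encoding the image with an image library before saving it.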

Hope you enjoyed reading this article!
