Day 22: Upload .htaccess as image to bypass filters

Changing file headers for upload and changing values with intercepting proxies is at the core of most remote web hacking. There are many tricks one can try to bypass filters, such as unusual extensions that some servers execute (php7, for example), but you also have the classic trick of uploading a file masquerading as another.

In today’s post I want to go over a great trick covered in this write-up…

Understanding Files

Every image file format starts with a few magic bytes used to identify itself. For example, PNGs will start with the 4 bytes \x89PNG. Since \x89PNG isn’t a valid .htaccess directive, we won’t be able to use the PNG file format for our polyglot.

In the case of .htaccess you want to find a file format that starts with a #, since the # is interpreted as a comment and the rest of the image content is ignored, resulting in a valid .htaccess file.

In .htaccess files, lines starting with a null byte (\x00) are also ignored, so one would want to find valid image file types starting with # or \x00.

The CTF

In this case the team looked at the supported file types: http://php.net/manual/en/function.exif-imagetype.php#refsect1-function.exif-imagetype-constants. This is a great example of how you must put in the time to understand the technology you are working with; guesswork would not get you here.

As you can see they picked the right format as some of the more obscure ones start with bytes that would corrupt the .htaccess file…

The team figured out, using a script, that a valid .wbmp file only requires 6 bytes. They also assumed that the width and height are stored in bytes 3–6. Height was important as the challenge looked for images sized 1337x1337; this is of course helpful for other sites that insist on specific size images or icons.
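A defensive counterpart to the header trick described above, as an added example that is not from the original post or the CTF write-up: a Python upload check that parses the whole WBMP header, requires the file length to match the declared dimensions, and replaces the client's filename. The function names, the `.wbmp`-only allowlist and the size limit are assumptions for illustration.

```python
import os
import secrets

ALLOWED_EXT = {".wbmp"}  # assumption: this endpoint accepts only WBMP images

def read_uintvar(buf, pos):
    """Decode a WBMP multi-byte integer: 7 bits per byte, high bit = more follows."""
    value = 0
    for _ in range(5):  # bound the length so crafted input cannot run away
        if pos >= len(buf):
            raise ValueError("truncated header")
        byte = buf[pos]
        pos += 1
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            return value, pos
    raise ValueError("multi-byte integer too long")

def check_wbmp(data, max_side=4096):
    """Return (width, height) only if the whole file is a well-formed type-0 WBMP."""
    if len(data) < 2 or data[0] != 0 or data[1] != 0:
        raise ValueError("not a type-0 WBMP header")
    width, pos = read_uintvar(data, 2)
    height, pos = read_uintvar(data, pos)
    if not (0 < width <= max_side and 0 < height <= max_side):
        raise ValueError("unreasonable dimensions")
    expected = ((width + 7) // 8) * height  # 1 bit per pixel, rows padded to bytes
    if len(data) - pos != expected:
        raise ValueError("length does not match declared dimensions")
    return width, height

def safe_store_name(client_name):
    """Validate the client's name, then discard it for a server-generated one."""
    base = os.path.basename(client_name.replace("\\", "/"))
    if base.startswith(".") or "\x00" in base:
        raise ValueError("dotfiles such as .htaccess are never accepted")
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED_EXT:
        raise ValueError("extension not allowed")
    return secrets.token_hex(16) + ext

# Constructed samples: an 8x2 image, and the same header followed by text.
GOOD = bytes([0x00, 0x00, 0x08, 0x02, 0xFF, 0x00])
BAD = bytes([0x00, 0x00, 0x08, 0x02]) + b"\nnot pixel data\n"

if __name__ == "__main__":
    print(check_wbmp(GOOD), safe_store_name("icon.wbmp"))
```

Storing uploads outside the web root, or in a directory served with `AllowOverride None`, removes the remaining reliance on filename checks.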

Upload Success

As you can see the team successfully uploaded a valid .htaccess file using this trick…

Afterthoughts

The reason I wanted to cover this today is to show how one can bypass seemingly impossible hurdles by understanding how things work at the core; again, you don’t get to this by guesswork. Most of hacking carries the same abstract concepts, and applying this concept in other areas will be successful; just look at hackthebox and OSCP for all the easy bypasses with simple file extensions or deceiving magic bytes.