Pwnlab_init from Vulnhub

Please don't read if you are planning to start the machine and don't want spoilers.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
So, basically gaining access is not that easy, although the machine is aimed at beginners.
There is something I can't understand and yes, I looked at several walkthroughs: they all use the same method and they don't answer my question.
An important part concerns the way to upload a shell.
There are several checks in the php code, a very important one is:
$imageinfo = getimagesize($_FILES['file']['tmp_name']);
// ...
// ...
if($imageinfo['mime'] != 'image/gif' && $imageinfo['mime'] != 'image/jpeg' && $imageinfo['mime'] != 'image/jpg' && $imageinfo['mime'] != 'image/png') {
    die('Error 002');
}

From some research, it looks like this can be bypassed by appending php code in the comment of an image with exiftool, or by adding a magic signature at the beginning of the php file with a hex editor to make the app think it's a valid image file (the code also checks the extension and doesn't accept double extensions).
Neither method seems to work. Or at least, if I append the comment I can upload the image with php code in the comment, but then I don't know how to execute it. If I change the file signature ("magic bytes") of the file I still get Error 002 (see code above).
Instead, it looks like a php reverse shell is uploaded fine if we just put GIF at the beginning of the code, on a separate line (in Burp or in the reverse shell itself). Of course the shell must be named .jpg or .gif or .png.
Why does it seem to work only if we put GIF, and not if we put JPG or JPEG or file signature in the file before the php code?
How does getimagesize work?

Thx in advance...

halfluke
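Added example, my own Python model rather than code from the VM or from PHP itself, of the signature sniff that sits behind `$imageinfo['mime']`, placed next to a stricter GIF validator a defender could use instead. It assumes the signature lengths in PHP's ext/standard/image.c are as I read them (GIF: the 3 bytes "GIF" only, JPEG: FF D8 FF, PNG: the full 8-byte signature); all sample bytes are constructed.

```python
import struct

# Prefixes getimagesize() compares before parsing any header (assumption:
# based on my reading of ext/standard/image.c, not verified against every version).
GIF_SIG = b"GIF"                  # 3 bytes; "87a"/"89a" is never checked
JPEG_SIG = b"\xff\xd8\xff"        # raw bytes, so the text "JPG"/"JPEG" never matches
PNG_SIG = b"\x89PNG\r\n\x1a\n"    # full 8-byte signature

def sniff_mime(data: bytes):
    """Model of the sniff: GIF needs 3 sig bytes + 3 skipped + 5 read (width/height/flags),
    any values accepted. PHP's real JPEG path then walks markers and returns false when no
    SOF frame is found, which is why raw FF D8 FF + script text still yields Error 002."""
    if data.startswith(GIF_SIG) and len(data) >= 11:
        return "image/gif"
    if data.startswith(JPEG_SIG):
        return "image/jpeg"   # marker walk not modelled here
    if data.startswith(PNG_SIG) and len(data) >= 25:
        return "image/png"
    return None

def passes_error_002_gate(data: bytes) -> bool:
    """The allow-list from the page's check, applied to the sniffed type."""
    return sniff_mime(data) in ("image/gif", "image/jpeg", "image/jpg", "image/png")

def strict_gif_check(data: bytes) -> bool:
    """Defensive alternative: full 6-byte signature, non-zero logical screen size,
    GIF trailer byte at the end, and no PHP open tag anywhere in the body."""
    if data[:6] not in (b"GIF87a", b"GIF89a") or len(data) < 13:
        return False
    width, height = struct.unpack("<HH", data[6:10])
    if width == 0 or height == 0 or not data.endswith(b"\x3b"):
        return False
    return b"<?" not in data

# Constructed samples: a real 1x1 GIF, and two text files with an image word on line 1.
REAL_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
            b"\x21\xf9\x04\x01\x00\x00\x00\x00\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00"
            b"\x02\x02\x44\x01\x00\x3b")
GIF_TEXT_PREFIX = b"GIF\n<?php /* constructed script text, not pixels */ ?>\n"
JPG_TEXT_PREFIX = b"JPG\n<?php /* constructed script text, not pixels */ ?>\n"

if __name__ == "__main__":
    for name, blob in [("real gif", REAL_GIF), ("GIF text", GIF_TEXT_PREFIX), ("JPG text", JPG_TEXT_PREFIX)]:
        print(f"{name:9} sniff={sniff_mime(blob)!s:11} gate={passes_error_002_gate(blob)} strict={strict_gif_check(blob)}")
```

Running it shows the sniff and the page's gate accepting the "GIF" text file while rejecting the "JPG" one, and the strict parser accepting only the real image.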
