imagepng - PHP code example

The php Function Imagepng() Can Be Used to Smuggle PHP Payloads Into PGIF Files

Image manipulation is becoming more and more prevalent in web development. Images are cropped, resized, watermarked and more using PHP’s graphics library (GD).

To use GD, you need to have it compiled into your PHP. Many web hosts have this as a standard feature. You can also download and install the GD package from your local PC.

The php function imagepng() outputs a GD image stream in PNG format to standard output (usually the browser) or, if a filename is given, it saves the image to the file. It works in the same way as other GD functions such as imagegif(), imagewbmp(), and imagejpeg().

If you have indexed palettes, imagecolorsforindex($img) will return an array of the RGBT values for each color in the image. This will be especially useful for those who want to create their own custom colors for the indices in the indexes in the image.

The php functions imagepng(), imagecreatefrompng(), and imagesavetopng() can be used to smuggle PHP payloads into PGIF files. However, slight misconfigurations of the underlying server and secondary vulnerabilities could allow attackers to bypass these functionalities.

For example, if an attacker resizes the input PNG file before uploading it to the webserver, it is likely that critical chunks of the image data, such as the PLTE chunk, will be destroyed and our payload will be lost with it. This is a simple example that illustrates the dangers of relying on these PGIF image creation and saving functions for smuggling PHP code.

imagepng example

        $image = apply_filters_deprecated( 'image_save_pre', array( $image, $attachment_id ), '3.5.0', 'image_editor_save_pre' );

        switch ( $mime_type ) {
            case 'image/jpeg':
                header( 'Content-Type: image/jpeg' );
                return imagejpeg( $image, null, 90 );
            case 'image/png':
                header( 'Content-Type: image/png' );
                return imagepng( $image );
            case 'image/gif':
                header( 'Content-Type: image/gif' );
                return imagegif( $image );
            case 'image/webp':
                if ( function_exists( 'imagewebp' ) ) {
                    header( 'Content-Type: image/webp' );
                    return imagewebp( $image, null, 90 );
                }
                return false;
            default:
                return false;
        }

$renderer = $this->container->get('renderer');

    $png = File::create([
      'uri' => 'public://test-image.png',
    ]);
    $png->save();

    // We need to create an actual empty PNG, or the GD toolkit will not     // consider the image valid.     $png_resource = imagecreate(300, 300);
    imagefill($png_resource, 0, 0, imagecolorallocate($png_resource, 0, 0, 0));
    imagepng($png_resource, $png->getFileUri());

    $svg = File::create([
      'uri' => 'public://test-image.svg',
    ]);
    $svg->save();
    // We don't have to put any real SVG data in here, because the GD toolkit     // won't be able to load it anyway.     touch($svg->getFileUri());

    $entity = EntityTest::create([
      'name' => $this->randomMachineName(),

    public function getTemplateData()
    {
        $rand = Random::getAlphanumericString(32);

        $string = md5($rand);
        $string = substr($string, 0, 5);

        $imgResource = $this->getImageResource($string);

        ob_start();
        imagepng($imgResource, null, 9);
        $img = (string) ob_get_clean();
        imagedestroy($imgResource);
        $img = base64_encode($img);

        return [
            'img' => $img,
            'sRand' => $rand,
        ];
    }

    /** * {@inheritdoc} */

/** * @param resource $newImage * @param int $quality - JPEG quality */
    private function saveImage(string $destination, $newImage, int $quality): void
    {
        ob_start();
        // saves the image information into a specific file extension         switch (strtolower($this->getImageExtension($destination))) {
            case 'png':
                imagepng($newImage);
                break;
            case 'gif':
                imagegif($newImage);
                break;
            default:
                imagejpeg($newImage, null, $quality);
                break;
        }

        $content = ob_get_contents();
        if (!\is_string($content)) {

imagecolorallocate($img, 255, 255, 255);
        }

        $codeColor = (int) imagecolorallocate($img, 0, 0, 0);
        if ($filesystem->exists($this->fontPath)) {
            imagettftext($img, 45, 0, 80, 55, $codeColor, $this->fontPath, $code);
        } else {
            imagestring($img, 5, 100, 20, $code, $codeColor);
        }

        ob_start();
        imagepng($img, null, 9);
        $image = (string) ob_get_clean();
        imagedestroy($img);
        $image = base64_encode($image);

        return new BasicCaptchaImage($code, $image);
    }

    public function setBackgroundPath(string $path): void
    {
        $this->backgroundPath = $path;
    }

    public function stream( $mime_type = null ) {
        list( $filename, $extension, $mime_type ) = $this->get_output_format( null, $mime_type );

        switch ( $mime_type ) {
            case 'image/png':
                header( 'Content-Type: image/png' );
                return imagepng( $this->image );
            case 'image/gif':
                header( 'Content-Type: image/gif' );
                return imagegif( $this->image );
            case 'image/webp':
                if ( function_exists( 'imagewebp' ) ) {
                    header( 'Content-Type: image/webp' );
                    return imagewebp( $this->image, null, $this->get_quality() );
                }
                // Fall back to the default if webp isn't supported.             default:
                header( 'Content-Type: image/jpeg' );

if (! @imagejpeg($this->resource, $target, $quality)) {
                    throw ImageException::forSaveFailed();
                }
                break;

            case IMAGETYPE_PNG:
                if (! function_exists('imagepng')) {
                    throw ImageException::forInvalidImageCreate(lang('Images.pngNotSupported'));
                }

                if (! @imagepng($this->resource, $target)) {
                    throw ImageException::forSaveFailed();
                }
                break;

            case IMAGETYPE_WEBP:
                if (! function_exists('imagewebp')) {
                    throw ImageException::forInvalidImageCreate(lang('Images.webpNotSupported'));
                }

                if (! @imagewebp($this->resource, $target, $quality)) {
                    throw ImageException::forSaveFailed();
                }

/** * {@inheritdoc} */
    public function getTemplateData()
    {
        $string = $this->createCaptchaString();

        $imgResource = $this->getImageResource($string);

        ob_start();
        imagepng($imgResource, null, 9);
        $img = (string) ob_get_clean();
        imagedestroy($imgResource);
        $img = base64_encode($img);

        /** @var string[] $sRandArray */
        $sRandArray = $this->container->get('session')->get(self::SESSION_KEY, []);

        $threshold = 51;
        if (\count($sRandArray) > $threshold) {
            $sRandArray = \array_slice($sRandArray, -$threshold);
        }

$originalImageSize['height']
        );

        return $thumbnail;
    }

    private function writeThumbnail(\GdImage $thumbnail, MediaEntity $media, string $url, int $quality): void
    {
        ob_start();
        switch ($media->getMimeType()) {
            case 'image/png':
                imagepng($thumbnail);

                break;
            case 'image/gif':
                imagegif($thumbnail);

                break;
            case 'image/jpg':
            case 'image/jpeg':
                imagejpeg($thumbnail, null, $quality);

                break;