The PHP Function imagepng() Can Be Used to Smuggle PHP Payloads Into PGIF Files
Image manipulation is becoming more and more prevalent in web development. Images are cropped, resized, watermarked and more using PHP’s graphics library (GD).
To use GD, you need to have it compiled into your PHP build. Many web hosts offer this as a standard feature. You can also download and install the GD package on your local PC.
The PHP function imagepng() outputs a GD image stream in PNG format to standard output (usually the browser) or, if a filename is given, saves the image to that file. It works in the same way as the other GD output functions such as imagegif(), imagewbmp(), and imagejpeg().
If the image uses an indexed palette, imagecolorsforindex($img, $index) returns an array of the red, green, blue and alpha values of the palette entry at $index. This is especially useful if you want to inspect or build custom colours for the palette indices of the image.
The PHP functions imagepng(), imagecreatefrompng(), and imagesavetopng() can be used to smuggle PHP payloads into PGIF files. However, slight misconfigurations of the underlying server, combined with secondary vulnerabilities, could allow attackers to bypass the safeguards these functions are relied upon to provide.
For example, if an attacker resizes the input PNG before uploading it to the web server, it is likely that critical chunks of the image data, such as the PLTE chunk, will be rewritten and the payload lost with them. This simple example illustrates the danger of relying on these PGIF image creation and saving functions for smuggling PHP code.
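Because the payload described above rides inside a named PNG chunk such as PLTE, a defender can walk the chunk structure of an upload and flag any chunk whose data carries a PHP open tag, rather than only trusting the file extension or MIME type. The following Python scanner is an added example, not code from the original page; the PNG fixtures it builds (`build_sample_png`) are constructed inline for the demonstration and are not real uploads.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
PHP_TAGS = (b"<?php", b"<?=", b'<script language="php"')

def chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one PNG chunk: length, type, data, CRC over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def iter_chunks(png: bytes):
    """Yield (type, data, crc_ok) for every chunk; raise on a malformed file."""
    if not png.startswith(PNG_SIG):
        raise ValueError("not a PNG: bad signature")
    pos = len(PNG_SIG)
    while pos + 12 <= len(png):
        length = struct.unpack(">I", png[pos:pos + 4])[0]
        ctype = png[pos + 4:pos + 8]
        data = png[pos + 8:pos + 8 + length]
        crc = struct.unpack(">I", png[pos + 8 + length:pos + 12 + length])[0]
        crc_ok = (zlib.crc32(ctype + data) & 0xFFFFFFFF) == crc
        yield ctype, data, crc_ok
        pos += 12 + length
        if ctype == b"IEND":
            return
    raise ValueError("truncated PNG: no IEND chunk")

def find_php_in_chunks(png: bytes) -> list[tuple[str, str]]:
    """Return (chunk type, reason) for each chunk that carries a PHP open tag
    or a wrong CRC; an empty list means nothing suspicious was found."""
    findings = []
    for ctype, data, crc_ok in iter_chunks(png):
        name = ctype.decode("latin-1")
        if not crc_ok:
            findings.append((name, "crc mismatch"))
        if any(tag in data for tag in PHP_TAGS):
            findings.append((name, "php open tag"))
    return findings

def build_sample_png(palette: bytes) -> bytes:
    """Constructed 1x1 8-bit palette PNG whose PLTE chunk is the caller's bytes."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 3, 0, 0, 0)  # colour type 3 = indexed
    idat = zlib.compress(b"\x00\x00")                     # filter byte + one pixel index
    return (PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"PLTE", palette)
            + chunk(b"IDAT", idat) + chunk(b"IEND", b""))

CLEAN = build_sample_png(b"\xff\x00\x00" * 3)      # three ordinary palette entries
SMUGGLED = build_sample_png(b"<?php ?>\x00")       # 9 bytes: an inert tag padded to 3 entries
```

Running the scanner over `SMUGGLED` reports the PLTE chunk, while `CLEAN` yields no findings; a file that GD has re-encoded with imagepng() would have its palette rewritten, which is exactly why the text warns the payload may not survive resizing.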