#Use gifsicle malicious image code#

While you may never run the code locally on your server, it may be possible to upload malicious JavaScript code. Then the attacker can point to your site when he needs to reference the code in other attacks (e.g., XSS). There may also be rare situations where PHP or other server-side code may be consumed from this image. There may be misconfigurations in your server, or the attacker may just upload the attack image wherever, hoping for some kind of include() or eval() to take place. E.g., see this example (from 2008, but some attacks may still work on outdated webservers; I recommend reading through the rest of the thread for interesting concepts):

> ... .JPG/.GIF (or only allows those extensions), then you need to be more creative. ... Name a file ..., and Apache will still treat it as PHP. Another option you can try is by sending an upload request (with a tool or a HTTP request editor) that embeds a NULL byte before the ... ASP scripts tend to be vulnerable to this - the script will see the entire file name, but the underlying file operation will truncate the name of the file after the NULL byte. Something.asp%00.jpg would become something.asp.

Another walkthrough of PHP code embedded in an image.

In order to manipulate the EXIF JPEG metadata fields, I will use the command-line jhead tool. There exist many other tools out there with similar functionality to choose from for your needs. Now that we have our metadata manipulation tool, let's pick a random JPEG image and read its metadata.

The file is pretty much clean, so let's make it a little bit dirtier by hiding some PHP code in the metadata comment field. To edit the comment field, I will use the -ce flag of the jhead tool.

OK, everything is set up, so let's launch our first attempt to execute a command on the target machine. To send the command using the POST method, I will use the curl tool.

```
JFIF.uid=33(www-data) gid=33(www-data) groups=33(www-data)
```

Bingo! The command has been successfully executed on the target machine. The garbage at the beginning of the output is caused by the data of the image's header: when PHP includes the image, every byte before the opening PHP tag is sent to the client verbatim, so the JPEG header bytes (including the "JFIF" marker) show up in front of the command output.

Something that must be mentioned here is that some PHP configurations might have passthru included in their disabled functions (the disable_functions directive in php.ini). In that case you can choose a similar function like system, exec, shell_exec, etc., as long as it is not disabled too.

Now that we have confirmed that our technique is working, let's hide a whole PHP backdoor shell in the comment field of the same image. For that purpose, I will choose the weevely PHP shell, but you can choose an alternative shell that you have in your pentest arsenal. Initially we create the shell with the weevely script and then copy the generated PHP code into the metadata comment field.

```
./weevely.py -g -o back.php -p admin
Weevely 0.3 - Generate and manage stealth PHP backdoors.
Copyright (c) 2011-2012 Weevely Developers
```
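The two attack classes on this page, PHP smuggled into a JPEG comment segment (what `jhead -ce` produces) and filenames that smuggle a server-side extension past an upload filter (the NUL-byte and Apache multi-extension tricks in the quoted 2008 thread), can be checked with the same upload validator. The following is an added example and is not code from the original post, from jhead or from weevely: it builds a minimal JPEG with a COM segment the way the walkthrough does, parses the JPEG marker structure to locate PHP open tags in metadata, shows which bytes a vulnerable include() would echo before the code runs (the "JFIF" garbage seen above), and rejects the two filename tricks. The sample images, filenames and the extension allow/deny lists are constructed assumptions for the demo, not a specification.

```python
"""Added example (not from the original post or from jhead/weevely): build a
JPEG whose COM segment carries PHP, which is what `jhead -ce` leaves behind,
then validate uploads the way a hardened handler should. All inputs are
constructed for the demo; the extension lists are assumptions, not a spec."""
import re
import struct

SOI, EOI, COM = b"\xff\xd8", b"\xff\xd9", 0xFE
# <?php, <?= or a bare short tag followed by whitespace; does not match <?xpacket (XMP)
PHP_TAG = re.compile(rb"<\?(?:php\b|=|\s)", re.IGNORECASE)
IMAGE_EXT = {"jpg", "jpeg", "gif", "png"}                       # assumed allow-list
SERVER_SIDE_EXT = {"php", "php3", "php4", "php5", "phtml", "phar", "asp", "aspx", "jsp"}


def build_jpeg_with_comment(comment: bytes) -> bytes:
    """Minimal JPEG: SOI, APP0 (JFIF), COM carrying `comment`, EOI.
    Real images carry many more segments, but the layout is the same."""
    jfif = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    app0 = b"\xff\xe0" + struct.pack(">H", len(jfif) + 2) + jfif
    com = b"\xff" + bytes([COM]) + struct.pack(">H", len(comment) + 2) + comment
    return SOI + app0 + com + EOI


def iter_segments(data: bytes):
    """Yield (marker, payload) for each metadata segment before SOS/EOI."""
    if not data.startswith(SOI):
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker in (0xDA, 0xD9):          # SOS (scan data) or EOI: no more metadata
            return
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length


def find_php_in_metadata(data: bytes) -> list:
    """(marker, offset) of every PHP open tag inside COM or APPn payloads."""
    hits = []
    for marker, payload in iter_segments(data):
        if marker == COM or 0xE0 <= marker <= 0xEF:
            hits += [(marker, m.start()) for m in PHP_TAG.finditer(payload)]
    return hits


def bytes_echoed_before_php(data: bytes) -> bytes:
    """What a vulnerable include() sends to the client before the code runs:
    every byte ahead of the first open tag, i.e. the 'JFIF' garbage seen above."""
    m = PHP_TAG.search(data)
    return data[:m.start()] if m else data


def c_string_truncate(name: str) -> str:
    """What a NUL-terminated file API sees: the name stops at the first NUL,
    so something.asp%00.jpg is stored as something.asp."""
    return name.split("\x00", 1)[0]


def filename_problems(name: str) -> list:
    problems = []
    if "\x00" in name:
        problems.append(f"NUL byte: file system would see {c_string_truncate(name)!r}")
    if "/" in name or "\\" in name or ".." in name:
        problems.append("path separator or traversal")
    exts = name.lower().split(".")[1:]          # every extension, not only the last
    if not exts or exts[-1] not in IMAGE_EXT:
        problems.append("final extension is not an allowed image extension")
    for ext in exts[:-1]:                       # shell.php.jpg: Apache may still run it as PHP
        if ext in SERVER_SIDE_EXT:
            problems.append(f"inner extension .{ext}")
    return problems


def validate_upload(name: str, data: bytes) -> list:
    """Empty list means the upload passed both the name and the content checks."""
    problems = filename_problems(name)
    try:
        hits = find_php_in_metadata(data)
    except ValueError as exc:
        return problems + [str(exc)]
    return problems + [f"PHP open tag in segment 0x{m:02X} at offset {o}" for m, o in hits]


if __name__ == "__main__":
    clean = build_jpeg_with_comment(b"holiday photo")
    dirty = build_jpeg_with_comment(b"<?php passthru($_POST['cmd']); ?>")
    for fname, blob in [("photo.jpg", clean), ("photo.jpg", dirty),
                        ("something.asp\x00.jpg", clean), ("shell.php.jpg", clean)]:
        print(repr(fname), validate_upload(fname, blob) or "OK")
    print("echoed before the tag:", bytes_echoed_before_php(dirty))
```

Two caveats on the design. The metadata scan stops at the SOS marker, but PHP's include() does not: a tag hidden in the scan data or appended after EOI executes just the same, so a production check should search the whole file (or, better, re-encode every uploaded image and serve uploads from a location the web server never passes to the PHP handler). The filename checks reject rather than sanitize, because a filter that strips the NUL byte or the inner extension invites a second round of bypasses; the allow-list on the final extension plus a deny-list on every inner extension covers both tricks quoted above.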