Include PHP code into a picture file
Hi, I don't know if there is already something about this in the forum, so I post it.
There is a method for putting PHP code into a picture. The PHP code could be whatever you want. And I think you can imagine that you can do a lot with it if you e.g. hack a big site and replace some picture on the start side with injected pictures.
It's in German but you can translate it with Google. And if you don't understand it I can translate it and post it.
I hope someone is interested in it.
Greetz NoPax
English…
http://66.102.9.104/translate_c?hl=en&sl=de&u=http://keksa.de/?q=picup
Reading through a bit, looks interesting…
In the majority of cases this won't be possible.
It depends what you're trying to do. If you host your own image file, then of course you can put whatever PHP you want into it. This is useful if you want to grab an IP etc.
If you are uploading an image file to the server, then it will only work IF they do not check the image for PHP / code, and IF they have some htaccess MIME type turned on, so images will execute as PHP. So it would seem unlikely.
I've just read the German article (in German, automatic translations suck) and it looks very interesting. The guy explains it well and I can understand all the possibilities this would create, if, and only if, the script will actually execute, which I think will be quite a problem. Still, if there's some small site made by one person who is not that experienced and he has some sort of picture uploading system, this might even work. And if it works, it'll work well.
OK, you can inject PHP code into a picture. I usually use shell code, but the only way to get it to work is if the site that you upload the picture to is vuln to an LFI. That's the only way to execute the PHP code in the picture. I have been using this for some time now. Though it's rare to find a site that is vuln to this type of attack, they are still out there in the wild.
The idea is, if a forum etc. allows you to upload a picture, you can insert some code into the comments (usually via passthrough).
If the site has local file inclusion you can use
www.site.com/[additional dirs]/page.php?var=[PathToYourPic]
and the page will execute your script using require_once() or include() etc.,
which would work. Also bear in mind you can "upload" stuff elsewhere, i.e. logfiles/error files.
This might help you: http://www.astalavista.com/index.php?section=docsys&cmd=details&id=74
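
A defender-side check for the technique discussed in this thread, added here as an example and not part of any post: a Python scanner for an upload handler that walks a JPEG's segments and flags PHP open tags in comment or metadata segments and in data appended after the end-of-image marker. The function name, the regex and the sample bytes are constructed for illustration.

```python
import re
import struct

# "<?php", short echo "<?=", or short tag "<?" followed by whitespace.
# "<?xml" and XMP's "<?xpacket" are deliberately not matched.
PHP_TAG = re.compile(rb"<\?(php|=|\s)", re.IGNORECASE)

def scan_jpeg(data: bytes) -> list[str]:
    """Return findings for a JPEG upload; an empty list means nothing flagged."""
    if data[:2] != b"\xff\xd8":
        return ["not a JPEG (missing SOI marker)"]
    findings = []
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            findings.append(f"malformed segment at offset {pos}")
            break
        marker = data[pos + 1]
        if marker == 0xDA:  # SOS: compressed image data follows, stop walking
            break
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if length < 2 or pos + 2 + length > len(data):
            findings.append(f"bad segment length at offset {pos}")
            break
        payload = data[pos + 4:pos + 2 + length]
        if PHP_TAG.search(payload):
            name = "COM" if marker == 0xFE else f"0xFF{marker:02X}"
            findings.append(f"PHP open tag in {name} segment at offset {pos}")
        pos += 2 + length
    eoi = data.rfind(b"\xff\xd9")
    if eoi != -1 and PHP_TAG.search(data[eoi + 2:]):
        findings.append("PHP open tag after EOI marker")
    return findings

def _segment(marker: int, payload: bytes) -> bytes:
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed sample files: header segments only, not decodable pictures.
_HEAD = b"\xff\xd8" + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
_TAIL = b"\xff\xda\x00\x02\x11\x22\xff\xd9"
CLEAN = _HEAD + _segment(0xFE, b"holiday photo") + _TAIL
TAGGED = _HEAD + _segment(0xFE, b"<?php /* constructed test marker */ ?>") + _TAIL
APPENDED = CLEAN + b"<?= 'constructed' ?>"

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN), ("tagged", TAGGED), ("appended", APPENDED)):
        print(label, scan_jpeg(blob))
```

A hit is a reason to reject or re-encode the upload. The scan is a heuristic; the two conditions named in the thread (images handled as PHP, or a file-inclusion bug on a user-controlled path) are what make the embedded code run, so those are what to eliminate.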