| Author |
Include PHP code into a picture file |
NoPax
Member
Posts: 70
Location: BlackCore
Joined: 11.09.08
Rank: Monster
Warn Level: 20
|
|
Hi
I don'T know if there is already something about this in the forum so I post it.
There is a method how you can put php code into picture. The php code could be what you want. And I think you can imagine that you can do a lot of with it if you e.g. hack a big site and replace some picture on the start side with injected pictures =
It's on german but you can translate it with google. And if you don't understand it I can translate it and post it.
http://www.keksa.de/?q=picup
I hope someone is interested in it.
Greetz
NoPax |
|
| Author |
RE: Include PHP code into a picture file |
K3174N 420
Member
Posts: 296
Location: In a grow room, growing cannabis.
Joined: 14.09.08
Rank: God
Warn Level: 69
|
|
English...
http://66.102.9.104/translate_c?hl=en&sl=de&u=http://keksa.de/?q=picup
Reading thru a bit, looks interesting...
Thanks Yours31f!
Make poverty history... Cheaper drugs now! - Frank gallagher
Einstein climbs to the top of Mt. Sinai to get close enough to talk to God.
Looking up, he asks the Lord...
"God, what does a million years mean to you?"
The Lord replies, "A minute."
"Einstein asks, "And what does a million pounds mean to you?"
The Lord replies, "A penny."
Einstein asks, "Can I have a penny?"
The Lord replies, "In a minute."
|
|
| Author |
RE: Include PHP code into a picture file |
NoPax
Member
Posts: 70
Location: BlackCore
Joined: 11.09.08
Rank: Monster
Warn Level: 20
|
|
It really is if you don't understand something PM me or post it here and I 'll translate it. But you have to know that my english is not the best one =)
Greetz
NoPax |
|
|
| Author |
RE: Include PHP code into a picture file |
Mr_Cheese
HBH Owner
Posts: 2468
Location: Brighton, UK
Joined: 30.11.04
Rank: God |
|
majority of cases this wont be possible.
It depends what your trying to do. If you host your own image file, then ofcourse you can put whatever PHP you want into it. This is useful if you want to grab an IP etc.
If you are uploading a image file to the server, then it will only work IF they do not check the image for php / code.. and IF they have some htaccess mime type turned on, so images will execute as php. So it would seem unlikely. |
|
|
| Author |
RE: Include PHP code into a picture file |
DarkMantis
Member
Posts: 192
Location: Bringing Security To You!
Joined: 23.04.06
Rank: Elite |
|
Yeah I agree with Cheesy. Ive tried it.
THE PEOPLE UNITED WILL NEVER BE DEFEATED!
don't care for money, and money's not for me,
the money fueled this empire and our racist history.
Although I'm forced to use it, the rules have all been set.
But life is not worth living when yer soul is in debt!
MONEY KILLS.
MONEY RAPES.
MONEY LIES.
MONEY HATES. |
|
|
| Author |
RE: Include PHP code into a picture file |
GTADarkDude
Member
Posts: 142
Location: The Netherlands
Joined: 23.02.08
Rank: God |
|
I've just read the German article (in German, automatic translations suck) and it looks very interesting. The guy explains it well and I can understand all the posibilities this would create, if, and only if, the scblockedript will actually exectute, which I think will be quite a problem. Still, if there's some small site made by one person who is not that experienced and he has some sort of picture uploading system, this might even work. And if it works, it'll work well.
... |
  
|
| Author |
RE: Include PHP code into a picture file |
NoPax
Member
Posts: 70
Location: BlackCore
Joined: 11.09.08
Rank: Monster
Warn Level: 20
|
|
I am not sure but I think that if you for example put the php code injected picture on your server and than register in some forums, which allow to give url links for your avatar it will work.
Nevertheless iĻ think that is very interessting.
Greetz
NoPax |
|
|
| Author |
RE: Include PHP code into a picture file |
exidous
Member
Posts: 113
Location: ~Where My Proxy Says!~
Joined: 17.07.07
Rank: Uber Elite |
|
Ok, you can inject php code into a picture. I usually use shell code, but the only way to get it to work is the site that you upload the picture to has to be vuln to a lfi. Thats the only way to execute the php code in the picture. I have been using this for some time now. Though its rare to find a site that is vuln to this type of attack, they are still out there in the wild.
|
|
|
| Author |
RE: Include PHP code into a picture file |
nanoymaster
Member
Posts: 115
Location: hell...
Joined: 20.08.05
Rank: God
Warn Level: 30
|
|
the idea is if a forum etc. allows you to upload a picture you can insert some code into the comments (usually via passthrough)
if the site has local file inclussion you can use
www.site.com/[additional dirs]/page.php?var=[PathToYourPic]
and the page will execute your scblockedript
using require_once() or include() etc.
which would work
also bear in mind you can "upload" stuff elsewhere ie. logfiles/error files
this might help you
http://www.astalavista.com/index.php?section=docsys&cmd=details&id=74
|
|
|
| Author |
RE: Include PHP code into a picture file |
exidous
Member
Posts: 113
Location: ~Where My Proxy Says!~
Joined: 17.07.07
Rank: Uber Elite |
|
lol, i wasent gonna tell them how to do it.
|
|
|
Main:
