I'll never forget my tragedy with the Administrator [passing a PHP file through an image uploader]
Posted on: June 15, 2011
About six months ago, something happened that I have never forgotten: I was called to the place of the Jenbacher Crew (a team who manage the computer networking and website content on my campus, the administrator team). I was surprised when I was suddenly suspected of being a security breaker on my campus. “What’s up?” “What happened?” You know, at that time I was falling down. I didn’t know what I should do. I couldn’t think clearly because I was threatened with suspension from my studies in the Electrical Engineering Department, and their decision made me very, very confused.
It happened when my campus implemented the Online System of Subject Choosing. My account was taken over by an unknown person, and until now I still don’t know who it was. The chronology started when the image of my account was changed to another image. At that time, one of them said to me that my image contained PHP syntax. How can an image hold information like PHP syntax? I was mocked by the administrator and suffered many humiliations. I won’t forget when he mocked me.
Since then, because I could not accept his humiliation of me, I have continued to learn and learn. I even learned how programming syntax can be put into an image. And now I’m going to share with you how it is done. Maybe this technique was used by the attacker who took over the image of my account before I knew about it.
For this tutorial I use Windows 7 for the experiment, but you can also use Windows XP to follow along. OK, let’s try:
1. Make a blank image. You can use the Paint program for this step.
2. Press Ctrl+E, set the image attributes to Width: 1 and Height: 1, and then click OK.
3. Then save your file as bmp_image.bmp.
4. Prepare your PHP code, such as a backdoor or something else. For this tutorial, I only use PHP code like this:
<?php echo "<br><h1> I'm here </h1> <br><I'm Panteng" ; ?>
In this step an attacker could insert other code, such as a backdoor, but for this tutorial I only use it to show text. I saved that text as “panteng.php”.
5. After preparing the two files (bmp_image.bmp and panteng.php), the attacker needs to merge them into one PHP file. For this example, I will name that file “bmp_panteng.php”. Note that when merging the two files, the content of bmp_image.bmp must be at the beginning of the file and the content of panteng.php must be at the end. This is the concept of the file merge:
C:\hack>type panteng.php >> bmp_image.bmp
BM: 6 ( ☺ ☺ ☺ ↑ ♦ <?php echo “<br><h1> I
‘m here </h1> <br><I’m Panteng” ; ?><?php echo “<br><h1> I’m here </h1> <br><I’m
Panteng” ; ?>
C:\hack>ren bmp_image.bmp bmp_panteng.php
The .bmp extension must be changed to .php because the web server only runs PHP code in a file that has the PHP extension; without it, the web server can’t run the PHP code that was put into the BMP image. The PHP file (bmp_panteng.php) passes the image uploader easily because it still begins with a BMP header, so an uploader that only looks at the header treats it as an image.
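
Seen from the uploader's side, the merged file described above gives itself away in several ways: a non-image extension, a BMP size field that no longer matches the file length, and a script open tag in the bytes. The following Python sketch of those server-side checks is an added example, not part of the original post; the function names, the allow-list and the sample bytes are assumptions constructed for illustration.

```python
import hashlib
import os
import struct

ALLOWED_EXT = {".bmp"}               # assumption: this uploader only takes BMP
SCRIPT_MARKERS = (b"<?php", b"<?=")  # heuristic only, not the main control


def make_bmp_1x1():
    """Constructed sample: minimal 24-bit 1x1 BMP, 58 bytes."""
    pixels = b"\xff\xff\xff\x00"     # one BGR pixel padded to a 4-byte row
    offset = 14 + 40                 # file header + BITMAPINFOHEADER
    file_hdr = struct.pack("<2sIHHI", b"BM", offset + len(pixels), 0, 0, offset)
    info_hdr = struct.pack("<IiiHHIIiiII", 40, 1, 1, 1, 24, 0,
                           len(pixels), 0, 0, 0, 0)
    return file_hdr + info_hdr + pixels


def check_upload(filename, data):
    """Return the reasons to reject an upload; an empty list means accept."""
    reasons = []
    # 1. The extension decides whether the web server hands the file to PHP.
    if os.path.splitext(filename)[1].lower() not in ALLOWED_EXT:
        reasons.append("extension")
    # 2. Magic bytes alone prove nothing, but a missing header is a reject.
    if len(data) < 14 or data[:2] != b"BM":
        reasons.append("magic")
        return reasons
    # 3. bfSize (offset 2, little-endian) must match the real length;
    #    bytes appended after the image leave it stale.
    if struct.unpack_from("<I", data, 2)[0] != len(data):
        reasons.append("size-mismatch")
    # 4. Script open tags anywhere in the bytes.
    if any(marker in data.lower() for marker in SCRIPT_MARKERS):
        reasons.append("script-marker")
    return reasons


def stored_name(data):
    """Server-chosen name: content hash plus a fixed, non-executable extension."""
    return hashlib.sha256(data).hexdigest() + ".bmp"


if __name__ == "__main__":
    clean = make_bmp_1x1()
    appended = clean + b"<?php /* constructed marker */ ?>"
    print(check_upload("avatar.bmp", clean))
    print(check_upload("bmp_panteng.php", appended))
    print(stored_name(appended))
```

Checks 3 and 4 are heuristics that can miss or misjudge files; what actually prevents execution is the extension allow-list together with saving the upload under a server-chosen name in a directory where the web server does not run scripts.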