Making a backdoor through Image upload? Unable to upload your shell to the server? If yes, then no worry to about it now. I will share a method that how to bypass image uploader. How you can upload your shell with an image uploader that blocks the other extensions. It may not bypass all up-loaders but, it will get through most of them.
First of all we need to know what the image uploader will not allow and what it is blocking whether it be file extension, dimension or file size. After you know why you cant upload something your attack becomes much more efficient as you know the fact behind the blockage.
How to bypass image uploader?
Let’s say our target only checks for file extension. What we can do is to use a null byte. A null byte is kinda like a comment (It drops whatever is after it). A null byte url encoded is and another null byte is (This null byte usually works in php). We can use this to rename our exploit/shell to have a jpg extension but, still upload like php. So we rename our shell or exploit to shell.php.jpg, shell.php.jpg.
This will not bypass all filters. Some filters will upload it as a jpg and the php code will not execute. This can be for various reasons such as the programming language the up-loader is coded in, If the up-loader has been coded not to drop the or for security reasons, or if the up-loader does not allow or in the up-loaded files name.
Ok next is if the up-loaders checks for dimensions but, not filetype… It is a malicious as an attacker can hex edit a valid jpg to include php exploit code and rename it to php. That way the php file has valid dimensions and will up-load but, the file will execute as php. I have done this on my testing lab and usually just open the jpg in a hex editor and make the changes.The problem is its easy to corrupt the file.But, I recently found a cool program called edjpgcom that allows you to add comments to your jpg file which makes it much easier. Download edjpgcom from here.
How to bypass image uploader with edjpgcom?
- As you have downloaded, extract it to C:/ drive. It will be having edjpgcom inside the folder.
- Then copy and paste the image into the edjpgcom folder that you want to add to backdoor. Make sure it’s having a valid extension.
- Open the Command Prompt from the Start menu.
- Type cd c:edjpgcom and hit enter.
- Now you’re in the edjpgcom directory. Now type edjpgcom.exe picturename.jpg and hit enter. Change picturename.jpg to your image name.
- As you do it, a window will appear. You just need to delete everything from the window and have to put your exploit or shell source code.
- Now rename the file picturename.jpg to picturename.php and just upload it. You’ll watch a magic how it worked.
That’s all how to bypass image uploader. Hope it will be helpful for you. Cheers..!
Note: Use Virtual Machine and scan on VirusTotal before downloading any program on Host Machine for your privacy.