Can a php shell be injected into an image? How would this work?

php code-injection
GStock picture GStock · Feb 24, 2011 · Viewed 30.7k times · Source

I remember seeing an exploit for an image uploading function, which consisted of hiding malicious php code inside a tiff image.

I'm making my own image uploading script, and I assume I'll have to protect myself from this possibility. Except, that I have no idea how it would work. Does anyone know how a php shell hidden inside an image would execute itself? Would it need to be loaded in a certain way?

Thanks.

Answer

Marty picture Marty · Jun 5, 2012

Re encoding the image will not stop someone from uploading a shell. The only sure way to prevent it is to re-encode and scan the image for the presence of php tags.

For an example of a PHP PNG shell that will survive re-encoding

Related questions

How to prevent code injection attacks in PHP?

I am a bit confused, there are so many functions in PHP, and some using this, some using that. Some people use: htmlspecialchars(), htmlentities(), strip_tags() etc Which is the correct one and what do you guys usually use? Is …

Read More
How can I test my PHP MySQL injection example?

I want to use PHP/Mysql injection with a login example, my code is below. I have tried with a username of anything' -- and an empty password but it doesn't work and I couldn't log in. Could anyone help …

Read More
PHP MySQLI Prevent SQL Injection

I've build a website that will be going live soon and just have a couple questions about preventing SQL injection, I understand how to use mysqli_real_escape_string but I'm just wondering if I have to use that on …

Read More