How to hide arbitrary scripts in GIF images (upgraded version)

-= Written in front, but not nonsense =-

Update-1: I saw a discussion on the QQ collar and found that RSnake introduced this as early as 07 years ago.MethodIt seems that I am out.

Update-2: It is said that the regular expression can be used to match <script src00000000xxx.gif ">. However, many file references on the server end use URL rewriting, therefore, it is not possible to block HTML code by matching the regular expression.

First, this question is not the title party. You can indeed hide many types of code in the GIF image, including C, Perl, and Javascript. This is not what I said. Someone has succeeded in the experiment: http://www.thinkfu.com/blog/gif?cript-polyglots.

Secondly, I wrote this article not to translate the achievements of Jasvir Nagra, but to make an in-depth discussion of gifjavascript-polyglots of Jasvir Nagra. Jasvir Nagra is not introduced at least about how to construct gifjavascript-polyglots.

Also, for how to hide PHP and ASP in GIF images, the "copy/B + copy/a" method on Gu Ge and Baike is different from the ployglots method described in this article.

Also, the GIF method in one sentence is completely different from the method mentioned in this article.

Okay, so far.

The following describes the method.
-= Detailed constructor method =-
Select any gif image. Images in other formats can be converted to gif using the image format conversion software. I use GIMP for GIF format conversion, and I only have this software. Second, when GIMP converts an image to a GIF format, it will prompt you to enter a comment. The polyglots method we will introduce today is exactly the script you want to hide (leave at least two spaces at the beginning and end of the script code, which will be described later) write it to the comments field of the GIF image!
If you have used GIMP in step 1. Congratulations. You are very close to success. You can go directly to step 3. Otherwise, use the File editing software that supports binary encoding to directly edit GIF images. GIF images in GIF89a format (the file header is GIF89a) use the hexadecimal encoding of the annotator to start marking: 21 FE, and the ending mark is 00. Your code is hidden in the GIF comment block.
If you are lucky, the GIF image has already become a GIF + Javascript mixture (gifjavascript-polyglots. But unfortunately, you are usually a cup. We also need to manually review the GIF image generated. Make sure that the generated GIF image complies with the GIF89a encoding format standard and is a legal Javascript script. The following is a simple gifjavascript-polyglots instance (in hexadecimal notation)

Have you noticed the features of the above GIF image?

(1). Follow the GIF89a encoding standard. As long as the image can be normally displayed, we can simply think that this condition is met.

(2). It is a legal JavaScript code.

GIF89a = 1/* ooxx */alert (1);/* xxoo **/

The main task in step 3 is to correct the GIF image to meet the features (2 ). Generally, 2F 2A is randomly displayed in GIF images, which results in the destruction of the JS Code annotations that we have carefully constructed. This causes the browser to encounter errors when interpreting and executing the JS Code! All we need to do is to change the random 2F 2A to any ASCII code that does not damage the annotation.

The final GIF file content can be used as long as it meets the above features (1) and (2.
-= Can be used ..., Cannot be used... =-

The first is the typical reference method:

<Script src00000000your_gif0000cript-polyglots.gif "> </script>

Second, scenarios that can be used:

Because our scripts are hidden in GIF images, the resolution of GIF images constructed in this way will become very large (because we modified the resolution-related bytes in the file header ), there is no visual difference with unprocessed GIF images (you can use some CSS tricks to completely eliminate visual differences ). How many websites on the Internet support uploading GIF images? Hey, the custom portraits, image sharing websites, and collars of most forums are good places for us to hide JS Code. Then... You can use your imagination. At least, I think the release of this method is troublesome for the majority of backend programmers. Sorry... It also poses a new problem for manufacturers who are filtering malicious websites. However, the solution is still easy to say.

Finally, it cannot be used in the following scenarios:

Want to steal cookies? Save your time, and you have the same security policy.

Postscript:

For Firefox NoScript users, note that the latest version of NoScript is not recommended. Specifically, when you open the Firefox error console, the following message is displayed:

[NoScript] Blocking cross site Javascript served from/Article/UploadPic/2010-12/20101224223316961. gif with wrong type info image/gif and supported ded by http://www.huangwei.me/00.html

Firefox users who do not have NoScript installed will not be able to defend themselves. But don't worry too much. At least cookies on other websites cannot be stolen.

In fact, in recent years, there have been an endless stream of patterns in the new methods of multimedia content attacks and client attacks. Many attack ideas are based on MashUps, concealment, ambiguity, and critical conditions. While Debugging, I even ran into a malformed gif Firefox crash. It seems that the vulnerabilities related to multimedia file browser interpretation and execution will become a hot spot for a long time in the future.

Reprinted from a pig smile