
How to Hack Forum Accounts with Password-Stealing Pictures « Null Byte :: WonderHowTo

The pictures we upload online are something we tend to think of as self-expression, but these very images can carry code to steal our passwords and data. Profile pictures, avatars, and image galleries are used all over the internet. While all images carry pixel data, and many also carry metadata about the camera or photo edits, it's far less expected that an image might actually be hiding malicious code.

How Is Hiding Code in an Image Possible?

Files are generally structured in a few different parts. Image files, for instance, generally begin with a declaration of the type of image data present. This is usually something like a "Start of Image" marker: a sequence or number that indicates what is going to follow it. GIF files begin with GIF87a or GIF89a when viewed as ISO 8859-1 text, which is "47 49 46 38 37 61" (or "47 49 46 38 39 61" for GIF89a) in hexadecimal.

These signatures are followed by data that describes the arrangement and coloring of the pixels in the image. This data, enclosed in an image file, is enough to create a usable bitmap image. In addition to the visible image data, however, metadata such as EXIF can be inserted in application marker segments, and the image data itself is both opened and closed with defined indicators (a GIF, for example, ends with a one-byte trailer). Anything after the closing indicator will not be processed as an image.

A GIF image viewed as hexadecimal values.

Metadata is generally only visible to the user when it's specifically parsed, and in the same way, hidden code will only be visible to a program that is looking for code to run. While this data often contains camera information, location data, or similar information related to the photograph itself, it could also be stuffed with another file or, in this case, executable code.

Despite the hidden content included in an image file, it still behaves as a standard image, as the opening and closing components of the image content are sufficient for image-viewing programs to interpret and display the image.

In the same way, when a web page tells the browser to load a script with a script tag, the browser fetches the resource and tries to parse it as JavaScript regardless of its file extension. If that resource is an image file rather than a text file, the browser will run it so long as the bytes form valid JavaScript, with the image data safely enclosed between the opening and closing elements of the code.

How Can This Technique Be Used?

Websites such as forums, hosting sites, or other sites with user-generated content often allow the uploading of images and the posting of text or media content.

In certain cases, HTML script tags will be permitted, perhaps via a widget available for users to add to their posts or pages. A script tag may also be inserted where it should not have been due to a lack of input validation, often by closing an enclosing element such as a textarea with an early </textarea> tag. Even if not, you can host your own web page that sources scripts from other sites. Note, however, that a script runs with the origin of the page that includes it, not of the server it was fetched from: a script loaded from the target's domain into your own page only sees your page's cookies. To read the target's cookies, the script tag itself must end up in a page on the target's domain.

Because of this, as a protective measure, most sites won't let you upload scripts, but many will allow you to upload images, and many of those will just save the image and serve it up as-is (with our payload intact). So, by uploading JavaScript within an image, it can be hosted on, and executed from, a site's server. In addition, the technique greatly obfuscates malicious JavaScript even when used on a server controlled by the attacker, and could be used to obscure the actions of a phishing page.

What Can We Do by Executing JavaScript Hosted on a Target Server?

JavaScript can be used to attempt to steal cookies, which may include authentication tokens; to chain further XSS payloads that execute more JavaScript; to prompt browsers to download or run a program; and even to steal information from other websites the user has visited (assuming the target host serves integrations that other web pages access). In the case of this example, a simple JavaScript alert function is used to confirm that the JavaScript is running properly, but this could be replaced with malicious code or even a BeEF browser hook.

Step 1: Downloading & Installing Imagejs

Let’s begin by cloning the git repository for the project. The commands in these examples are entered in a Kali Linux terminal environment.

git clone https://github.com/jklmnn/imagejs

After cloning the repository, we move into the directory with the following command.

cd imagejs

Finally, to compile the program, we simply run:


Step 2: Preparing JavaScript Code

The JavaScript formatting required is relatively minimal. No opening or closing tags are needed, and our file can simply specify the actions we wish to be performed. In order to test JavaScript functionality, we might use a sample string such as the one below. This JavaScript code will simply open an alert window with the text "Null Byte."

window.alert("Null Byte");

We can save this text under the filename of our choice, or write it directly to script.js with the following command.

echo 'window.alert("Null Byte");' > script.js

Step 3: Embedding JavaScript into an Image

The JavaScript code can be embedded into any GIF, BMP, WEBP, PNM, or PGF file. However, depending on the limitations of where the image is going to be uploaded, we should consider how we form it.

If the image is going to be uploaded as an avatar or profile picture on a website, we should make sure that it isn't too large a file and that its resolution doesn't exceed the maximum size. If the image with embedded JavaScript is scaled, re-compressed, or re-encoded by the website, or if the site strips metadata, the embedded code will most likely be destroyed, so the hope is that if you upload an image that fits the site's stated requirements, they'll save it in a hosted location as-is, without any alterations. I simply used the image below, saved as a GIF file by exporting it from GIMP.

Step 4: Using Imagejs

Once we have both the code we would like to embed and the image we would like to add the code to, we can embed them using the following parameters. The script in this example is titled "script.js" and the image "image.gif", both of which are in the same directory as the imagejs program, as we can confirm by running ls.

The syntax begins with running the program, imagejs. The first argument, in this case gif, indicates the file type. The second argument is the script we are using, and the final argument, following the -i flag, is the image we wish to modify.

./imagejs gif script.js -i image.gif

The name of the output file, in this case, will be "script.js.gif". However, we can rename it to whatever we choose.

Step 5: Testing the Script

To test the functionality of the script image, let's create an HTML test page (with the usual opening html and body tags) containing the following two lines.

<img src="http://null-byte.wonderhowto.com/script.js.gif">
<script src="http://null-byte.wonderhowto.com/script.js.gif"></script>

We can save this file as "script.html" or the filename of our choice. When we open it in a browser, it should look like the following image.

The <img> tag has been included to demonstrate that the GIF image is still entirely functional as an image, but it could be omitted and the script would still run.

Serving this from a local file works because file systems don't specify MIME types. Most web servers, however, assign a MIME type to the files they serve based on the file extension. If the server labels the file with an image MIME type (such as image/gif), modern browsers will refuse to execute it as a script, since image types are not executable. The trick therefore depends on the file being served without a Content-Type, or with a non-image one.

Step 6: Attacking

Now that we've established a way to embed JavaScript in images, we'll want to look at what we can do with that JavaScript code, and how it can be injected into a live website.

The following command will attempt to write the user's cookies into the served-up web page. These cookies may be usable to impersonate users by stealing their authentication tokens. Now, obviously, simply writing them to the user's own browser isn't going to get them to you (you'd have to write a script that quietly posts them to your own server), but this will serve as a simple proof of concept:

document.write('cookie: ' + document.cookie)

Finally, in order to deploy the attack, we need somewhere to upload our image and a field on the same site that's vulnerable to XSS, where we can escape input validation and use a <script> tag pointing at the image. (Loading the image as a script from our own phishing page is easier, but because the script then runs in the origin of our page rather than the target's, it would only give us our own page's cookies; in that setting the image merely serves as an obfuscated host for the payload.) In the example below, we uploaded our avatar, 1337.gif, and following a </textarea> exit tag, we enclose it in script tags. After this, anyone who views this profile will have their cookies dumped to their browser window. Replace the script above with one that silently posts the values of document.cookie to a server of your choosing, and you've got yourself a silent credential thief.

Step 7: Defending Against the Attack

The solution for defending against an attack like this on the client side may be as simple as installing NoScript and sticking to trustworthy sites (such as Null Byte) that spend copious amounts of time protecting themselves against XSS attacks. However, it's quite difficult to differentiate good scripts from bad ones, and the responsibility for preventing malicious JavaScript injection lies on the shoulders of web developers and administrators.

For web developers to properly avoid any sort of JavaScript, PHP, or SQL injection, the solution is the same: input validation, output encoding, and user privilege management. If a user is at any point able to attain remote code execution, the majority of the battle has already been lost. Make sure your web server is up to date and is properly configured to serve image/* MIME types for any image files you host; sending the X-Content-Type-Options: nosniff header as well stops browsers from second-guessing that label. While it can take a little more work, the best practice is to re-encode user-uploaded images rather than storing them as-is: running them through an image library such as ImageMagick to re-size and re-compress them produces a fresh file, which both strips metadata such as EXIF and discards anything hidden after the image data. Stripping EXIF alone is not enough, though: GIF files don't even carry EXIF, and the payload here lives after the image data, not in a metadata field.
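The following is an added example, not code from this article or from the imagejs project, that ties the file-structure explanation at the top of the page to the upload-time check suggested here. It constructs a minimal 1x1 GIF, turns it into a GIF/JavaScript polyglot in the way the text describes (the exact byte layout is an assumption made for this illustration; imagejs's own output may differ), and then runs the kind of check an upload handler could apply: walk the GIF block structure to the trailer, count any bytes after it, and ask the JavaScript engine whether the whole file compiles as a program. It runs under Node.js, and the helper names (walkGif, buildPolyglot, scanUpload) are made up here.

```javascript
// Added example (not from the article or the imagejs project): build a GIF/JavaScript
// polyglot in the way the text describes, then scan it the way an upload handler could.
// The GIF bytes below are a constructed 1x1 image; the layout of the appended script is
// an assumption made for this illustration and is not imagejs's exact output.

// Minimal valid 1x1 GIF89a (constructed sample input).
const PLAIN_GIF = Buffer.from([
  0x47, 0x49, 0x46, 0x38, 0x39, 0x61,             // "GIF89a" signature
  0x01, 0x00, 0x01, 0x00,                         // logical screen width/height = 1x1 (little-endian)
  0x80, 0x00, 0x00,                               // global colour table present (2 entries), bg index, aspect
  0x00, 0x00, 0x00, 0xff, 0xff, 0xff,             // colour table: black, white
  0x2c, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, // image descriptor: 1x1 at (0,0)
  0x02, 0x02, 0x44, 0x01, 0x00,                   // LZW min code size, one 2-byte data sub-block, terminator
  0x3b,                                           // trailer ';' : decoders stop here
]);

// Walk the GIF block structure and report where the trailer is and what follows it.
function walkGif(buf) {
  const sig = buf.toString('latin1', 0, 6);
  if (sig !== 'GIF87a' && sig !== 'GIF89a') throw new Error('not a GIF: ' + JSON.stringify(sig));
  const width = buf.readUInt16LE(6);
  const height = buf.readUInt16LE(8);
  const packed = buf[10];
  let off = 13;                                               // header (6) + logical screen descriptor (7)
  if (packed & 0x80) off += 3 * (1 << ((packed & 0x07) + 1)); // skip global colour table
  const skipSubBlocks = () => {                               // length-prefixed sub-blocks end with a 0x00 byte
    while (buf[off] !== 0x00) {
      if (buf[off] === undefined) throw new Error('truncated sub-block');
      off += buf[off] + 1;
    }
    off += 1;
  };
  for (;;) {
    const b = buf[off];
    if (b === undefined) throw new Error('no trailer found');
    if (b === 0x3b) return { width, height, trailerOffset: off, trailing: buf.subarray(off + 1) };
    if (b === 0x2c) {                                         // image descriptor
      const local = buf[off + 9];
      off += 10;
      if (local & 0x80) off += 3 * (1 << ((local & 0x07) + 1)); // local colour table
      off += 1;                                               // LZW minimum code size
      skipSubBlocks();
    } else if (b === 0x21) {                                  // extension: label byte, then sub-blocks
      off += 2;
      skipSubBlocks();
    } else {
      throw new Error('unknown block 0x' + b.toString(16) + ' at offset ' + off);
    }
  }
}

// Does the whole file compile as a JavaScript program? new Function() parses without running it.
function parsesAsJavaScript(buf) {
  try { new Function(buf.toString('latin1')); return true; }
  catch (e) { if (e instanceof SyntaxError) return false; throw e; }
}

// Turn a GIF into a GIF/JS polyglot: the two width bytes become "/*", so everything up to
// the trailer is a JS comment, and "*/=1;" plus the script is appended after the trailer,
// where image decoders never look. Read as JS the file is: GIF89a/*...*/=1;<script>
function buildPolyglot(gif, script) {
  const out = Buffer.from(gif);                // copy
  out[6] = 0x2f; out[7] = 0x2a;                // logical screen width is now 0x2a2f, i.e. "/*"
  const { trailerOffset } = walkGif(out);      // still parses as a GIF
  const body = out.subarray(8, trailerOffset + 1);
  if (body.includes(Buffer.from('*/'))) throw new Error('image bytes would close the comment early');
  return Buffer.concat([out, Buffer.from('*/=1;' + script, 'latin1')]);
}

// The check an upload handler can run: a genuine image has nothing after the trailer and
// does not compile as JavaScript; a polyglot fails both tests.
function scanUpload(buf) {
  const info = walkGif(buf);
  const report = {
    width: info.width,
    height: info.height,
    bytesAfterTrailer: info.trailing.length,
    headerOpensJsComment: buf.toString('latin1', 6, 8) === '/*',
    parsesAsJavaScript: parsesAsJavaScript(buf),
  };
  report.looksLikePolyglot = report.bytesAfterTrailer > 0 || report.parsesAsJavaScript;
  return report;
}

const polyglot = buildPolyglot(PLAIN_GIF, 'window.alert("Null Byte");');
console.log('plain   ', scanUpload(PLAIN_GIF));
console.log('polyglot', scanUpload(polyglot));
```

A genuine image reports bytesAfterTrailer 0 and parsesAsJavaScript false; the polyglot fails both, which is the signal to reject the upload or, better, to re-encode it as described above. new Function only compiles the text and never executes it, so the scan itself does not run the payload, and the latin1 decoding is just a byte-preserving view: the structural bytes of the polyglot are ASCII, so a browser decoding the same response as UTF-8 reaches the same code.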


Cover image and screenshots by TAKHION/Null Byte
