Enigma Group's Articles


Tricks and Tips: Bypassing Image Uploaders. - Submitted By: t3hmadhatt3r 2009-05-19 21:04:35
Ok guys. I have found a way to bypass different kinds of image uploaders to upload exploits, shells, whatever. First, this won't bypass all uploaders, but it will get past some (or many... I don't know).

First you need to know what the image uploader will not allow and what it is blocking, whether it be file extension, file dimensions (to check that it is a valid image), or file size. After you know why you can't upload something, your attack becomes much more efficient because you know what's getting blocked. This is the same for many types of attacks and will help you a lot if you understand the defenses. Anyway, on to the good stuff...

Ok, for my first filter evasion tip, our target only checks the file extension. What we can do is use a null byte. A null byte is kind of like a comment (it drops whatever comes after it). A null byte URL-encoded is %00, and another null byte is (this null byte usually works in PHP). We can use this to rename our exploit/shell so that it has a jpg extension but still uploads as PHP, because unsafe uploaders will drop the %00 or . So we rename our shell or exploit to shell.php%00.jpg or shell.php.jpg.

Tip: This will not bypass all filters. Some filters will store it as a jpg and the PHP code will not execute. This can be for various reasons, such as the programming language the uploader is written in, the uploader having been coded not to drop the %00 or for security reasons, or the uploader not allowing %00 or in the uploaded file's name.

Next is the case where the uploader checks the dimensions but not the file type... This is very dangerous, because an attacker can hex edit a valid jpg to include PHP exploit code and rename it to .php. That way the PHP file has valid dimensions and will upload, but the file will execute as PHP. I have done this in my testing lab and usually just open the jpg in a hex editor and make the changes. The problem is it's easy to corrupt the file. But I recently found a cool program called edjpgcom that allows you to add comments to your jpg file, which makes it much easier.

Note: You can download edjpgcom from http://www.chapelhill.homeip.net/horton/copies/edjpgcom/

After you've downloaded it, extract it to your C: drive. Then inside the edjpgcom folder add the image you want to backdoor (it must be a valid image with a jpg extension). Now open a command prompt, type cd c:\edjpgcom, then type edjpgcom.exe yourpicture.jpg. You should get a window. Delete anything inside it and enter your exploit or shell source.

Note: You can only add a certain number of lines, so use a small shell or exploit.

Now type ren (rename) yourimage.jpg yourimage.php, or just rename it in the file explorer. Upload your file and watch the magic! No more "Invalid file dimensions" errors!

I hope you enjoyed reading! Please leave comments and suggestions!
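Seen from the receiving side, the two weaknesses this article relies on are a name check that stops at the first extension or at a null byte, and an image check that reads only the dimensions and leaves the JPEG comment segment untouched. The following Python validator is an added example, not code from the article or from edjpgcom: it rejects any filename that carries a null byte (raw or %00), judges only the final extension against an allowlist, and rewrites the JPEG marker table with every COM and APPn segment dropped, so text that a tool like edjpgcom placed in a comment never reaches disk. The function names, the allowlist and the sample bytes are all constructed for the example.

```python
import os

ALLOWED_EXT = {".jpg", ".jpeg"}
SOI, SOS, COM = 0xD8, 0xDA, 0xFE

def safe_extension(filename):
    """Reject names carrying a null byte (raw or %00); judge only the final extension."""
    if "\x00" in filename or "%00" in filename:
        return None
    ext = os.path.splitext(os.path.basename(filename.replace("\\", "/")))[1].lower()
    return ext if ext in ALLOWED_EXT else None

def strip_jpeg_metadata(data):
    """Re-emit a JPEG with COM (0xFE) and APPn (0xE0-0xEF) segments dropped.
    Returns (cleaned_bytes, dropped_markers); raises ValueError if malformed.
    Assumes no 0xFF fill bytes between segments (true for normal encoder output)."""
    if len(data) < 4 or data[0] != 0xFF or data[1] != SOI:
        raise ValueError("missing JPEG SOI")
    out, dropped, pos = bytearray(data[:2]), [], 2
    while True:
        if pos + 4 > len(data) or data[pos] != 0xFF:
            raise ValueError("truncated or corrupt marker table")
        marker = data[pos + 1]
        if marker == SOS:  # entropy-coded scan follows: copy the rest verbatim
            return bytes(out + data[pos:]), dropped
        length = int.from_bytes(data[pos + 2:pos + 4], "big")
        segment = data[pos:pos + 2 + length]
        if length < 2 or len(segment) < 2 + length:
            raise ValueError("segment length overruns file")
        if marker == COM or 0xE0 <= marker <= 0xEF:
            dropped.append(marker)  # metadata segments are where foreign text rides along
        else:
            out += segment
        pos += 2 + length

def _seg(marker, payload):
    """Build one marker segment for the constructed sample below."""
    return b"\xff" + bytes([marker]) + (len(payload) + 2).to_bytes(2, "big") + payload

# Constructed sample: JFIF header, a COM segment carrying a PHP tag, a quantisation
# table, then a stub scan and EOI. Structurally a JPEG, not a decodable picture.
SAMPLE = (b"\xff\xd8" + _seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
          + _seg(COM, b"<?php echo 'constructed'; ?>")
          + _seg(0xDB, b"\x00" + b"\x10" * 64)
          + b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00\x12\x34\xff\xd9")
```

The name check and the rewrite only cover the two tricks above; the stored file should additionally live in a directory the web server never hands to a script interpreter, so that a renamed file is served as bytes rather than executed.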
