Forum Thread: Hide a PHP Virus in a JPEG Image.

Hide a PHP Virus in a JPEG Image.

Hello everyone! I've just joined WonderHowTo and decided to start my journey by posting this on Null Byte! So, I wanted to do something simple and that is hiding a PHP virus in a JPEG file. Enjoy! ;)

Step 1: What You'll Need

To perform this you simply need a JPEG image, an EXIF tag editor (I used this one here), and little knowledge of PHP.

Step 2: How to Do It

While this can be used in many different file formats, in the example I'm giving here I will describe how to attack the poorly-protected PHP gallery.

To create a virus, open your EXIF editor;

Now open your JPEG image. Then add a new tag by clicking on the plus button in the little green circle. Then, a new window will pop up;

Then select DocumentName as the type from the drop down menu.

Now copy-paste the code below as the tag value (you can also use your own code here);

<style>body{font-size: 0;} h1{font-size: 12px !important;}</style><h1><?php echo "<hr />THIS IMAGE WILL DELETE EVERYTHING ON YOUR COMPUTER!!! Just kidding....<hr />"; phpinfo(); haltcompiler(); ?></h1>

Now click on "Commit change(s)" to save the file.


From now on, your image carries a PHP code which is invisible to most picture viewers. You can quickly test the virus by uploading it to a poorly-written gallery and displaying it in a browser.


That's it! JPEG files cannot only contain PHP, but JavaScript too. It could even be easier to inject malicious JavaScript code into some of the existing galleries because many lack the necessary output sanitization when displaying EXIF data to the user.

Most PHP scripts on the Internet use the binary-safe functions to read the files. The above example shows, however, the importance of validating input data, and that existing security mechanisms (such as the built-in PHP getimagesize() function) can be easily deceived by some appropriately crafted files.

Of course the image created in this article is not a real virus (because it's unable to propagate itself or infect other files), but it may serve as a precursor to such a program. Also, this mechanism can be used as an unusual obfuscator, hiding the PHP code in binary files.

This only works on a PHP-enabled server in case of PHP code injection. Also the Javascript code injection cannot be executed from within a desktop application, unless it is using an embedded webbrowser as a viewer (and that would be a rather strange case). There are, however, other techniques to break a desktop application and the most popular is a buffer overflow attack.

Thank you all for reading! I hope you enjoyed it! And feedback is always welcome!

But now my question are; How can you make the program execute without the victim's knowledge? And if the victim's computer already contains a malicious file, can you make the PHP program (or JavaScript program) execute that file when a certain action is done with the JPEG file?

Thank you by advance!!!

Be the First to Respond

Share Your Thoughts

  • Hot
  • Active