Steal IP Address using Image

Post Image
Starting on the name of My god "Allah" the most beneficent the most merciful

Today i wokeup and saw a post on grabbing the IP using SQL injection. As per my interest i checked what it was, after reading it i came up with an idea to include some htaccess shit with the whole idea and BOOM!!! you ll get a kewl ip grabbing image.

In this tutorial we will learn how to grab ip using an image. The idea is to use .htaccess along with a php file and add .jpg files to php executable using htaccess. Here is the htaccess code which will add jpg as php executable.

AddHandler application/x-httpd-php5 .jpg
Now make a grabber.jpg file with the below code.

$fh = fopen('ip_list.txt', 'a');
fwrite($fh, $_SERVER['REMOTE_ADDR']."\r\n");
$im = imagecreatefromjpeg("n00b.png");
header('Content-Type: image/jpeg');
Now in the end put a image with n00b.png in the same folder and change the permission for grabber.jpg to 755 you are ready with your ip grabber.
POC: IP_List.txt the below image grabbed your ip when you visited this page.

So here we have our IP grabber ready to work. Now the next part is using it with SQLi to grab a person IP. I dont find any logical reason to send an injected link to a person to grab his ip when we can directly send a image. But still just to knowledge here is the link to get a person up using SQLi. It as simple as getting the image loaded into the browser. Now lets do the same using XSS. Here is the link to get the victim ip using XSS.

Now a very interesting usage with this trick. Actually many Forums allow us to inlude images in our post, so we can use this trick to grab the ip addresses of any one who visit that post.

Thanks for reading.

Happy Hacking
Newer post

DIOS the SQL Injectors Weapon (Upgraded)

DIOS the SQL Injectors Weapon (Upgraded)
DIOS (Dump in One Shot) Explained Part 2
Older post

DIOS (Dump in One Shot) Explained Part 2