8ec5a70 Jan 4, 2018


Get your own Craft demo site at (the site automatically expires after 48 hours), or build one locally.

My PoC site:


1. Log in to the site.

2. Go to "Assets -> Upload files".

3. Upload one picture to see how the GD function reshapes the picture. I just downloaded "news-link-1-image.jpg", which is already in the list.

4. Insert `<?php phpinfo();?>` into the picture using "jpg_payload.php":

   ```
   php jpg_payload.php news-link-1-image.jpg
   ```

   The new picture "payload_news-link-1-image.jpg" is then created.

5. Upload "payload_news-link-1-image.jpg". At this point we cannot change the filename with Burp Suite. Then upload "payload_news-link-1-image.jpg" again, and the following warning appears:

   We choose "Replace it".

6. Use Burp to change the filename:

7. Then view the PHP file:
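From the defender's side, the two things this walkthrough relies on are (a) image bytes that carry a PHP open tag surviving the upload path and (b) the client-supplied filename (which Burp can rewrite) deciding the extension on disk. The following is an added example, not code from this PoC or from Craft CMS: a standalone upload validator that checks the extension against an allowlist, checks that the magic bytes match the claimed type, scans the content for PHP open tags, and derives the stored filename from a random token plus the detected type rather than from the client. The allowlist, the magic-byte prefixes, the regex and the sample byte strings are all constructed for this example.

```python
import os
import re
import secrets

# Constructed allowlist for this example: extension -> accepted magic-byte prefixes.
ALLOWED_TYPES = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
CANONICAL = {"jpeg": "jpg"}

# PHP open tags that must never appear anywhere inside an uploaded image
# (full tag, short echo tag, and the legacy <script language="php"> form).
PHP_TAG_RE = re.compile(rb"<\?(?:php\b|=)|<script[^>]*language\s*=\s*['\"]?php", re.IGNORECASE)


def detect_type(data: bytes):
    """Return the canonical extension for the image type the bytes claim, or None."""
    for ext, prefixes in ALLOWED_TYPES.items():
        if any(data.startswith(p) for p in prefixes):
            return CANONICAL.get(ext, ext)
    return None


def inspect_upload(client_filename: str, data: bytes) -> dict:
    """Validate one upload; return a verdict dict with ok / reason / stored_name.

    Run this on the bytes that are actually written to disk, i.e. after any
    server-side re-encoding, not only on the bytes received from the client.
    """
    ext = os.path.splitext(client_filename)[1].lower().lstrip(".")
    if ext not in ALLOWED_TYPES:
        return {"ok": False, "reason": "extension not in allowlist", "stored_name": None}

    detected = detect_type(data)
    if detected is None:
        return {"ok": False, "reason": "content is not a recognised image", "stored_name": None}
    if ALLOWED_TYPES[ext] != ALLOWED_TYPES[detected]:
        return {"ok": False, "reason": "extension does not match content", "stored_name": None}

    m = PHP_TAG_RE.search(data)
    if m:
        return {"ok": False, "reason": f"embedded PHP tag at offset {m.start()}", "stored_name": None}

    # Server-generated name: the client-supplied name never reaches the filesystem,
    # so rewriting it in a proxy cannot change the extension the web server sees.
    stored = f"{secrets.token_hex(16)}.{detected}"
    return {"ok": True, "reason": "accepted", "stored_name": stored}


# Constructed samples: a minimal JPEG-like blob, and the same with a COM segment
# carrying a PHP tag (the shape of payload the walkthrough above uploads).
SAMPLE_CLEAN = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16 + b"\xff\xd9"
SAMPLE_TAINTED = b"\xff\xd8\xff\xfe\x00\x16<?php phpinfo();?>" + b"\x00" * 8 + b"\xff\xd9"

if __name__ == "__main__":
    for name, blob in [
        ("news-link-1-image.jpg", SAMPLE_CLEAN),
        ("payload_news-link-1-image.jpg", SAMPLE_TAINTED),
        ("image.php", SAMPLE_CLEAN),
    ]:
        print(name, inspect_upload(name, blob))
```

The tag scan is deliberately a plain byte search over the whole file rather than a parse of JPEG segments: a PHP interpreter that is handed the file will not care which segment the tag sits in, so neither should the check. The stored-name rule is the part that actually closes step 6 above; the tag scan is defence in depth for the case where an image is served from a location that still executes PHP.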