My php site was hacked by codes uploaded as image..?

情歌与酒 2020-12-25 09:14

Yesterday my site was compromised. The attacker changed the index.php file to their own (with all their glory messages and greet). I've notified the hosting company about thi

4 answers
  •  旧时难觅i
    2020-12-25 09:24

    An image file with arbitrary PHP code can't be exploited with a direct request to it, e.g. http://www.mysite.com/uploads/image.jpg?cmd=somecode.

    Still, it can be used with a Local File Inclusion vulnerability.

    For example, if in index.php you use include('pages/' . $_GET['page'] . '.php');, then an attacker can upload an image with PHP code inside and execute commands with something like this: http://www.mysite.com/index.php?page=../upload/image.jpg?cmd=somecode%00

    UPD: changed file in URL to page
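
The include pattern quoted in the answer above, next to a hardened replacement, as an added example that is not part of the original answer. The `pages` directory layout, the default page name `home` and the helper name `resolve_page` are assumptions made for illustration.

```php
<?php
// Added example, not code from the original answer.
// Vulnerable form quoted in the answer (kept as a comment for comparison):
//   include('pages/' . $_GET['page'] . '.php');

// Assumption: page templates live in ./pages next to this script.
const PAGES_DIR = __DIR__ . '/pages';

/**
 * Map a user-supplied page name to a file inside the pages directory.
 * Returns the canonical path, or null if the name is not acceptable.
 * (Hypothetical helper name.)
 */
function resolve_page(string $name, string $baseDir = PAGES_DIR): ?string
{
    // 1. Strict name format: rejects dots, slashes, NUL bytes and '?'.
    if (!preg_match('/\A[a-z0-9_-]{1,64}\z/', $name)) {
        return null;
    }

    // 2. Canonicalise, then confirm the result is still under the base
    //    directory. realpath() returns false for files that do not exist.
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $name . '.php');
    if ($base === false || $path === false) {
        return null;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// ?page[]=x arrives as an array, so check the type before resolving.
$page = $_GET['page'] ?? 'home'; // 'home' is an assumed default page
$file = is_string($page) ? resolve_page($page) : null;

if ($file === null) {
    http_response_code(404);
    exit('Page not found');
}
include $file;
```

With this in place, a `page` value that points at the upload directory fails the name check before any path is built, so an uploaded image is never passed to `include`.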
