Image Payload Creating and Injecting Tools


Features:

• Bypassing CSP using polyglot JPEGs

• Encoding Web Shells in PNG IDAT chunks

• Hidden malvertising attacks (with Polyglot images)

• XSS payload revisiting (in PNG and IDAT chunks)

• XSS Facebook upload (Wonky and PNG content)

Tools:

bmp.pl, gif.pl, jpg.pl, png.pl

Requirements:

GD, String::CRC32, Image::ExifTool

Install

Clone the repo:

$ git clone https://github.com/chinarulezzz/pixload.git

Note: Debian users need to install the following packages:

$ sudo apt install libgd-perl libimage-exiftool-perl libstring-crc32-perl

Pixload Usage Examples

BMP Payload Creator/Injector

Use bmp.pl to create a BMP polyglot image with a custom or default payload, or to inject a payload into an existing image:

$ ./bmp.pl [-payload 'STRING'] -output payload.bmp

If the output file exists, the payload is injected into it; otherwise a new file is created.

GIF Payload Creator/Injector

$ ./gif.pl [-payload 'STRING'] -output payload.gif

JPG Payload Creator/Injector

There are two ways in which you can achieve this:

1. Comment section injection:

$ ./jpg.pl -place COM -output payload.jpg

2. DQT table injection:

$ ./jpg.pl -place DQT -output payload.jpg
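
For triaging uploaded JPEGs, the two placements above (COM and DQT) can be checked by walking the header segments and inspecting those two segment types. This is an added example, not part of pixload: the token list, the function names and the sample byte strings are constructed assumptions, and the checks are heuristics.

```python
import re
import struct

# Heuristic list of markup/script tokens that should not appear in image header segments.
SUSPICIOUS = re.compile(rb"<script|<\?php|<svg|javascript:|onerror\s*=|eval\(", re.I)
COM, DQT, SOS, EOI = 0xFE, 0xDB, 0xDA, 0xD9

def dqt_well_formed(body):
    """True if body is a run of 65-byte (8-bit) or 129-byte (16-bit) quantization tables."""
    i = 0
    while i < len(body):
        precision, table_id = body[i] >> 4, body[i] & 0x0F
        if precision > 1 or table_id > 3:
            return False
        i += 1 + 64 * (precision + 1)
    return len(body) > 0 and i == len(body)

def scan_jpeg(data):
    """Walk header segments up to SOS/EOI; return a list of (segment, offset, reason)."""
    if data[:2] != b"\xff\xd8":
        return [("SOI", 0, "missing JPEG start-of-image marker")]
    findings, pos = [], 2
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker in (SOS, EOI):
            break  # entropy-coded data or end of image: header segments are done
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        name = {COM: "COM", DQT: "DQT"}.get(marker, "0x%02X" % marker)
        if length < 2 or pos + 2 + length > len(data):
            findings.append((name, pos, "segment length runs past end of file"))
            break
        body = data[pos + 4:pos + 2 + length]
        if marker in (COM, DQT) and SUSPICIOUS.search(body):
            findings.append((name, pos, "script-like text in segment"))
        if marker == DQT and not dqt_well_formed(body):
            findings.append((name, pos, "DQT body is not a valid table layout"))
        pos += 2 + length
    return findings

def _seg(marker, body):
    # Build one length-prefixed JPEG segment for the constructed samples below.
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(body) + 2) + body

# Constructed samples (header skeletons, not real images).
CLEAN = b"\xff\xd8" + _seg(DQT, b"\x00" + bytes(range(1, 65))) + b"\xff\xd9"
COM_SAMPLE = b"\xff\xd8" + _seg(COM, b"<script>/*demo*/</script>") + b"\xff\xd9"
DQT_SAMPLE = b"\xff\xd8" + _seg(DQT, b"\x00<script>x</script>") + b"\xff\xd9"

if __name__ == "__main__":
    for label, sample in (("clean", CLEAN), ("com", COM_SAMPLE), ("dqt", DQT_SAMPLE)):
        print(label, scan_jpeg(sample))
```

A clean result does not prove a file is safe; re-encoding uploads server-side and serving them with the correct image Content-Type and `X-Content-Type-Options: nosniff` remain the primary controls.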

PNG Payload Creator/Injector

$ ./png.pl [-payload 'STRING'] -outp
