Image Payload Creating and Injecting Tools

♨️Image Payload Creating and Injecting Tools


• Bypassing CSP using polyglot JPEGs

• Encoding Web Shells in PNG IDAT chunks

• Hidden malvertising attacks (with Polyglot images)

• XSS payload revisiting (in PNG and IDAT chunks)

• XSS Facebook upload (Wonky and PNG content)





Clone the repo:

$ git clone

Note: Debian users need to install the following packages:

$ sudo apt install libgd-perl libimage-exiftool-perl libstring-crc32-perl

Pixload Usage Examples

BMP Payload Creator/Injector to create BMP Polyglot image with custom/default payload, or inject payload into existing image:

$ ./ [-payload ‘STRING’] -output payload.bmp
If the output file exists, then the payload will be injected into the existing file. Else the new one will be created.

GIF Payload Creator/Injector

$ ./ [-payload ‘STRING’] -output payload.gif

JPG Payload Creator/Injector

There are two ways in which you can achieve this:

1. Comment section injection:

$ ./ -place COM -output payload.jpg

2. DQT table injection:

$ ./ -place DQT -output payload.jpg

PNG Payload Creator/Injector

$ ./ [-payload ‘STRING’] -outp

Leave a Reply

Your email address will not be published. Required fields are marked *