Image Payload Creating and Injecting Tools
Features:
• Bypassing CSP using polyglot JPEGs
• Encoding Web Shells in PNG IDAT chunks
• Hidden malvertising attacks (with Polyglot images)
• XSS payload revisiting (in PNG and IDAT chunks)
• XSS Facebook upload (Wonky and PNG content)
Tools:
bmp.pl, gif.pl, jpg.pl, png.pl
Requirements:
GD, String::CRC32, Image::ExifTool
Install
Clone the repo:
$ git clone https://github.com/chinarulezzz/pixload.git
Note: Debian users need to install the following packages:
$ sudo apt install libgd-perl libimage-exiftool-perl libstring-crc32-perl
Pixload Usage Examples
BMP Payload Creator/Injector
Use bmp.pl to create a BMP polyglot image with a custom or default payload, or to inject a payload into an existing image:
$ ./bmp.pl [-payload 'STRING'] -output payload.bmp
If the output file exists, the payload is injected into the existing file; otherwise a new file is created.
GIF Payload Creator/Injector
$ ./gif.pl [-payload 'STRING'] -output payload.gif
JPG Payload Creator/Injector
There are two ways in which you can achieve this:
1. Comment section injection:
$ ./jpg.pl -place COM -output payload.jpg
2. DQT table injection:
$ ./jpg.pl -place DQT -output payload.jpg
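For upload filters that need to catch either placement, the following is an added example (not part of pixload) that walks a JPEG's segments, flags COM segments containing active-content tokens, and flags DQT segments whose size does not fit the quantization-table layout from the JPEG specification. The token list, function names and sample bytes are assumptions constructed for this example, and the DQT check is a generic structural test rather than a description of how jpg.pl writes its output.

```python
import struct

STANDALONE = {0x01, 0xD8, 0xD9} | set(range(0xD0, 0xD8))  # TEM, SOI, EOI, RST0-7: no length
SUSPICIOUS = (b"<script", b"<?php", b"javascript:", b"onerror=", b"<svg")  # heuristic, assumed

def jpeg_segments(data):
    """Yield (marker, payload) for each length-prefixed segment up to SOS."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF or marker in STANDALONE:
            pos += 1 if marker == 0xFF else 2  # 0xFF is a fill byte
            continue
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if length < 2 or pos + 2 + length > len(data):
            raise ValueError("segment length out of bounds")
        yield marker, data[pos + 4:pos + 2 + length]
        if marker == 0xDA:  # SOS: entropy-coded data follows
            return
        pos += 2 + length

def dqt_is_well_formed(payload):
    """DQT = one or more tables: 1 byte Pq/Tq + 64 (8-bit) or 128 (16-bit) bytes."""
    pos = 0
    while pos < len(payload):
        precision, table_id = payload[pos] >> 4, payload[pos] & 0x0F
        if precision > 1 or table_id > 3:
            return False
        pos += 1 + 64 * (precision + 1)
    return 0 < pos == len(payload)

def audit_jpeg(data):
    findings = []
    for marker, payload in jpeg_segments(data):
        if marker == 0xFE and any(t in payload.lower() for t in SUSPICIOUS):
            findings.append(("COM", "comment contains active-content tokens"))
        elif marker == 0xDB and not dqt_is_well_formed(payload):
            findings.append(("DQT", f"{len(payload)} bytes do not fit the table layout"))
    return findings

def _seg(marker, payload):  # builds the constructed samples below
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

MARKUP = b"<script>/* constructed */</script>"
CLEAN = b"\xff\xd8" + _seg(0xDB, b"\x00" + bytes([16] * 64)) + _seg(0xFE, b"made with GIMP") + b"\xff\xd9"
TAMPERED = b"\xff\xd8" + _seg(0xFE, MARKUP) + _seg(0xDB, b"\x00" + MARKUP) + b"\xff\xd9"
```

A file that passes both checks is not proven clean; re-encoding uploaded images and serving them with a fixed image Content-Type and `X-Content-Type-Options: nosniff` remains the stronger control.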
PNG Payload Creator/Injector
$ ./png.pl [-payload 'STRING'] -outp