Purpose #2
Comments
I think the second. I do not think that this is a good tool for steganography, because it has no payload extracting function, encrypting, hash collision tricks, etc, etc. Dunno, I’m not good at {crypto,stegano}graphy. It will be useful for bypassing server-side filters and exploiting (web-shells, js, etc). I suppose. But my supposing is limited by imagination.
This tool embeds JavaScript into a syntactically valid image file. You typically use this for cross-site scripting attacks where the victim site allows user-generated (uploaded) content and serves it from the same origin as the site page.
No, the program has no input argument for an image file; it just binds code with an auto-generated blank image.
afaik, pixload can inject the payload into existing images.
yep. especially stubborn people might do something like this:

$ pixload-jpg -S COM -P "$(base64 < /bin/echo)" Image.jpg
$ exiftool -s -s -s -COMMENT Image.jpg | base64 -d -i - > echo_bin
$ md5sum /bin/echo echo_bin
ef0dd386ba4adad3e1ebdd61c62ebfe2 /bin/echo
ef0dd386ba4adad3e1ebdd61c62ebfe2 echo_bin

Of course, injecting into the comments section is lame. It's better to inject a payload into the DQT table, and write an extractor for this. Anyway, pixload is not a steganographic tool, "I suppose" :)
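An added example, not part of the thread or of pixload: a Python routine an upload handler could use to find and drop the JPEG COM segment that the commands above write to. The function names are hypothetical and the sample bytes are a constructed, non-decodable JPEG skeleton.

```python
COM, SOS = 0xFE, 0xDA
# Markers that carry no length field: TEM, SOI, EOI, RST0-RST7.
NO_LENGTH = {0x01, 0xD8, 0xD9} | set(range(0xD0, 0xD8))

def walk_segments(data):
    """Yield (marker, start, end) for each segment up to and including SOS."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("missing SOI marker, not a JPEG")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:              # fill byte before a marker
            pos += 1
        elif marker in NO_LENGTH:
            yield marker, pos, pos + 2
            pos += 2
        else:
            # Big-endian length that counts its own two bytes.
            length = int.from_bytes(data[pos + 2:pos + 4], "big")
            end = pos + 2 + length
            if length < 2 or end > len(data):
                raise ValueError(f"bad segment length at offset {pos}")
            yield marker, pos, end
            if marker == SOS:
                return                  # entropy-coded data follows; stop parsing
            pos = end

def strip_comments(data):
    """Return (jpeg_without_COM, list_of_COM_payloads)."""
    out, comments = bytearray(b"\xff\xd8"), []
    for marker, start, end in walk_segments(data):
        if marker == COM:
            comments.append(data[start + 4:end])   # keep for logging/inspection
        elif marker == SOS:
            out += data[start:]         # scan header, entropy data, EOI
        else:
            out += data[start:end]
    return bytes(out), comments

def seg(marker, payload):               # helper for the constructed sample only
    return bytes([0xFF, marker]) + (len(payload) + 2).to_bytes(2, "big") + payload

# Constructed JPEG skeleton (not decodable): SOI, APP0, COM, DQT, SOS, EOI.
SAMPLE = (b"\xff\xd8" + seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
          + seg(COM, b"constructed-sample-payload")
          + seg(0xDB, b"\x00" + bytes(range(1, 65)))
          + seg(SOS, b"\x01\x01\x00\x00\x3f\x00") + b"\x12\x34\xff\xd9")
```

As the comment above points out, other segments such as DQT can carry data too, so this covers only the COM case shown in the thread.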
My brain can't understand this. HTML won't execute code hidden in the image. Can someone please tell me what is the purpose? If it's for CSRF, then how does it work on the server side?
It can be used server side for LFI or client side for XSS.
@ecki Can you please give an example of how that works server side or even client side? The server gets a stream of data; I can't understand how it would randomly execute commands within that stream or how it would execute client side.
Is this tool meant for steganographic purposes, or does rendering the image trigger the payload?