
Purpose

Open javabeanz opened this issue 5 years ago • 8 comments

Is this tool meant for steganographic purposes, or does rendering the image trigger the payload?

javabeanz (Sep 16 '19 09:09)

> Is this tool meant for steganographic purposes, or does rendering the image trigger the payload?

I think the second.

I do not think that this is a good tool for steganography, because, it has no payload extracting function, encrypting, hash collision tricks, etc, etc. Dunno, I’m not good at {crypto,stegano}graphy.

It will be useful for bypassing server-side filters and exploiting (web-shells, js, etc). I suppose. But my supposing is limited by imagination.

sighook (Sep 16 '19 13:09)

This tool embeds JavaScript into a syntactically valid image file. You typically use this for cross-site scripting attacks where the victim site allows user-generated (uploaded) content and serves it from the same origin as the site page.

ecki (Sep 17 '19 07:09)

@ecki Yes. And not only.

Please, refer to #4 (reference list) to better understand the possible use cases.

sighook (Sep 17 '19 12:09)

No, the program has no input argument for an image file; it just binds code with an auto-generated blank image, and it is not steganography. It is just an application of referenced articles like #4; it is just good for trying to abuse upload services from Burp...

dewebdes (Dec 17 '21 16:12)

@dewebdes

> No, the program has no input argument for an image file; it just binds code with an auto-generated blank image

afaik, pixload can inject the payload into existing images.

> it is not steganography

yep. especially stubborn people might do something like this:

```console
$ pixload-jpg -S COM -P "$(base64 < /bin/echo)" Image.jpg
$ exiftool -s -s -s -COMMENT Image.jpg | base64 -d -i - > echo_bin
$ md5sum /bin/echo echo_bin
ef0dd386ba4adad3e1ebdd61c62ebfe2  /bin/echo
ef0dd386ba4adad3e1ebdd61c62ebfe2  echo_bin
```

Of course, injecting into the comments section is lame. It's better to inject a payload into DQT table, and write an extractor for this.

Anyway, pixload is not a steganographic tool, "I suppose" :)

sighook (Dec 25 '21 00:12)
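From the defender's side, the COM-segment injection shown in the exchange above is easy to spot in an upload filter, because a JPEG's metadata segments are length-prefixed and can be walked without decoding the image. The following is an added example, not part of pixload or of this thread: it walks the JPEG segment table up to Start-Of-Scan and flags COM/APPn segments that carry script markers or an unusually long run of printable text (the encoded-payload case). The sample JPEG is constructed inline and is not a real photo.

```python
import struct

SUSPICIOUS = (b"<script", b"<?php", b"<svg", b"javascript:", b"eval(")

def build_sample_jpeg(comment: bytes) -> bytes:
    """Constructed minimal JPEG: SOI, one COM segment, one DQT, then SOS and EOI."""
    soi = b"\xff\xd8"
    com = b"\xff\xfe" + struct.pack(">H", len(comment) + 2) + comment
    dqt = b"\xff\xdb" + struct.pack(">H", 67) + b"\x00" + b"\x01" * 64
    sos = b"\xff\xda" + struct.pack(">H", 2)  # walker stops here
    return soi + com + dqt + sos + b"\x00" * 8 + b"\xff\xd9"

def jpeg_segments(data: bytes):
    """Yield (marker, payload) for each length-prefixed segment before SOS."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xD8 or 0xD0 <= marker <= 0xD7:  # standalone markers, no length
            pos += 2
            continue
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]  # includes itself
        yield marker, data[pos + 4:pos + 2 + length]
        if marker == 0xDA:  # SOS: entropy-coded data follows, stop walking
            return
        pos += 2 + length

def find_payload_segments(data: bytes):
    """Return (marker, reason) for COM (FFFE) or APPn (FFE0-FFEF) segments that
    look like code rather than metadata."""
    hits = []
    for marker, payload in jpeg_segments(data):
        if marker != 0xFE and not 0xE0 <= marker <= 0xEF:
            continue
        low = payload.lower()
        needle = next((n for n in SUSPICIOUS if n in low), None)
        if needle is not None:
            hits.append((f"FF{marker:02X}", f"contains {needle.decode()}"))
            continue
        printable = sum(32 <= b < 127 for b in payload)
        if len(payload) >= 256 and printable / len(payload) > 0.95:
            hits.append((f"FF{marker:02X}", "long printable run (possible encoded payload)"))
    return hits

if __name__ == "__main__":
    print(find_payload_segments(build_sample_jpeg(b"<script>alert(1)</script>")))
```

The same walk is where a DQT-based hiding scheme, as mentioned above, would have to be checked instead: the table bytes are in the FFDB segment the walker already yields.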

My brain can't understand this. HTML won't execute code hidden in the image. Can someone please tell me what the purpose is? If it's for CSRF, then how does it work on the server side?

elvisgraho (Jun 20 '23 16:06)

> My brain can't understand this. HTML won't execute code hidden in the image. Can someone please tell me what the purpose is? If it's for CSRF, then how does it work on the server side?

It can be used server side for LFI or client side for XSS.

ecki (Jun 20 '23 17:06)

> My brain can't understand this. HTML won't execute code hidden in the image. Can someone please tell me what the purpose is? If it's for CSRF, then how does it work on the server side?

> It can be used server side for LFI or client side for XSS.

@ecki Can you please give an example of how that works server side or even client side? The server gets a stream of data; I can't understand how it would randomly execute commands within that stream, or how it would execute client side.

elvisgraho (Jun 20 '23 18:06)