sighook / pixload

Image Payload Creating/Injecting tools
Do What The F*ck You Want To Public License
1.2k stars 238 forks

How to use it with the BM/** case? #11

Closed digilevi2006 closed 1 year ago

digilevi2006 commented 4 years ago

Hi @chinarulezzz

Thank you for this code. But is it possible to execute the payload just by clicking the photo? Without adding .html at the end if possible...

Not sure if I understood this use case, but is it automatic that the server will just eliminate the image data and use the script?

https://devcondetect.com/blog/2019/2/24/hacking-group-using-polyglot-images-to-hide-malvertsing-attacks

`<img src="polyglot.jpg"/>` will show the user an image and ignore the JavaScript

`<script src="polyglot.jpg"></script>` will execute valid JavaScript and ignore the image data.

And can I insert both lines into the HTML source?

Thanks.

sighook commented 1 year ago

Irrelevant to pixload, sorry.
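
As an added example (not part of this thread or of the pixload project), here is an upload-side check for the BMP/JavaScript polyglot pattern the question refers to. It assumes the "BM/**" in the issue title means a BMP whose size field starts with the bytes `/*`; `inspect_bmp` and both sample files are constructed for illustration.

```python
import struct

# BITMAPFILEHEADER: bfType, bfSize, bfReserved1, bfReserved2, bfOffBits (14 bytes)
FILE_HEADER = struct.Struct("<2sIHHI")


def inspect_bmp(data: bytes) -> list[str]:
    """Return findings for an uploaded BMP; an empty list means nothing was flagged."""
    if len(data) < FILE_HEADER.size:
        return ["truncated: shorter than a BMP file header"]
    magic, declared_size, _r1, _r2, pixel_offset = FILE_HEADER.unpack_from(data)
    if magic != b"BM":
        return ["not a BMP: missing 'BM' magic"]

    findings = []
    # Assumed polyglot marker: the first size bytes double as a JS comment opener,
    # so a script parser would skip the image data that follows "BM".
    if data[2:4] in (b"/*", b"//"):
        findings.append("size field starts with a JavaScript comment opener")
        if b"*/" in data[4:]:
            findings.append("comment closer '*/' found later in the file")
    # An honest encoder writes the real file length into bfSize.
    if declared_size != len(data):
        findings.append(f"declared size {declared_size} != actual size {len(data)}")
    if not FILE_HEADER.size <= pixel_offset <= len(data):
        findings.append("pixel data offset points outside the file")
    return findings


def make_clean_bmp() -> bytes:
    """Constructed sample: a valid 1x1, 24-bit BMP (58 bytes)."""
    pixels = b"\xff\xff\xff\x00"  # one white pixel, row padded to 4 bytes
    info = struct.pack("<IiiHHIIiiII", 40, 1, 1, 1, 24, 0, len(pixels), 2835, 2835, 0, 0)
    size = FILE_HEADER.size + len(info) + len(pixels)
    return FILE_HEADER.pack(b"BM", size, 0, 0, FILE_HEADER.size + len(info)) + info + pixels


CLEAN_BMP = make_clean_bmp()
# Constructed sample: size field overwritten with "/*" and an inert closer appended.
TAMPERED_BMP = CLEAN_BMP[:2] + b"/*\x00\x00" + CLEAN_BMP[6:] + b"*/"

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_BMP), ("tampered", TAMPERED_BMP)):
        print(name, inspect_bmp(blob) or "no findings")
```

A comment opener on its own is a weak signal, since a genuine file can have a length whose low bytes happen to match; the size mismatch is what makes the combination worth rejecting.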