sighook / pixload

Image Payload Creating/Injecting tools
Do What The F*ck You Want To Public License
1.19k stars 237 forks

Purpose #2

Open javabeanz opened 5 years ago

javabeanz commented 5 years ago

Is this tool meant for steganographic purposes, or does rendering the image trigger the payload?

sighook commented 4 years ago

> Is this tool meant for steganographic purposes, or does rendering the image trigger the payload?

I think the second.

I do not think that this is a good tool for steganography, because it has no payload extracting function, encrypting, hash collision tricks, etc, etc. Dunno, I’m not good at {crypto,stegano}graphy.

It will be useful for bypassing server-side filters and exploiting (web-shells, js, etc). I suppose. But my supposing is limited by imagination.

ecki commented 4 years ago

This Tool embeds JavaScript into a syntactically valid image file. You typically use this for cross site scripting attacks where the victim site allows user generated (uploaded) content and serves it from the same origin as the site page.

sighook commented 4 years ago

@ecki Yes. And not only.

Please, refer to #4 (reference list) to better understand the possible use cases.

dewebdes commented 2 years ago

No, the program has no input argument for an image file; it just binds code to an auto-generated blank image. It is not steganography; it is just an application of the referenced articles like #4. It is just good for trying to abuse upload services from Burp ...

sighook commented 2 years ago

@dewebdes

> No, the program has no input argument for an image file; it just binds code to an auto-generated blank image.

AFAIK, pixload can inject the payload into existing images.

> It is not steganography.

Yep. Especially stubborn people might do something like this:

```console
$ pixload-jpg -S COM -P "$(base64 < /bin/echo)" Image.jpg
$ exiftool -s -s -s -COMMENT Image.jpg | base64 -d -i - > echo_bin
$ md5sum /bin/echo echo_bin
ef0dd386ba4adad3e1ebdd61c62ebfe2  /bin/echo
ef0dd386ba4adad3e1ebdd61c62ebfe2  echo_bin
```

Of course, injecting into the comments section is lame. It's better to inject a payload into DQT table, and write an extractor for this.

Anyway, pixload is not a steganographic tool, "I suppose" :)
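The exchange above shows why an upload filter that only checks magic bytes or that the file "opens as an image" is not enough: the COM segment (and the APPn segments) are opaque to decoders and can carry arbitrary bytes. The following is an added defensive example, not code from pixload or from anyone in this thread. It walks a JPEG's marker segments, flags metadata segments whose payload contains text an interpreter might act on (the signature list is a constructed, deliberately small set), and shows the usual mitigation of dropping those segments at upload time. The sample JPEG it builds is a constructed structural skeleton, parseable but not a decodable picture.

```python
"""Added example (not part of pixload or this thread): inspect and sanitise
JPEG metadata segments at upload time. Marker values are from ITU T.81."""
import struct

SOI, EOI, SOS, COM = 0xD8, 0xD9, 0xDA, 0xFE
STANDALONE = {0x01, SOI, EOI} | set(range(0xD0, 0xD8))  # markers without a length field

# Constructed signature list for this example; a real filter would be broader.
SUSPICIOUS = [b"<script", b"<?php", b"javascript:", b"<svg", b"<html"]


def marker_name(m):
    if m == COM:
        return "COM"
    if 0xE0 <= m <= 0xEF:
        return "APP%d" % (m - 0xE0)
    return "0x%02X" % m


def jpeg_segments(data):
    """Return [(marker, payload)] up to and including SOS; the entropy-coded
    scan that follows SOS is appended as a ("SCAN", bytes) entry, then EOI."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    segs = [(SOI, b"")]
    pos = 2
    while pos < len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected marker at offset %d" % pos)
        while pos < len(data) and data[pos] == 0xFF:  # skip 0xFF fill bytes
            pos += 1
        m = data[pos]
        pos += 1
        if m in STANDALONE:
            segs.append((m, b""))
            if m == EOI:
                break
            continue
        (length,) = struct.unpack(">H", data[pos:pos + 2])  # includes the 2 length bytes
        payload = data[pos + 2:pos + length]
        pos += length
        segs.append((m, payload))
        if m == SOS:  # everything up to the final EOI is entropy-coded scan data
            end = data.rfind(b"\xff\xd9")
            segs.append(("SCAN", data[pos:end]))
            segs.append((EOI, b""))
            break
    return segs


def find_suspicious_segments(data):
    """Flag COM and APP1..APP15 segments whose payload contains a signature."""
    hits = []
    for m, payload in jpeg_segments(data):
        if m == COM or (isinstance(m, int) and 0xE1 <= m <= 0xEF):
            low = payload.lower()
            for sig in SUSPICIOUS:
                if sig in low:
                    hits.append((marker_name(m), sig))
                    break
    return hits


def strip_metadata(data):
    """Rebuild the file without COM and APP1..APP15 segments (APP0/JFIF kept)."""
    out = bytearray(b"\xff\xd8")
    for m, payload in jpeg_segments(data)[1:]:
        if m == "SCAN":
            out += payload
        elif m in STANDALONE:
            out += bytes([0xFF, m])
        elif m == COM or 0xE1 <= m <= 0xEF:
            continue  # drop the segment entirely
        else:
            out += bytes([0xFF, m]) + struct.pack(">H", len(payload) + 2) + payload
    return bytes(out)


def build_sample_jpeg(comment):
    """Constructed JPEG skeleton: SOI, JFIF APP0, a COM segment carrying
    `comment`, a dummy DQT, SOS, a few fake scan bytes, EOI."""
    def seg(m, payload):
        return bytes([0xFF, m]) + struct.pack(">H", len(payload) + 2) + payload
    app0 = seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    dqt = seg(0xDB, b"\x00" + bytes(64))
    sos = seg(SOS, b"\x01\x01\x00\x00\x3f\x00")
    return b"\xff\xd8" + app0 + seg(COM, comment) + dqt + sos + b"\x12\x34\x56" + b"\xff\xd9"


if __name__ == "__main__":
    sample = build_sample_jpeg(b"<script>alert(1)</script>")
    print("flagged:", find_suspicious_segments(sample))
    print("after strip:", [marker_name(m) for m, _ in jpeg_segments(strip_metadata(sample)) if isinstance(m, int)])
```

Flagging is useful for detection and logging, but signature matching alone is bypassable; the robust control is the second function (or a full re-encode through an image library), combined with serving user uploads from a separate origin with a fixed `Content-Type` and `X-Content-Type-Options: nosniff`, so that even a file that survives intact is never interpreted as HTML or script.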

elvisgraho commented 1 year ago

My brain can't understand this. HTML won't execute code hidden in the image. Can someone please tell me what the purpose is? If it's for CSRF, then how does it work on the server side?

ecki commented 1 year ago

> My brain can't understand this. HTML won't execute code hidden in the image. Can someone please tell me what the purpose is? If it's for CSRF, then how does it work on the server side?

It can be used server side for LFI or client side for XSS.

elvisgraho commented 1 year ago

> > My brain can't understand this. HTML won't execute code hidden in the image. Can someone please tell me what the purpose is? If it's for CSRF, then how does it work on the server side?
>
> It can be used server side for LFI or client side for XSS.

@ecki Can you please give an example of how that works server side or even client side? The server gets a stream of data; I can't understand how it would randomly execute commands within that stream, or how it would execute client side.