PNG-IDAT-Payload-Generator: Generate a PNG with a payload embedded in the IDAT chunk

by do son · Published July 19, 2018 · Updated October 10, 2021

PNG-IDAT-Payload-Generator

Generate a PNG with a payload embedded in the IDAT chunk (Based off of previous concepts and code — credit given below) Additionally, bruteforce payloads matching a regex pattern

##Based Off of Previous Concepts and Research

Adam Logue — https://www.adamlogue.com/revisiting-xss-payloads-in-png-idat-chunks
IDontPlayDarts — https://www.idontplaydarts.com/2012/06/encoding-web-shells-in-png-idat-chunks
fin1te — https://whitton.io/articles/xss-on-facebook-via-png-content-types
Vavkamil — https://github.com/vavkamil/PNG-IDAT-chunks

To bruteforce pattern matches, modify “payloadPatternBruter.py” to meet your needs and run it.

##Concept

Generate PNG payload
Bruteforce hex string that Gzdeflates into target payload
The engineer discovered Gzdeflate string to bypass PNG filters
Generate PNG file with payload embedded in an IDAT chunk
Upload PNG payload to vulnerable target web application
Take control of web application response content-type (example: .png.html)

Download

git clone https://github.com/huntergregal/PNG-IDAT-Payload-Generator.git

Use

usage: generate.py [-h] -m {xss,php} [-r REMOTEDOMAIN] -o OUTPUTIMAGE



Tool to generate PNG-IDAT Payloads.



optional arguments:

  -h, --help            show this help message and exit

  -m {xss,php}, --method {xss,php}

                        Choose payload method, -h to view available methods

  -r REMOTEDOMAIN, --remote-domain REMOTEDOMAIN

                        Remote domain to retrieve payload from (shorter the

                        better: ex. xx.xxx)

  -o OUTPUTIMAGE, --output-file OUTPUTIMAGE

                        Output payload to PNG file

Source: https://github.com/huntergregal/

PNG-IDAT-Payload-Generator: Generate a PNG with a payload embedded in the IDAT chunk

Search

Brilliantly

Content & Links