Home

Awesome

PNG-IDAT-Payload-Generator

Generate a PNG with a payload embedded in the IDAT chunk (Based off of previous concepts and code -- credit given below) Additionally, bruteforce payloads matching a regex pattern

This is a Python3, PEP8-compatible, fully-working version of huntergregal's initial project. Rewritten and fixed by https://github.com/TheZ3ro @TheZ3Pro

Update: Added prepopulated payload tables, improved bruteforce speeds, added xqi.cc payload to table

Based Off of Previous Concepts and Research

Usage

usage: generate.py [-h] [-q] -m {xss,php} [-r REMOTE_DOMAIN] -o OUTPUT_IMAGE [-u UPDATE] [-p PAYLOAD] [-t THREADS]

Tool to generate PNG-IDAT Payloads.

options:
  -h, --help            show this help message and exit
  -q, --quiet           Optional: quiet mode
  -m {xss,php}, --method {xss,php}
                        Choose payload method, -h to view available methods
  -r REMOTE_DOMAIN, --remote-domain REMOTE_DOMAIN
                        Remote domain to retrieve payload from (shorter the better: ex. xx.xxx. use xqi.cc for generic XSS)
  -o OUTPUT_IMAGE, --output-file OUTPUT_IMAGE
                        Output payload to PNG file
  -u UPDATE, --update UPDATE
                        Update the payload tables
  -p PAYLOAD, --payload PAYLOAD
                        Use the provided payload - no bruteforce
  -t THREADS, --threads THREADS
                        Number of threads to use for bruteforce

Generic XSS Payload

<img src="https://user-images.githubusercontent.com/6970250/215236480-a05b524a-27b1-4fc7-8ce7-191cd3795747.png" width="250" height="250">

s/o idontplaywithdarts for the domain tip

Concept

  1. Generate PNG payload
  2. Bruteforce hex string that Gzdeflates into target payload
  3. Engineer discovered Gzdeflate string to bypass PNG filters
  4. Generate PNG file with payload embeded in IDAT chunk
  5. Upload PNG payload to vulnerable target web application
  6. Take control of web application response content-type (example: .png.html)

To Do