PNG Payload Injector is a command-line tool that allows you to embed custom payloads into PNG files and generate corresponding HTML proofs of concept (PoCs). This tool is designed for security testing, educational purposes, and demonstrating certain types of vulnerabilities.
This was a tool that I wrote in PHP back in 2016 after reading a research paper from Adam Logue's blog: Revisiting XSS payloads in PNG IDAT chunks.
This tool is for educational and testing purposes only. Do not use it for malicious purposes or against systems you don't own or have explicit permission to test.
- Embed custom payloads (e.g., JavaScript, HTML) into PNG files
- Generate HTML PoCs with the embedded payload
- Customizable PNG dimensions
- Verbose mode for detailed operation logging
- Rust programming language
- Cargo (usually comes with Rust)
You can download precompiled binaries for your operating system from the Releases section on GitHub. Simply download the binary for your platform, extract it, and run the png_payload_injector executable.
- Clone the repository:
    git clone https://github.com/acuciureanu/png-payload-injector.git
    cd png-payload-injector
- Build the project:
    cargo build --release
- The compiled binary will be available in target/release/png_payload_injector
Basic syntax:
png_payload_injector -l <PAYLOAD> [OPTIONS]
- -l, --payload <PAYLOAD>: The payload to embed in the PNG (required)
- -w, --width <WIDTH>: Width of the PNG image in pixels [default: 66]
- -e, --height <HEIGHT>: Height of the PNG image in pixels [default: 60]
- -o, --output-png <OUTPUT_PNG>: Output PNG filename [default: "output.png"]
- -p, --output-html <OUTPUT_HTML>: Output HTML PoC filename [default: "poc.html"]
- -v, --verbose: Use verbose output
- -h, --help: Print help information
- Embed a simple alert:
    png_payload_injector -l "<script>alert('Hello!')</script>"
- Create a custom-sized PNG with verbose output:
    png_payload_injector -l "<script>console.log('Test')</script>" -w 100 -e 100 -v
- Specify custom output files:
    png_payload_injector -l "<img src=x onerror=alert('XSS')>" -o custom.png -p custom.html
The generated PNG file will appear as a normal image file, but when processed incorrectly by a vulnerable application, it may execute the embedded payload. The HTML PoC demonstrates how the payload could be triggered in a web context.
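A defender-side check for the behaviour described above, as an added example that is not part of this project's code: an upload filter can walk the PNG chunk list and flag any chunk whose raw bytes contain markup. It assumes the payload is readable in the file's raw chunk bytes; the marker list, `scan_png`, `sample_png` and the sample bytes are all constructed for illustration.

```rust
// Added example (not the project's code): flag PNG chunks whose raw bytes contain markup.
const PNG_SIG: [u8; 8] = [0x89, b'P', b'N', b'G', 0x0D, 0x0A, 0x1A, 0x0A];
// Assumed marker list for illustration; extend it for your own upload filter.
const MARKERS: [&str; 4] = ["<script", "<img", "<svg", "onerror="];

#[derive(Debug, PartialEq)]
pub struct Finding { pub chunk: String, pub offset: usize, pub marker: &'static str }

/// Walk the chunk list (4-byte length, 4-byte type, data, 4-byte CRC) and
/// report every chunk whose data contains a marker, case-insensitively.
pub fn scan_png(bytes: &[u8]) -> Result<Vec<Finding>, String> {
    if !bytes.starts_with(&PNG_SIG) { return Err("bad PNG signature".into()); }
    let (mut findings, mut pos) = (Vec::new(), 8usize);
    while pos < bytes.len() {
        let head = bytes.get(pos..pos + 8).ok_or("truncated chunk header")?;
        let len = u32::from_be_bytes([head[0], head[1], head[2], head[3]]) as usize;
        let kind = String::from_utf8_lossy(&head[4..8]).into_owned();
        // Data and the trailing CRC must both lie inside the file.
        let end = (pos + 8).checked_add(len).ok_or("chunk length overflow")?;
        let data = bytes.get(pos + 8..end).ok_or("truncated chunk data")?;
        bytes.get(end..end + 4).ok_or("truncated chunk CRC")?;
        let lower = data.to_ascii_lowercase();
        for &marker in MARKERS.iter() {
            if let Some(i) = lower.windows(marker.len()).position(|w| w == marker.as_bytes()) {
                findings.push(Finding { chunk: kind.clone(), offset: pos + 8 + i, marker });
            }
        }
        if kind == "IEND" { break; }
        pos = end + 4;
    }
    Ok(findings)
}

/// Append one chunk; the CRC is zeroed because scan_png does not verify it.
fn push_chunk(out: &mut Vec<u8>, kind: &[u8; 4], data: &[u8]) {
    out.extend_from_slice(&(data.len() as u32).to_be_bytes());
    out.extend_from_slice(kind);
    out.extend_from_slice(data);
    out.extend_from_slice(&[0u8; 4]);
}
/// Constructed sample file; `idat` is stand-in bytes, not a real zlib stream.
pub fn sample_png(idat: &[u8]) -> Vec<u8> {
    let mut out = PNG_SIG.to_vec();
    push_chunk(&mut out, b"IHDR", &[0u8; 13]);
    push_chunk(&mut out, b"IDAT", idat);
    push_chunk(&mut out, b"IEND", &[]);
    out
}
fn main() {
    println!("{:?}", scan_png(&sample_png(b"x\x9c<ScRiPt>1</sCrIpT>")));
}
```

A hit is a reason to reject or re-encode the upload rather than proof of intent, since compressed data can match a short marker by chance. Re-encoding images server-side and serving them with the correct image content type removes the condition the paragraph above describes.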
If you discover vulnerabilities using this tool, please practice responsible disclosure:
- Do not exploit the vulnerability or download unauthorized data.
- Notify the owner or maintainer of the affected system immediately.
- Provide sufficient information for the vulnerability to be reproduced and verified.
- Allow reasonable time for the vulnerability to be patched before public disclosure.
Contributions to improve PNG Payload Injector are welcome. Please feel free to submit pull requests or create issues for bugs and feature requests.
This project is licensed under the MIT License - see the LICENSE file for details.
If you have any questions or concerns, please open an issue in this repository.
Remember to use this tool responsibly and ethically!