Pixload: Image Payload Creating and Injecting Tools

Last Release: 07/29/2020    

Pixload: Image Payload Creating and Injecting Tools


Pixload is an advanced set of tools that allows you to hide payloads within image files by either creating or injecting the intended payload into the desired image.

Pixload: Image Payload Creating & Injecting Tools

This set of tools has the ability to give you an access to some sophisticated hacking functions. Through it, you can create Polyglot files that can be used to sidestep the standard CSP security procedures by injecting the necessary attack scripts into a given image file. Polyglot files can be very effective when exploiting browsers such as Firefox, IE11, Edge, and Safari.

One of the advantages of this type of exploit is that it can allow you to deploy attack files in the form of JavaScript or image files. The payloads which have been deployed can also be easily extracted without applying any external script during an attack. With Pixload you can also be able to exploit server-side misconfigurations by scripting malicious codes into the available system files.Through GD file manipulation PHP shells can be restructured in the form of PNG and IDAT chunks.


  • Bypassing CSP using polyglot JPEGs
  • Encoding Web Shells in PNG IDAT chunks
  • Hidden malvertising attacks (with Polyglot images)
  • XSS payload revisiting (in PNG and IDAT chunks)
  • XSS Facebook upload (Wonky and PNG content)


  • bmp.pl, gif.pl, jpg.pl, png.pl


  • GD
  • String::CRC32
  • Image::ExifTool


Clone the repo:

$ git clone https://github.com/chinarulezzz/pixload.git
Note: Debian users need to install the following packages:
$ sudo apt install libgd-perl libimage-exiftool-perl libstring-crc32-perl

Pixload Usage Examples

BMP Payload Creator/Injector

Usebmp.pl to create BMP Polyglot image with custom/default payload, or inject payload into existing image:

$ ./bmp.pl [-payload 'STRING'] -output payload.bmp 

If the output file exists, then the payload will be injected into the existing file.  Else the new one will be created. 

GIF Payload Creator/Injector

$ ./gif.pl [-payload 'STRING'] -output payload.gif

JPG Payload Creator/Injector

There are two ways in which you can achieve this:

1. Comment section injection:

$ ./jpg.pl -place COM -output payload.jpg

2. DQT table injection:

$ ./jpg.pl -place DQT -output payload.jpg

PNG Payload Creator/Injector

$ ./png.pl [-payload 'STRING'] -output payload.png
Download Box