Exif 隐写术
Exif Smuggling (2025)

原始链接: https://github.com/signalblur/exifsmugglingpoc

这是缓存走私(Cache Smuggling)的一种概念验证演变。该攻击将可执行载荷隐藏在 JPG 的 Exif 数据中。因此,图像缓存(如网页浏览器缓存)可被用于被动下载该载荷。这样一来,示例加载器(chrome_poc.ps1)无需发起任何互联网请求即可获取第二阶段载荷,而是直接从 Chrome 浏览器的缓存中提取。详细信息请参阅:https://malwaretech.com/2025/10/exif-smuggling 将 PowerShell 加载器转换为 ClickFix 命令: python3 build_clickfix_cmd.py --input-file chrome_poc.ps1 --output-file encoded_command.txt --fake-path "C:\test\doc.txt" 将载荷 DLL 嵌入任意 JPG 文件中: python3 exif_smuggling.py --input-file image.jpg --output-file payload.jpg --payload hello_world.dll www/index.html

相关文章

原文

A Proof-of-Concept evolution of Cache Smuggling. This attack conceals an executable payload inside a JPG's Exif data. As a result, image caching (such as that of a Web Browser) can be used to passively download the payload.

As a result, the example loader (chrome_poc.ps1) does not need to make any internet requests to fetch the second stage payload. Instead, it simply extracts it from the Chrome browser's cache.

For full details see: https://malwaretech.com/2025/10/exif-smuggling

Convert PowerShell Loader to ClickFix Command

python3 build_clickfix_cmd.py --input-file chrome_poc.ps1 --output-file encoded_command.txt --fake-path "C:\test\doc.txt"

Embed payload dll inside arbitrary JPG

python3 exif_smuggling.py --input-file image.jpg --output-file payload.jpg --payload hello_world.dll

www/index.html

联系我们 contact @ memedata.com