exiftool / exiftool

ExifTool meta information reader/writer

Home Page: https://exiftool.org/

Syntax Error Trying To Designate file

AshtonFM opened this issue · comments

C:\Users\ashto\Downloads\exiftool-12.39>exiftool -Comment="alert('$message');";} function_alert("Test"); ?>" 2.png
The system cannot find the file specified.

I am trying to make the image run a command through the Firefox console for a test and I am getting this error because I can't explicitly designate a file to an argument due to the Windows shell.

The problem appears to be that you are trying to embed double quotes without escaping them. Normally, you can escape a double quote by using a backslash \" or three double quotes """ but for some reason that double quote between the two semicolons is messing things up.

I'd suggest using the -E (-escapeHTML) option and replace the double quotes with &quot;

Example:

C:\>exiftool -Comment="alert('$message');&quot;;} function_alert(&quot;Test&quot;); >;" -E  Y:\!temp\HashTest\Test.png 
    1 image files updated

C:\>exiftool -G1 -a -s -comment Y:\!temp\HashTest\Test.png
[PNG]           Comment                         : alert('$message');";} function_alert("Test"); >;
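
Why the first command line breaks in the Windows shell and the -E form does not, as an added example that is not part of the thread or of exiftool. It assumes a simplified model of cmd.exe parsing (each `"` toggles quoted state, `^` outside quotes escapes the next character), and `scan_cmdline` is a hypothetical helper name.

```python
# Simplified model of cmd.exe quote handling (an assumption of this example):
# every " toggles the quoted state, ^ outside quotes escapes the next
# character, and & | < > act as shell operators only outside quotes.
METACHARS = set("&|<>")


def scan_cmdline(cmdline):
    """Return (hits, open_quote): unquoted operators and dangling-quote flag."""
    hits = []
    in_quotes = False
    i = 0
    while i < len(cmdline):
        ch = cmdline[i]
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == "^" and not in_quotes:
            i += 1  # the caret consumes the following character
        elif ch in METACHARS and not in_quotes:
            hits.append((i, ch))
        i += 1
    return hits, in_quotes


# The command line from the opening post: the inner double quotes close and
# reopen the quoted string, so the > after ? ends up outside any quotes.
ORIGINAL = r'''exiftool -Comment="alert('$message');";} function_alert("Test"); ?>" 2.png'''

# The -E form from the reply, with each inner double quote written as the
# HTML entity &quot; so only the two outer quotes reach the shell.
ESCAPED = r'''exiftool -Comment="alert('$message');&quot;;} function_alert(&quot;Test&quot;); >;" -E  Y:\!temp\HashTest\Test.png'''


def report(cmdline):
    """Print what the shell would treat as an operator in this command line."""
    hits, open_quote = scan_cmdline(cmdline)
    print(cmdline)
    for pos, ch in hits:
        print(" " * pos + "^ unquoted " + repr(ch) + " is parsed by the shell")
    if open_quote:
        print("  the line ends inside an unterminated double quote")
    if not hits and not open_quote:
        print("  every operator character is inside balanced quotes")


if __name__ == "__main__":
    report(ORIGINAL)
    report(ESCAPED)
```
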

That fixed it but I still can't figure out a way to make it execute

That's beyond the scope of exiftool. You'll have to check a forum more related to what you're trying to do. I know this situation pops up on reddit from time to time, but I can't remember what the subreddit is. You might try /r/HowToHack/ /r/HackingSimplified/ or /r/netsec/

Ah alright thanks