Syntax Error Trying To Designate file
AshtonFM opened this issue
C:\Users\ashto\Downloads\exiftool-12.39>exiftool -Comment="alert('$message');";} function_alert("Test"); ?>" 2.png
The system cannot find the file specified.
I am trying to make the image run a command through Firefox console for a test and I am getting this error because I can't explicitly designate a file to an argument due to Windows shell.
The problem appears to be that you are trying to embed double quotes without escaping them. Normally, you can escape a double quote by using a backslash \" or three double quotes """ but for some reason that double quote between the two semicolons is messing things up.
I'd suggest using the -E (-escapeHTML) option and replace the double quotes with &quot;
Example:
C:\>exiftool -Comment="alert('$message');";} function_alert("Test"); >;" -E Y:\!temp\HashTest\Test.png
1 image files updated
C:\>exiftool -G1 -a -s -comment Y:\!temp\HashTest\Test.png
[PNG] Comment : alert('$message');";} function_alert("Test"); >;
That fixed it but I still can't figure out a way to make it execute
That's beyond the scope of exiftool. You'll have to check a forum more related to what you're trying to do. I know this situation pops up on reddit from time to time, but I can't remember what the subreddit is. You might try /r/HowToHack/ /r/HackingSimplified/ or /r/netsec/
Ah alright thanks