Malicious Metadata Generator & EXIF Forensics Tool
For authorized penetration testing and red team operations only.
ExifBlade is a command-line tool for metadata forensics and EXIF injection testing. It has two main purposes:
- Red Team / Offensive: Generate files with weaponized metadata (XSS, SQLi, SSTI, XXE, LFI, RFI payloads) to test if web applications improperly process file metadata.
- Blue Team / Forensics: Extract and deep-scan metadata from files to detect hidden or suspicious embedded content.
| Format | Extract | Inject | Wipe | Generate |
|---|---|---|---|---|
| JPG/JPEG | β | β | β | β |
| PNG | β | β | β | β |
| β | β | β | β | |
| DOCX | β | β | β | β |
| MP3 | β | β | β | β |
```bash
git clone https://github.com/incrediblehacker/exifblade
cd exifblade
pip install -r requirements.txt
```

Extract all hidden metadata from any file:

```bash
# Standard scan
python exifblade.py extract -f photo.jpg
# Deep scan (detects JS, macros, external links, suspicious patterns)
python exifblade.py extract -f document.pdf --deep
# Save output to file
python exifblade.py extract -f photo.jpg --out results.txt
# JSON output
python exifblade.py extract -f photo.jpg --json
```

What it detects:
- GPS coordinates (real-world location)
- Author, device, software information
- Hidden timestamps and creation dates
- Embedded XSS / SQLi / SSTI / XXE patterns (auto-flagged)
- Embedded JavaScript in PDFs
- Macros and VBA content in DOCX files
- External link references in Office documents
Inject attack payloads into image metadata fields:

```bash
# Inject XSS payload
python exifblade.py inject -f photo.jpg --xss
# Inject SQLi payload
python exifblade.py inject -f photo.jpg --sqli
# Inject SSTI payload
python exifblade.py inject -f photo.jpg --ssti
# Inject XXE payload
python exifblade.py inject -f photo.jpg --xxe
# Custom payload into specific field
python exifblade.py inject -f photo.jpg --payload "<script>alert(1)</script>" --field Comment
# Spoof metadata (author, software, GPS, date)
python exifblade.py inject -f photo.jpg --author "John Smith" --software "iPhone 14" --gps --lat 51.5074 --lon -0.1278 --date "2020:06:15 09:30:00"
# Combine multiple payloads + spoofing
python exifblade.py inject -f photo.jpg --xss --sqli --gps --author "admin" -o evil_output.jpg
```

Available EXIF fields for injection:
Comment, Artist, Copyright, Software, Make, Model, Description
Strip all metadata from a file (anonymization):

```bash
python exifblade.py wipe -f photo.jpg
python exifblade.py wipe -f photo.jpg -o clean_photo.jpg
python exifblade.py wipe -f document.docx -o clean_doc.docx
```

Create test files with pre-embedded payloads:

```bash
# Generate JPG with all payload types
python exifblade.py generate --type jpg --payload all --out evil.jpg
# Generate PDF with XSS payloads
python exifblade.py generate --type pdf --payload xss --out evil.pdf
# Generate DOCX with SQLi payloads
python exifblade.py generate --type docx --payload sqli --out evil.docx
# Generate MP3 with SSTI payloads
python exifblade.py generate --type mp3 --payload ssti --out evil.mp3
# Custom payload
python exifblade.py generate --type jpg --custom "{{7*7}}" --out ssti_test.jpg
```

Available payload types: xss, xxe, sqli, ssti, cmd, lfi, rfi, all
Many web apps display EXIF data (author name, camera model) without sanitization.

```bash
# Generate weaponized image
python exifblade.py generate --type jpg --payload xss --out test_upload.jpg
# Upload to target, check if XSS fires when app displays metadata
```

```bash
# Deep scan to find hidden info, GPS, suspicious strings
python exifblade.py extract -f suspicious.jpg --deep --json --out report.json
```

```bash
# Spoof timestamps and GPS on image (authorized forensics lab testing only)
python exifblade.py inject -f evidence.jpg --date "2019:03:21 14:22:00" --gps --lat 40.7128 --lon -74.0060
```

```bash
python exifblade.py generate --type pdf --payload all --out test.pdf
python exifblade.py extract -f test.pdf --deep
```

ExifBlade's --deep flag auto-flags these patterns in metadata:
| Category | Patterns Detected |
|---|---|
| XSS | <script>, onerror=, javascript:, svg onload |
| SQLi | OR '1'='1, UNION SELECT, DROP TABLE |
| SSTI | {{, }}, ${, <%= %> |
| XXE | <!ENTITY, SYSTEM, file:/// |
| LFI | ../, ..\\, /etc/passwd |
| CMD | `\|whoami`, `;id;`, `` `id` `` |
| Post-Ex | powershell, base64, exec( |
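
A defender-side sketch of two points made above: flagging the table's patterns in extracted metadata fields, and displaying EXIF values as text rather than markup. This is an added example, not ExifBlade's own code; the function names, the matching rules and the sample values are assumptions made for illustration.

```python
import html

# Substrings from the pattern table above. Lower-case needles are matched
# case-insensitively; the upper-case needle (SYSTEM) is matched exactly so
# ordinary words such as "system" do not trip it. (Assumed matching rules.)
PATTERNS = {
    "XSS": ["<script>", "onerror=", "javascript:", "svg onload"],
    "SQLi": ["or '1'='1", "union select", "drop table"],
    "SSTI": ["{{", "}}", "${", "<%="],
    "XXE": ["<!entity", "SYSTEM", "file:///"],
    "LFI": ["../", "..\\", "/etc/passwd"],
    "CMD": ["|whoami", ";id;", "`id`"],
    "Post-Ex": ["powershell", "base64", "exec("],
}


def flag_value(value):
    """Return the categories whose patterns occur in one metadata value."""
    folded = " ".join(value.lower().split())  # fold case, collapse whitespace
    return [cat for cat, needles in PATTERNS.items()
            if any(n in (value if n.isupper() else folded) for n in needles)]


def scan_metadata(fields):
    """Map each suspicious field name to the categories it triggered."""
    hits = {name: flag_value(str(val)) for name, val in fields.items()}
    return {name: cats for name, cats in hits.items() if cats}


def render_row(name, value):
    """Emit one HTML table row with the metadata treated strictly as text."""
    # Escaping covers the HTML display context only; metadata must also never
    # be concatenated into SQL, templates, XML parsers or shell commands.
    return "<tr><th>{}</th><td>{}</td></tr>".format(
        html.escape(str(name)), html.escape(str(value)))


# Constructed sample: field names and values reuse strings shown on this page.
SAMPLE = {
    "Artist": "John Smith",
    "Software": "iPhone 14",
    "Comment": "<script>alert(1)</script>",
    "Description": "{{7*7}}",
}

if __name__ == "__main__":
    for field, cats in scan_metadata(SAMPLE).items():
        print(f"flagged {field}: {', '.join(cats)}")
    for field, value in SAMPLE.items():
        print(render_row(field, value))
```

Pattern flags are a triage signal; the escaping in `render_row` is what keeps an unflagged value from being interpreted as markup.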
```
exifblade/
├── exifblade/          # Main package
│   ├── core/           # Modular logic (extractor, injector, etc.)
│   ├── cli.py          # Click-based CLI entry point
│   ├── engine.py       # Central orchestrator
│   ├── formatters.py   # Rich terminal output styling
│   ├── menu.py         # Interactive TUI menu
│   └── models.py       # Data models (dataclasses)
├── install.sh          # Global installation script
├── main.py             # Root entry point
├── pyproject.toml      # Modern packaging & dependencies
└── README.md
```
ExifBlade is developed for authorized penetration testing, CTF challenges, and security research only.
Unauthorized use against systems you do not own or have explicit permission to test is illegal.
The author is not responsible for any misuse of this tool.
0xfaizan - github.com/incrediblehacker
Ethical Hacking | Red Team | AI Security
MIT License - see LICENSE