File Upload Attacks - Limited File Uploads

Hello!

I’m currently working on the limited file upload section of the File Upload Attacks module and I’m able to get the XSS working but I can’t seem to do anything other than make the alert pop. I’ve tried a few different JS commands to read a file but nothing seems to work. I’ve attempted to use the XXE portion of the section and I can’t get anything to even upload, let alone leverage it. Any help would be greatly appreciated!

XXE doesn’t always have to ‘pop’. Sometimes it gets spit back in the source code!
-onthesauce

1 Like

Thanks for the reply! I was actually able to leverage the XXE only after I switched networks. Have you ever heard of a home router filtering requests? I ran into the same issue when I was doing the SQL injections module and I had to use the hotspot on my phone in order to send the SQL payloads.

Hello, I’m looking for some information because I have a strange problem.

When I perform the attack on the Pwnbox it’s a success, and when I perform the same thing from my own computer the request does not reach the server at all.

This is the case with an XXE payload.

Moreover, when I perform it with an XSS payload (alert function) from my computer, the request reaches the server but it takes a very long time.

I don’t understand why the router would intercept and analyze the content, since it goes through a VPN connection.

I hugely overcomplicated this one, likely due to my misunderstanding of the vulnerability.

I was not aware that the uploaded svg XXE payload displays in the source on the main upload page.

Try uploading the XXE payloads provided and viewing the source of the same upload page on refresh if you’re having any trouble.

1 Like

Hey, I have a problem with the first task.

When I’m trying to use the following payload for reading the flag, the server crashes all the time:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE svg [ <!ENTITY xxe SYSTEM "file:///etc/flag.txt"> ]>
<svg>&xxe;</svg>

Does somebody have the same problem or have another idea to get to the flag?

Hi, I have just finished, and a piece of advice for anyone struggling:

I needed to restart the target many times. I always work on the Pwnbox and I had a working script that I was sending, but for some reason I needed to restart it multiple times for it to work. I restarted it 7 times, I think, before the same payload worked.

The flag is not in the /etc directory; it is in the root directory /. You cannot read the flag because there is no flag.txt in the /etc/ directory. You need to fix the path.
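For the defending side of this exercise, here is an added example (not part of any post in this thread, and not code from the module) of a server-side gate that refuses SVG uploads like the one quoted above before they reach an entity-expanding parser or get echoed into a page. The function name `svg_reject_reason` and the two non-thread samples are constructed for illustration; it assumes the upload arrives as raw bytes.

```python
import xml.parsers.expat

class _Reject(Exception):
    """Internal signal: stop parsing, the upload is refused."""

def svg_reject_reason(data: bytes):
    """Return None if the SVG passes the checks, else a short reason string."""
    parser = xml.parsers.expat.ParserCreate()
    seen_root = False

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Entities (including SYSTEM "file://..." ones) can only be declared
        # inside a DTD, so refusing every DOCTYPE removes the XXE surface.
        raise _Reject("DOCTYPE declaration is not allowed")

    def on_start(name, attrs):
        nonlocal seen_root
        local = name.rsplit(":", 1)[-1].lower()
        if not seen_root:
            seen_root = True
            if local != "svg":
                raise _Reject("root element is not <svg>")
        if local == "script":
            raise _Reject("script element is not allowed")
        for attr in attrs:
            if attr.lower().startswith("on"):
                raise _Reject(f"event-handler attribute {attr!r} is not allowed")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    try:
        parser.Parse(data, True)
    except _Reject as exc:
        return str(exc)
    except xml.parsers.expat.ExpatError as exc:
        return f"not well-formed XML: {exc}"
    return None

# The payload quoted in the thread, followed by two constructed samples.
THREAD_PAYLOAD = b'''<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE svg [ <!ENTITY xxe SYSTEM "file:///etc/flag.txt"> ]>
<svg>&xxe;</svg>'''
CLEAN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><rect width="4" height="4"/></svg>'
SCRIPT_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>'

if __name__ == "__main__":
    for label, blob in [("thread", THREAD_PAYLOAD), ("clean", CLEAN_SVG), ("script", SCRIPT_SVG)]:
        print(label, "->", svg_reject_reason(blob) or "accepted")
```

This is a pre-parse gate, not a full SVG sanitizer; whatever parser later processes or renders the file should also have DTD and external-entity loading disabled.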