First of all, have you been able to disclose the upload.php source code?
To be honest, this was the tricky part, and I retried it before replying today and it did not work as smoothly as I expected… I had to repeat the upload POST request step by step…
Then, once you get your hands on the upload.php code, you see that this snails.phar.png file should actually work… I personally used a JPEG file, but PNG should still work as well according to the filters in place in the upload.php code.
After lots of trial and error, it turns out it’s because you have to really pay attention to the so-called “magic bytes”…
It is not only about the letters PNG… I tried using an image of a snail, uploaded it, and put the PHP webshell payload after some of the first bytes of the real snail PNG image… and it did work!
Actually, some other people already hinted at this… In fact, it is the most popular post of this thread!
I hadn’t seen those posts before tackling this problem myself… I had to understand it on my own, but it’s OK, I learned a lot!
According to your copy-paste, you did not leave the correct magic bytes (some of which are “invisible characters”, which makes it impossible to even copy-paste as is from your Burp Suite Repeater request window… let alone copy-paste into a post here!)
Lessons learned, and a note to my future self: even after solving the challenge, I went back, had to check my notes, and saw that reproducing the steps is not that easy… but I gained some extra experience on that particular point!
So, thank you for asking @Slenderhack !
It took me 1 day to complete the assessment, which was a bit frustrating. I thought it was a bug: when I looked, the browser still returned the same result repeatedly. At that time I only used Burp Suite, and then it worked perfectly. My conclusion is: never just trust your browser to do pentesting, especially Chrome, Firefox, etc. Browsers must update to protect their users; utilize Burp Suite, ZAP, etc.
You have to first read the .php source code using the SVG; then, once you have the directory, you can use tools such as github.com/artemixer/filepwner to upload the shell.
Hi, I saw you succeeded. Can I ask you for a hint, please? I can upload an SVG file, but every time the response contains the b64 of what I sent, not the PHP file I need to move forward. Where am I going wrong, so that the XXE is not triggered?
I finally found the flag! First of all, I’d like to give you just some clues, not the actual answer.
Firstly, you have to take a break for 1 day. I was stuck and, because of that, I was hurrying and being careless.
Then, look up the “Limited File Uploads” section again and try those payloads. Then you can find the source code of the .php file. According to that file, you can reach the uploads folder after that. This is the easiest section: you can find the flag by using the filename that you uploaded ..., and then you can run commands.
I am also stuck here, for 2 days now; my SVG gives me back the base64 of the payload I sent. How did you solve this? I crafted my SVG exactly as shown in the module, replacing “index.php” with “contact/upload.php”, but the SVG element is not being populated with the source code.
This took me hours to do and this is how I completed it:
You can find that there is an upload.php file when looking at script.js and at the POST request sent when uploading an image while providing feedback in contact.
You can view the code of upload.php in base64 by using the XML SVG vulnerability. When you decode the contents, you can see where and how your images are saved. The filename of the file you upload is also changed, as you can see in the source code of upload.php.
Then upload the PHP payload that you used for the previous tasks, with the same double extension. Then visit the file path of your uploaded file and you’ll find the flag after some commands.
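As an added, defender-side example (not code from anyone in this thread or from the module), here is what separates the signature-only "magic bytes" check people describe above from a full structural check: a file that merely starts with the PNG signature passes the first and fails the second, and a real PNG with bytes inserted or appended fails the second because the chunk CRCs or the IEND-last rule break. The function names and the constructed sample files are my own.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def magic_bytes_only(data: bytes) -> bool:
    """The weak check: accepts anything that begins with the PNG signature."""
    return data.startswith(PNG_SIGNATURE)


def is_well_formed_png(data: bytes) -> bool:
    """Strict check: walk every chunk, verify each CRC, require IHDR first,
    and require IEND to be the final bytes of the file (no trailing data)."""
    if not data.startswith(PNG_SIGNATURE):
        return False
    pos = len(PNG_SIGNATURE)
    first = True
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        if first and ctype != b"IHDR":
            return False
        first = False
        body_start = pos + 8
        body_end = body_start + length
        if body_end + 4 > len(data):
            return False  # chunk claims more bytes than the file holds
        expected_crc = struct.unpack(">I", data[body_end:body_end + 4])[0]
        if zlib.crc32(ctype + data[body_start:body_end]) != expected_crc:
            return False  # chunk was altered or is not a chunk at all
        pos = body_end + 4
        if ctype == b"IEND":
            return pos == len(data)  # anything after IEND is rejected
    return False  # ran out of data without seeing IEND


def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Build one PNG chunk: length, type, body, CRC over type+body."""
    crc = zlib.crc32(ctype + body)
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


# Constructed sample: a minimal valid 1x1 8-bit grayscale PNG.
_IHDR = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
_IDAT = zlib.compress(b"\x00\x00")  # filter byte 0 followed by one pixel
REAL_PNG = PNG_SIGNATURE + _chunk(b"IHDR", _IHDR) + _chunk(b"IDAT", _IDAT) + _chunk(b"IEND", b"")

# Constructed sample: the PNG signature followed by non-image bytes.
SIGNATURE_THEN_JUNK = PNG_SIGNATURE + b"trailing non-image bytes"
```

Appending bytes after IEND, or splicing them into an existing chunk, both fail `is_well_formed_png` while still passing `magic_bytes_only`.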