Actually, some other people did already hint about this… Actually, it is the most popular post of this thread!
I haven’t seen those posts before tackling this problem myself… I had to understand it on my own, but it’s OK, I learned a lot!
According to your copy-paste, you did not leave the correct magic bytes (some of which are “invisible characters”, which makes it impossible to even copy-paste them as is from your Burp Suite Repeater’s request window… so much less copy-paste them in a post here!).
Lessons learned, and a note to my future self: even after solving the challenge, I went back and had to check my notes, and saw that reproducing the steps is not that easy… but I gained some extra experience on that particular point!
So, thank you for asking @Slenderhack !
It took me 1 day to complete the assessment, which was a bit frustrating. I thought it was a bug: when I looked, the browser still returned the same result repeatedly. At that time I only used Burp Suite, then it worked perfectly. My conclusion is: never just trust your browser to do pentesting, especially Chrome, Firefox etc.; browsers must update to protect their users. Utilize Burp Suite, ZAP, etc.
You have to first read the .php source code using the SVG, then once you have the directory you can use tools such as github.com/artemixer/filepwner to upload the shell.
Hi, I saw you succeeded. Can I ask you for a hint please? I can upload an SVG file, but every time in the response I receive the b64 back containing what I sent, not the PHP file to move forward. Where am I going wrong, that the XXE is not triggered?
I finally found the flag! First of all, I’d like to give you just some clues, not the actual answer.
Firstly, you have to take a break for 1 day. I was stuck and, because of that, I was hurrying up and being careless.
Then, look up the “Limited File Uploads” section again and try those payloads. Then you can find the source code of the .php. According to the file, you can reach the uploads folder after that. This is the easiest section - you can find the flag by using the filename that you uploaded ... , and then you can run commands.
I have also been stuck here for 2 days now; my SVG gives me back the base64 of the payload I sent. How did you solve this? I crafted my SVG exactly as shown in the module, replacing “index.php” with “contact/upload.php”, but the SVG element is not being populated with the source code.
This took me hours to do and this is how I completed it:
You can find that there is an upload.php file when looking at script.js, and in the POST request when uploading an image while providing feedback in Contact.
You can view the code of upload.php in base64 by using the XML SVG vulnerability. When you decode the contents, you can see where and how your images are saved. The filename of the file you upload is also changed, as you can see in the source code of upload.php.
Then upload the PHP payload that you have used for the previous tasks, with the same double extension. Then visit the file path of your uploaded file and you’ll find the flag after some commands.
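The two weaknesses the walkthrough above leans on are an XML parser that resolves external entities in uploaded SVGs and an extension check that only looks at the last part of the filename. As an added example (not code from the lab or from anyone in this thread), here is what an upload handler has to do to close both paths; `$_FILES['uploadFile']`, the `$uploadDir` path and the allowlist are assumptions for illustration.

```php
<?php
// Added example (not the lab's upload.php): a hardened handler for the
// SVG XXE and double-extension issues discussed in the thread.
declare(strict_types=1);

// Assumed allowlist: extension => MIME type the bytes must actually have.
const ALLOWED_EXT = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
                     'png' => 'image/png',  'gif'  => 'image/gif', 'svg' => 'image/svg+xml'];

function safeExtension(string $name): ?string {
    // Split on every dot: "shell.pht.jpg" gives ['shell', 'pht', 'jpg'].
    $parts = array_map('strtolower', explode('.', basename($name)));
    array_shift($parts);                    // drop the stem
    if (count($parts) !== 1) return null;   // no extension or a double extension: reject
    return isset(ALLOWED_EXT[$parts[0]]) ? $parts[0] : null;
}

function svgIsSafe(string $xml): bool {
    // No LIBXML_NOENT / LIBXML_DTDLOAD, so entities are never substituted or
    // fetched; additionally refuse any document that carries a DOCTYPE at all.
    $prev = libxml_use_internal_errors(true);
    $dom  = new DOMDocument();
    $ok   = $dom->loadXML($xml, LIBXML_NONET);
    libxml_use_internal_errors($prev);
    if ($ok === false || $dom->doctype !== null) return false;
    return $dom->documentElement !== null && $dom->documentElement->localName === 'svg';
}

function handleUpload(array $file, string $uploadDir): string {
    if ($file['error'] !== UPLOAD_ERR_OK) throw new RuntimeException('upload failed');
    $ext = safeExtension($file['name']);
    if ($ext === null) throw new RuntimeException('extension not allowed');
    if ($ext === 'svg') {
        if (!svgIsSafe(file_get_contents($file['tmp_name']))) throw new RuntimeException('rejected SVG');
    } else {
        // The bytes must be a real image of the declared type, not just carry magic bytes.
        $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
        if ($mime !== ALLOWED_EXT[$ext] || getimagesize($file['tmp_name']) === false) {
            throw new RuntimeException('content does not match extension');
        }
    }
    // Server-chosen random name: the client's filename never reaches the disk,
    // and $uploadDir is assumed to sit outside the web root.
    $dest = rtrim($uploadDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $dest)) throw new RuntimeException('store failed');
    return $dest;
}

// Usage (assumed form field name): $saved = handleUpload($_FILES['uploadFile'], '/var/app/uploads');
```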
Hi, I'm able to discover the scripts and upload my shell, but how do I execute the commands? I put it like this:
94.237.60.159:56429/contact/user_feedback_submissions/250208_cobra.pht.jpg?cmd=id