File Upload Attacks - Skills Assessment

Hello everyone!
I have two doubts regarding this skills assessment!

1st
By uploading an image/svg+xml file I was able to get both the source code of upload.php and to read /etc/passwd, but when I try to get flag.txt in the root “/” folder it seems that the file does not exist.

Content-Disposition: form-data; name="uploadFile"; filename="flag.svg"
Content-Type: image/svg+xml

<?xml version="1.0"?>
<!DOCTYPE svg [  
<!ENTITY xxe SYSTEM "file:///etc/passwd"> 
<!ENTITY flag SYSTEM "file:///">  
]>
<svg>
&xxe;
&flag;
</svg>

This POST request to upload.php successfully “reads” /etc/passwd. If I add flag.txt in the 2nd entity I get a “500 internal server error” response.

I would love to get a hint :heart_eyes:

2nd
When I send this POST request to upload.php

I get this response:

Reading the source of upload.php I cannot find this error (“Image type not recognized”). Where is this coming from?

Thanks everyone :smile:
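
From the defending side, the SVG upload in the post above only reads files because the server-side XML parser accepts a DOCTYPE with entity declarations. The following is an added example (not code from this thread or from the lab's upload.php) of an upload check that rejects such documents before any further processing; the function name `check_svg_upload` and the sample documents are constructed for illustration.

```python
from xml.parsers import expat

class UnsafeSvg(ValueError):
    """Raised when an uploaded SVG uses a construct the policy forbids."""

def check_svg_upload(data: bytes) -> str:
    """Return 'ok' or a rejection reason for an uploaded SVG document."""
    # A space separator makes expat report names as "<namespace-uri> <local>".
    parser = expat.ParserCreate(namespace_separator=" ")
    root = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # No DTD at all: this removes internal and external entities in one step.
        raise UnsafeSvg("DOCTYPE declaration")

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        raise UnsafeSvg("entity declaration")

    def on_external_ref(context, base, sysid, pubid):
        raise UnsafeSvg("external entity reference")

    def on_start(name, attrs):
        # Only the first element matters: it must be <svg>, namespaced or not.
        if not root:
            root.append(name.rsplit(" ", 1)[-1])
            if root[0] != "svg":
                raise UnsafeSvg("root element is not <svg>")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.ExternalEntityRefHandler = on_external_ref
    parser.StartElementHandler = on_start
    try:
        parser.Parse(data, True)
    except UnsafeSvg as exc:
        return f"rejected: {exc}"
    except expat.ExpatError as exc:
        return f"rejected: malformed XML ({exc})"
    return "ok"

# Constructed samples: one modelled on the upload in the post, one harmless image.
XXE_SVG = (b'<?xml version="1.0"?>\n<!DOCTYPE svg [\n'
           b'<!ENTITY xxe SYSTEM "file:///etc/passwd">\n]>\n<svg>&xxe;</svg>')
CLEAN_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" width="8" height="8">'
             b'<rect width="8" height="8"/></svg>')

if __name__ == "__main__":
    for label, doc in (("xxe", XXE_SVG), ("clean", CLEAN_SVG)):
        print(label, "->", check_svg_upload(doc))
```

A check like this belongs next to, not instead of, configuring the server's own XML parser so that it does not load DTDs or substitute entities.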

The file is not called flag.txt :wink: You have to find out the filename.

No idea where this error message comes from, but there is a PHP file included in the file upload.php. Maybe from there?
Maybe the error message also comes from the client side?

But all the information you need is in the upload.php file. Have a look at the upload path and see how the file is renamed during the upload.

1 Like

Thanks!
I already saw how the file is renamed but I was so sure that the flag file name was flag.txt that I didn’t even try to upload a shell.

Regarding the error, I was using ZAP so I think it’s coming from the imported file in upload.php

Thanks again!
:pray:

Hey, how did you solve it? I’m stuck on the same step. If you can, please give me a little bit more of a hint? But no spoilers, I want to get it on my own if possible.