File Upload Attacks - Skills Assessment

Hello everyone!
I have two doubts regarding this skills assessment!

By uploading an image/svg+xml file I was able to get both the source code of upload.php and to read /etc/passwd, but when I try to get flag.txt in the root “/” folder it seems that the file does not exist.

Content-Disposition: form-data; name="uploadFile"; filename="flag.svg"
Content-Type: image/svg+xml

<?xml version="1.0"?>
<!DOCTYPE svg [  
<!ENTITY xxe SYSTEM "file:///etc/passwd"> 
<!ENTITY flag SYSTEM "file:///">  

This POST request to upload.php successfully “reads” /etc/passwd. If I add flag.txt in the 2nd entity I get a “500 internal server error” response.

I would love to get a hint :heart_eyes:

When I send this POST request to upload.php

I get this response:

Reading the source of upload.php I cannot find this error (“Image type not recognized”). Where is this coming from?

Thanks everyone :smile:

The file is not called flag.txt :wink: You have to find out the filename.

No idea where this error message comes from, but there is a PHP file included in the file upload.php. Maybe from there?
Maybe the error message also comes from the client side?

But all the information you need is in the upload.php file. Have a look at the upload path and see how the file is renamed during the upload.


I already saw how the file is renamed but I was so sure that the flag file name was flag.txt that I didn’t even try to upload a shell.

Regarding the error, I was using Zap so I think it’s coming from the imported file in upload.php

Thanks again!

Hey, how did you solve it? I’m stuck on the same step. If you can, please give me a little bit more of a hint? But no spoilers, I want to get it on my own if possible.

In regard to:

“Image type not recognized” 200 OK response

I don’t believe image/svg is a valid content type. The following website has some content types with associated MIME:

No matter what extension(s) or content-type I try, I can’t seem to get past “Only images are allowed.” Someone today told me they successfully uploaded the file using shell.phar.jpeg, but it won’t work for me. What am I missing?
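For contrast, here is an added example written for this thread (it is not the assessment's upload.php, whose source is not reproduced here) of an upload handler that would reject each of the things discussed above: an SVG carrying external entities, a double extension such as shell.phar.jpeg, and a predictable stored filename. The field name uploadFile is taken from the request shown earlier; the uploads directory is an assumption.

```php
<?php
// Added example, not the assessment's code. Assumes field "uploadFile"
// and an ./uploads directory (ideally served without PHP execution).
declare(strict_types=1);

const UPLOAD_DIR = __DIR__ . '/uploads';
// Allow-list: last extension => MIME type the bytes must actually have.
// SVG is deliberately absent: it is XML, so a parser would resolve the
// external entities (file:///etc/passwd) shown in the first post.
const ALLOWED = [
    'jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
    'png' => 'image/png',  'gif'  => 'image/gif',
];

function validate_upload(array $file): string {
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed');
    }
    // Only the LAST extension counts: "shell.phar.jpeg" -> "jpeg".
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        throw new RuntimeException('Only images are allowed');
    }
    // Ignore the client-supplied Content-Type header; sniff the bytes.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== ALLOWED[$ext]) {
        throw new RuntimeException('Image type not recognized');
    }
    // It must also parse as a real raster image, not just carry magic bytes.
    if (@getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('Image type not recognized');
    }
    return $ext;
}

function store_upload(array $file): string {
    $ext = validate_upload($file);
    // Random, server-chosen name: the original name (and any extra
    // extension) is discarded and the stored path cannot be predicted.
    $name = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = UPLOAD_DIR . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store file');
    }
    chmod($dest, 0644); // never executable
    return $name;
}

try {
    echo 'Stored as ' . store_upload($_FILES['uploadFile'] ?? []);
} catch (RuntimeException $e) {
    http_response_code(400);
    echo $e->getMessage();
}
```

The two error strings match the ones quoted in this thread only so the checks are easy to map back to the discussion; the order (extension, sniffed MIME, image parse, rename) is what makes the bypasses mentioned here fail.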