File Upload Attacks - Skills Assessment

Hello everyone!
I have two doubts regarding this skills assessment!

1st
By uploading an image/svg+xml file I was able to get both the source code of upload.php and to read /etc/passwd, but when I try to get flag.txt in the root “/” folder it seems that the file does not exist.

Content-Disposition: form-data; name="uploadFile"; filename="flag.svg"
Content-Type: image/svg+xml

<?xml version="1.0"?>
<!DOCTYPE svg [  
<!ENTITY xxe SYSTEM "file:///etc/passwd"> 
<!ENTITY flag SYSTEM "file:///">  
]>
<svg>
&xxe;
&flag;
</svg>

This POST request to upload.php successfully “reads” /etc/passwd. If I add flag.txt in the 2nd entity I get a “500 internal server error” response.

I would love to get a hint :heart_eyes:

2nd
When I send this POST request to upload.php

I get this response:

Reading the source of upload.php I cannot find this error (“Image type not recognized”). Where is this coming from?

Thanks everyone :smile:

The file is not called flag.txt :wink: You have to find out the filename.

No idea where this error message comes from, but there is a PHP file included in the file upload.php. Maybe from there?
Maybe the error message also comes from the client side?

But all the information you need is in the upload.php file. Have a look at the upload path and see how the file is renamed during the upload.

2 Likes

Thanks!
I already saw how the file is renamed but I was so sure that the flag file name was flag.txt that I didn’t even try to upload a shell.

Regarding the error, I was using Zap so I think it’s coming from the imported file in upload.php

Thanks again!
:pray:

Hey, how did you solve it? I’m stuck on the same step. If you can, please give me a little bit more of a hint, but no spoilers; I want to get it on my own if possible.

In regards to the “Image type not recognized” 200 OK response, I don’t believe image/svg is a valid content type. The following website has some content types with associated MIME:
https://opensource.apple.com/source/file/file-23/file/magic/magic.mime

No matter what extension(s) or content-type I try, I can’t seem to get past “Only images are allowed.” Someone today told me they successfully uploaded the file using shell.phar.jpeg, but it won’t work for me. What am I missing?

1 Like

I had the same issue; even files with a jpeg image as the mime type were denied, but you can use the svg file type to get rce.

Thank you. For some reason, I’m still getting “Only images are allowed.” Can you tell if I’m missing something?

I’ve tried several combinations, but I’m still getting the error code:

filename="image.phar.svg"
Content-Type: image/svg+xml

<?php system($_REQUEST['cmd']); ?>

Check your file name again. You haven’t bypassed the extension filter properly.

Would you mind giving me any hints on it? I’m a little embarrassed to say I’ve literally tried over 150 combinations of extensions to no avail.

There’s no point in putting various php extensions at the end of the filename. The filter behind it is probably whitelisting *.jpg or *.png, so that means it’s definitely asking for those two at the end.
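Pulling together the hints given in this thread (only the final extension matters to the filter, the file is renamed on upload, and an SVG is XML with a DTD rather than a harmless image), here is a defender-side upload validator as an added example. It is not code from the thread, from the lab's upload.php or from HTB; the accepted-extension table, the reason strings, the SVG denylist and the sample inputs are all constructed for illustration.

```python
import os
import re
import secrets
from dataclasses import dataclass
from typing import Optional

# Constructed policy for this example: raster images are verified by magic
# bytes; SVG is accepted only without a DTD, because a DOCTYPE with SYSTEM
# entities is exactly what turns an "image" into the XXE payload quoted above.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "svg"}
MAGIC = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
}
STORED_EXT = {"jpg": "jpg", "jpeg": "jpg", "png": "png", "svg": "svg"}

_DTD_RE = re.compile(rb"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)
# Coarse denylist for active content inside SVG (PHP tags, <script>, on*= handlers).
_ACTIVE_RE = re.compile(rb"<\?(php|=)|<script\b|\bon[a-z]+\s*=", re.IGNORECASE)

# Constructed sample inputs, modeled on the thread rather than captured from the lab.
JPEG_STUB = b"\xff\xd8\xff\xe0" + b"\x00" * 16
CLEAN_SVG = b'<?xml version="1.0"?><svg xmlns="http://www.w3.org/2000/svg"/>'
XXE_SVG = (b'<?xml version="1.0"?><!DOCTYPE svg [<!ENTITY xxe SYSTEM '
           b'"file:///etc/passwd">]><svg>&xxe;</svg>')
PHP_IN_SVG = b"<?php system($_REQUEST['cmd']); ?>"


@dataclass
class Verdict:
    accepted: bool
    reason: str
    stored_name: Optional[str] = None


def final_extension(filename: str) -> str:
    """Lower-cased extension after the LAST dot of the bare file name.

    Everything before it (shell.phar.jpeg, image.phar.svg) is irrelevant to the
    decision. A NUL byte and trailing dots are stripped first, so a decoded
    'shell.php%00.jpg' and 'shell.php.' both evaluate to 'php'.
    """
    base = os.path.basename(filename.replace("\\", "/"))
    base = base.split("\x00", 1)[0].strip().rstrip(".")
    return base.rsplit(".", 1)[1].lower() if "." in base else ""


def validate_upload(filename: str, content_type: str, data: bytes) -> Verdict:
    """Decide whether an upload is stored, and under which name."""
    ext = final_extension(filename)
    if ext not in ALLOWED_EXTENSIONS:
        return Verdict(False, "extension not allowed")
    # The Content-Type header is chosen by the client: a sanity check only,
    # never the basis for trusting the bytes.
    if not content_type.lower().startswith("image/"):
        return Verdict(False, "content-type is not an image")
    if ext == "svg":
        if _DTD_RE.search(data):
            return Verdict(False, "svg carries a DTD or entity declaration")
        if _ACTIVE_RE.search(data):
            return Verdict(False, "svg carries script or PHP tags")
        if not re.search(rb"<svg\b", data, re.IGNORECASE):
            return Verdict(False, "svg root element missing")
    elif not data.startswith(MAGIC[ext]):
        return Verdict(False, "magic bytes do not match the extension")
    # The client's file name never reaches disk: a random name plus a fixed
    # extension from our own table, so 'shell.phar.jpeg' is stored as '<hex>.jpg'.
    return Verdict(True, "ok", f"{secrets.token_hex(16)}.{STORED_EXT[ext]}")


if __name__ == "__main__":
    for name, ctype, body in [
        ("photo.jpeg", "image/jpeg", JPEG_STUB),
        ("shell.phar.jpeg", "image/jpeg", PHP_IN_SVG),
        ("flag.svg", "image/svg+xml", XXE_SVG),
        ("image.phar.svg", "image/svg+xml", PHP_IN_SVG),
        ("logo.svg", "image/svg+xml", CLEAN_SVG),
    ]:
        print(name, validate_upload(name, ctype, body))
```

The rename step is the part worth noticing: once the stored name is random and its extension comes from the server's own table, a double extension in the client-supplied name has nothing left to influence. The regex denylist for SVG is deliberately coarse; a production service would rasterize SVGs or run them through a real sanitizer, and would serve user uploads from an origin where nothing is executed.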