File Upload Attacks - Skills Assessment

student · July 8, 2022, 2:07am

Hello everyone!
I have two doubts regarding this skill assetsment!

1st
By uploading a image/svg+xml file I was able to get both the source code of upload.php and to read /etc/passwd, but when I try to get flag.txt in the root “/” folder it seems that the file does not exist.

Content-Disposition: form-data; name="uploadFile"; filename="flag.svg"
Content-Type: image/svg+xml

<?xml version="1.0"?>
<!DOCTYPE svg [  
<!ENTITY xxe SYSTEM "file:///etc/passwd"> 
<!ENTITY flag SYSTEM "file:///">  
]>
<svg>
&xxe;
&flag;
</svg>

This POST request to upload.php successfully “reads” /etc/passwd. If I add flag.txt in the 2nd entity I get a “500 internal server error” response.

I would love to get an hint

2nd
When I send this POST request to upload.php

I get this response:

Reading the source of upload.php I cannot find this error (“Image type not recognized”). Where is this coming from?

Thanks everyone

PayloadBunny · July 8, 2022, 9:20am

The file is not called flag.txt You have to find out the filename.

No idea where this error message comes from, but there is a PHP file included in the file upload.php. Maybe from there?
Maybe the error message also comes from the client side?

But all the information you need is in the upload.php file. Have a look at the upload path and see how the file is renamed during the upload.

student · July 8, 2022, 2:27pm

Thanks!
I already saw how the file is renamed but I was so sure that the flag file name was flag.txt that I didn’t even try to upload a shell.

Regarding the error, I was using Zap so I think it’s coming from the imported file in upload.php

Thanks again!

jydn879 · July 16, 2022, 3:38am

Hey, how did you solve it? I’m stuck on the same step. if you can please give me a little bit more of a hint? but no spoilers I want to get it on my own if possible.

GuyKazuya · February 14, 2023, 8:55pm

In regards to:

Image type not recognized" 200 OK response

, I don’t believe image/svg is a valid content type. The following website has some content types with associated MIME:
https://opensource.apple.com/source/file/file-23/file/magic/magic.mime

benlbs · May 24, 2023, 8:14pm

No matter what extension(s), content-type I try, I’m can’t seem to get past, “Only images are allowed.” Someone today told me they successfully uploaded the file using shell.phar.jpeg, but it won’t work for me. What am I missing?