Skills Assessment - File Upload Attacks

I am stuck on the Skills Assessment - File Upload Attacks.
I can't find the file path. Please can someone help me?


I recommend using one of the methods they mentioned to grab the source code of the web functions/pages.

DM me if you need a bigger nudge!

1 Like

I can upload what I want, so far so good. Is there a possibility to get to the source code of the upload script? Doing everything blindly has not given me any result so far.

It is possible, in fact I would say it is crucial. Doing so uncovers important information surrounding the whole process.

I recommend going through the upload process a few times normally and observing how it works. I spent a few minutes just uploading legitimate files to see each step in the process. Although, it sounds like you have done so already. As always feel free to DM me.

1 Like

Can anyone help me? I am blocked.
I can't find the file path. :confused:

Have you found a way to get the source code?

Hey! Do I understand correctly that, in order to read the source code, you need to download the .svg file and implement XXE? I can't load the svg. What am I doing wrong?

If I remember correctly you need to upload an .svg file that will read you the source code. My memory is fuzzy on this though.

I am stuck on uploading the .svg file. How do I upload it? Are there .svg file bypass methods?

If anyone is having a hard time uploading the svg file to read the source code, you can use this script to fuzz for extensions:

for ext in '.svg' '.php' '.phps' '.php8' '.php7' '.php5' '.php4' '.php3' '.php2' '.pht' '.phar' '.phpt' '.pgif' '.phtml' '.phtm'; do
    # three layouts per extension: allowed extension first, allowed extension last, bare
    echo "shell.jpg$ext" >> php_whitelist_wordlist_small.txt
    echo "shell$ext.jpg" >> php_whitelist_wordlist_small.txt
    echo "shell$ext" >> php_whitelist_wordlist_small.txt
done

Also, if you don't know PHP very well, like me, you can use this to run snippets of code:

"echo $variable;" is good for seeing the output of how they are constructing strings.

If anyone is still having an issue, feel free to DM me.
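The wordlist loop above exists because many upload filters only look for an allowed extension somewhere in the filename. The following Python is an added example, not code from the thread or from the lab it discusses; it regenerates the same filename layouts the loop produces and checks them against a naive substring filter and a strict allow-list validator, so a defender can see which names each one lets through. The allow-list, the magic-byte table and the sample bytes are constructed for the example; .svg is left out of the allow-list on purpose, since the thread describes using an SVG to read source code through XXE.

```python
import os
import re
import uuid

# Constructed allow-list: image-only, no .svg (SVG is XML and can carry XXE).
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}

# Constructed magic-byte table for the allowed formats.
MAGIC = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
}

# Extension list from the thread's fuzzing loop.
FUZZ_EXTENSIONS = ['.svg', '.php', '.phps', '.php8', '.php7', '.php5', '.php4',
                   '.php3', '.php2', '.pht', '.phar', '.phpt', '.pgif', '.phtml', '.phtm']

# Constructed sample payload: a JPEG header followed by padding.
JPEG_SAMPLE = b"\xff\xd8\xff\xe0" + b"\x00" * 16


def wordlist_names(exts, stem="shell"):
    """Same three layouts per extension as the bash loop in the thread."""
    names = []
    for ext in exts:
        names += [f"{stem}.jpg{ext}", f"{stem}{ext}.jpg", f"{stem}{ext}"]
    return names


def naive_is_allowed(filename):
    """Substring check: the filter shape the wordlist is designed to slip past."""
    return any(f".{ext}" in filename.lower() for ext in ALLOWED_EXTENSIONS)


def strict_is_allowed(filename, content):
    """Allow-list on the final extension only, no double extensions,
    restricted stem characters, and magic bytes matching the extension."""
    base = os.path.basename(filename.replace("\\", "/"))  # drop any path part
    stem, dot, ext = base.rpartition(".")
    if not dot or not stem:
        return False                      # no extension, or nothing before it
    ext = ext.lower()
    if ext not in ALLOWED_EXTENSIONS:
        return False                      # shell.jpg.php: final extension is php
    if "." in stem:
        return False                      # shell.php.jpg: double extension
    if not re.fullmatch(r"[A-Za-z0-9_-]{1,64}", stem):
        return False                      # no spaces, nulls, traversal, etc.
    if not content.startswith(MAGIC[ext]):
        return False                      # content must match the claimed type
    return True


def server_side_name(filename):
    """Never store under the client's name; keep only the validated extension."""
    ext = filename.rpartition(".")[2].lower()
    return f"{uuid.uuid4().hex}.{ext}"


def audit(names, content=JPEG_SAMPLE):
    """Count how many candidate names each filter would accept."""
    naive = sum(1 for n in names if naive_is_allowed(n))
    strict = sum(1 for n in names if strict_is_allowed(n, content))
    return naive, strict


if __name__ == "__main__":
    names = wordlist_names(FUZZ_EXTENSIONS)
    n, s = audit(names)
    print(f"{len(names)} candidate names: naive filter accepts {n}, strict accepts {s}")
    for name in names:
        if naive_is_allowed(name):
            print(f"  naive accepts {name}")
```

Run as a script it lists every wordlist entry the substring filter would accept; the strict validator accepts none of them while still passing an ordinary `photo.jpg` whose bytes really are a JPEG. Generating the stored filename server-side means that even an accepted upload never lands on disk under an attacker-chosen name.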