After thoroughly inspecting and exploring the website, I found the function responsible for changing the profile picture. This is one of my favorite functions because it can lead to the discovery of multiple vulnerabilities.
The first thing I attempted was uploading a shell.php file instead of a profile picture. However, I couldn’t obtain a shell despite trying again and using every bypass technique I knew. In the end, I was unsuccessful.
At that point, I didn’t give up. Instead, I took a few hours to rest due to my continuous effort to get the shell.
Afterward, I tried uploading an image in SVG format, and it worked. The website accepted images in this format. At that moment, I thought of three potential vulnerabilities I could exploit: XXE, Stored XSS, Open redirect and SSRF.
I first tried to find an XXE vulnerability, but unfortunately, I couldn’t exploit it either.
Then I proceeded to find a Stored XSS vulnerability and successfully discovered it. You can find the report on my profile. :)
Next, I started searching for an SSRF vulnerability. I uploaded the SVG image, intercepted the request, injected my payload,
<image height="30" width="30"
xlink:href="https://gue8agnu95o7210f9n980qf1ksqjed22.oastify.com" />
</svg>
and completed the image upload process. Then I opened the image I had uploaded in a new tab.
And BOOOOOOOOOOOOOOOOOOM!
I successfully triggered SSRF.
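A defensive counterpart to the upload described above, as an added example that is not part of the original post: a Python check an upload handler could run to reject SVG files carrying the XXE, stored XSS and external-reference (SSRF) vectors mentioned. The function names, the blocklist and the sample SVG are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

BLOCKED_TAGS = {"script", "foreignObject", "iframe", "embed", "object"}
# Link targets allowed: same-document fragments and inline raster data only.
SAFE_HREF = re.compile(r"^(#[\w.-]+|data:image/(png|jpeg|gif);base64,[A-Za-z0-9+/=\s]+)$")
# url(...) in inline CSS that does not point at a same-document fragment.
CSS_URL = re.compile(r"url\s*\(\s*(?!['\"]?\s*#)", re.I)

# Constructed sample (not taken from the original post): an external image reference.
SAMPLE_EXTERNAL = b"""<svg xmlns="http://www.w3.org/2000/svg"
  xmlns:xlink="http://www.w3.org/1999/xlink">
  <image height="30" width="30" xlink:href="https://collector.example/probe"/>
</svg>"""

def local(name):
    """Strip the '{namespace}' prefix ElementTree puts on tag/attribute names."""
    return name.rsplit("}", 1)[-1]

def svg_upload_findings(data: bytes) -> list:
    """Return reasons to reject an uploaded SVG; an empty list means accept."""
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return ["not UTF-8"]
    # Refuse DTDs before parsing: they carry XXE and entity expansion.
    if re.search(r"<!\s*(DOCTYPE|ENTITY)", text, re.I):
        return ["DOCTYPE/ENTITY declaration"]
    try:
        root = ET.fromstring(text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if local(root.tag) != "svg":
        return ["root element is not <svg>"]
    findings = []
    for el in root.iter():
        tag = local(el.tag)
        if tag in BLOCKED_TAGS:
            findings.append(f"<{tag}> element")
        for name, value in el.attrib.items():
            attr = local(name)
            if attr.lower().startswith("on"):
                findings.append(f"event handler {attr} on <{tag}>")
            elif attr == "href" and not SAFE_HREF.match(value.strip()):
                findings.append(f"external reference in <{tag}> {attr}")
            elif attr == "style" and CSS_URL.search(value):
                findings.append(f"external url() in style on <{tag}>")
    return findings
```

The check covers elements, attributes and inline `style` attributes; CSS inside `<style>` blocks is not inspected.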