• File Upload XSS


    A file upload is a great opportunity to XSS an application. User restricted area with an uploaded profile picture is everywhere, providing more chances to find a developer’s mistake. If it happens to be a self XSS, just take a look at the previous post.

    Basically we have the following entry points for an attack.

    1) Filename

    The filename itself may be being reflected in the page so it’s just a matter of naming the file with a XSS.

    xss-gif-filename

    #hack2learn
    Although not intended, it’s possible to practice this XSS live at W3Schools.

    2) Metadata

    Using the exiftool it’s possible to alter EXIF metadata which may lead to a reflection somewhere:

    $ exiftool -FIELD=XSS FILE

    Example:
    $ exiftool -Artist=’ “><img src=1 onerror=alert(document.domain)>’ brute.jpeg

    exif-brute-collage

    3) Content

    If the application allows the upload of a SVG file extension (which is also an image type), a file with the following content can be used to trigger a XSS:

    <svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.domain)"/>

    A PoC (Proof of Concept) is available live at brutelogic.com.br/poc.svg.

    4) Source

    It’s easy to build a GIF image to carry a javascript payload for use as a source of a script. This is useful to bypass the CSP (Content Security Policy) protection “script-src ‘self’ ” (which doesn’t allow <script>alert(1)</script>, for example) if we are able to successfully inject in the same domain, as shown below.

    xss-gif-source

    To create such an image just use this as content and name it with .gif extension:

    GIF89a/*<svg/onload=alert(1)>*/=alert(document.domain)//;

    The signature of a GIF file, GIF89a, is used as a javascript variable assigned to the alert function. Between them however, there’s a commented XSS vector just in case the image can be retrieved as the text/HTML MIME type, thus allowing payload execution by just requesting the file.

    As we can also see below, the file UNIX-like command along with the PHP functions exif_imagetype() and getimagesize() recognize it as a GIF file. So if an application is using just these to validate the image, the file will be uploaded (but may be sanitized later).

    xss-gif

    For more file types that can have its signature as ASCII characters used for a javascript variable assignment, check this.

    There are more elaborated examples of XSS using image files, usually bypassing filters like the GD library ones. A good example of that is here.

  • 相关阅读:
    【洛谷4657】[CEOI2017] Chase(一个玄学的树形DP)
    Tarjan在图论中的应用(二)——用Tarjan来求割点与割边
    Tarjan在图论中的应用(一)——用Tarjan来实现强连通分量缩点
    jquery放大镜
    自定义上传按钮样式
    一些设计理论资料
    jquery滚动条
    全栈工程师到底有什么用(转)
    巧用CSS文件愚人节恶搞(转)
    仿双色球-随机产生7个数字
  • 原文地址:https://www.cnblogs.com/blacksunny/p/9134264.html
Copyright © 2020-2023  润新知