webPromedium

Lab 342 — CloudVault — Stored XSS via Malicious SVG Upload

hackadvisor

Task: CloudVault file sharing platform allows SVG uploads served raw with image/svg+xml MIME type; admin bot reviews reported content and has flag in non-HttpOnly cookie. Solution: upload SVG with embedded JavaScript, use same-origin comments API to exfiltrate admin's cookies when bot visits the raw SVG URL.

$ ls tags/ techniques/

file_upload xss javascript stored_xss cookie_stealing admin_bot svg same_origin

svg_script_injectionadmin_bot_exploitationstored_xss_via_file_uploadsame_origin_data_exfiltrationapi_abuse_for_exfilnon_httponly_cookie_theft

Analysis

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.

$ python3 exploit.py --target 192.168.1.1 --port 8080
[*] Connecting to target...
[+] Shell obtained!

Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

🔒

Permission denied (requires tier.pro)

Sign in to access full writeups

$sign in

$ grep --similar

Similar writeups

[web][Pro]Lab 49 — PixelVault — Stored XSS via Malicious SVG Upload— hackadvisor
[web][Pro]Lab 393 — ShareVault — Stored XSS via File Browser innerHTML— hackadvisor
[web][Pro]Lab 314 — PixVault — ExifTool DjVu RCE via Image Upload— hackadvisor
[web][Pro]Lab 202 — WikiVault — AngularJS Client-Side Template Injection (XSS)— hackadvisor
[web][Pro]Lab 56 — DataPulse — XXE to SSRF via SVG Avatar Upload— hackadvisor