A methodical and lucid demonstration of fundamental web vulnerabilities that effectively bridges the gap between theory and practice. It serves as a refined primer for those seeking to sharpen their technical intuition in offensive security.
WolfCore CTF | Part 2 | XSS via SVG Upload, XXE Injection & Path Traversal
Hi everyone, welcome back to the WolfCore CTF series, part two. If you have missed part one, this is an intentionally vulnerable social media platform I designed to simulate real-world penetration testing, and each vulnerability is standalone. That means they are not chained, but I still highly recommend you watch part one before watching part two. In part two we are going to cover three more vulnerabilities. The first one is going to be XSS by uploading an SVG file in the chat section. The second one is going to be XXE injection by importing an XML file. And the last one is going to be path traversal. So let's dive in.

So the first vulnerability that we could look into is XSS by uploading an SVG file. SVG files support JavaScript through a script tag or an event handler like onload. If the server serves an uploaded SVG file with the SVG content type, the browser executes whatever is in it, and the web app's chat feature doesn't sanitize the SVG files at all. So in order to do that, first we have to log in.

I'm going to use my own account; it's term domcco.com and the password is term123. Go to messages, and I'm going to chat with Bob.

The first payload that we're going to use is, let me just show you the code of it. It's code just city desktop. This is our first payload that we are going to use.

When you upload this payload, you can see a pop-up message, which is going to be your cookie. Open this SVG file and you can see your cookie over here. If you have seen our last video, you have seen how we used stored XSS to take over an account or steal a cookie. So in order to do that with an SVG file, what we can do is use another payload. This is our payload that we are going to use. First we have to start an ngrok server or a Python server. First we have to start a Python server, so I'm going to use python3 -m http.server, and then we have to expose our server to the internet. For that we have to use ngrok http 800.

This is our URL that we are going to use. Replace the old URL with our new URL that we got from ngrok. Save it and upload the file. So when you click this SVG file, you can see our cookie on our Python server. So yeah, you can see our cookie over here.

And we are going to steal Bob's cookie. So in order to do that, I'm going to open a new browser. I'm going to open it with Google Chrome, and it's bob at and the password is Bob 23. So if Bob clicks this payload, this SVG file, we can steal his cookie. So we got Bob's cookie over here.

If you have seen our previous video, we used a cool tool called Cookie-Editor. We are going to use the same over here. Here I'm using Tom's account, as you can see, and I'm going to go to the dashboard and replace our cookie with Bob's cookie, the session ID. So save the session ID and refresh the page. Now we are logged in with Bob's account.

The next vulnerability that we're going to look into is XXE injection. XXE, or XML external entity injection, tricks the XML parser into reading local files on the server by embedding a reference to them inside the XML. This chat app, or this social media site, has a feature called import data, and it has entity expansion enabled. That's exactly what makes it vulnerable. So in order to do this, I'm going to go to the dashboard, and you can see a feature called import data.

So the payload that I'm going to use is... we don't need this anymore. Close those tabs. So this is the payload that I'm going to use, and we are going to read the passwd file. If you want to read any other file, you can change it from here; you can replace it with the shadow file or whatever you want, and we don't need this tab anymore. So yeah, I'm going to upload the file and import data. Now you can see the passwd file over here. And if you go to our profile, you can see it over there too. Oh yeah, over here.

So the next one that we are going to look into is path traversal. Path traversal lets an attacker use ../ sequences in a file path parameter to escape from an intended directory and read arbitrary files, and the web app's aars_.php PHP takes the parameter and serves whatever it points to with no checks. So in order to exploit this vulnerability, what we can do is open a new tab and replace this one with ../../, and at the end we can use a known directory. We already know /etc/passwd will be there, so we are going to use that, and we can see we are able to read the file.

So that's part two. Here you have seen how you can use an SVG file to do XSS, then XXE pulling server files through a document parser, and path traversal through a single unsanitized parameter. In part three you are going to see other vulnerabilities in the same CTF. So see you soon.
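All three findings in the video are server-side input-validation failures. As an added example (not the CTF's own code, and in Python rather than the app's PHP), here is how the same three entry points are hardened: SVG uploads screened for script tags, on* handlers and javascript: links, import XML parsed with any DTD refused so no entity can point at a file, and the file parameter confined to a base directory. The sample inputs are constructed and the base directory /srv/uploads is a stand-in.

```python
import os
import re
import xml.etree.ElementTree as ET

# Constructed sample inputs modelled on the three issues in the video (not the CTF's own files).
SVG_WITH_ONLOAD = b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(document.cookie)"/>'
SVG_CLEAN = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="4"/></svg>'
XML_WITH_ENTITY = b'<!DOCTYPE d [<!ENTITY x SYSTEM "file:///etc/passwd">]><d>&x;</d>'
XML_CLEAN = b'<data><user>bob</user></data>'

_DTD_RE = re.compile(rb'<!(DOCTYPE|ENTITY)\b', re.IGNORECASE)


def svg_is_safe(data: bytes) -> bool:
    """Reject SVGs that carry <script>, on* handlers or javascript: links (the chat-upload XSS).
    Accepted files should still be served with Content-Disposition: attachment, never inline."""
    if _DTD_RE.search(data):                      # SVG is XML: no DTDs here either
        return False
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return False                              # unparseable upload: treat as unsafe
    for el in root.iter():
        if el.tag.rsplit('}', 1)[-1].lower() == 'script':   # tag name without its namespace
            return False
        for name, value in el.attrib.items():
            aname = name.rsplit('}', 1)[-1].lower()         # also catches xlink:href
            if aname.startswith('on') or (aname == 'href' and value.strip().lower().startswith('javascript:')):
                return False
    return True


def parse_import_xml(data: bytes) -> ET.Element:
    """Refuse any DTD before parsing: no entity declarations means no XXE file reads."""
    if _DTD_RE.search(data):
        raise ValueError("DTD/entity declarations are not allowed in import data")
    return ET.fromstring(data)


def safe_join(base_dir: str, user_path: str) -> str:
    """Resolve a user-supplied file name and insist it stays inside base_dir (blocks ../ escapes)."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"path escapes {base_dir}: {user_path!r}")
    return target
```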