Description: A cheatsheet for exploiting server-side SVG processors.
# SVG SSRF Cheatsheet
Hosts that process SVG can potentially be vulnerable to SSRF, LFI, XSS and RCE because of the rich feature set of SVG.
All of these methods specify a URI, which can be absolute or relative. The file and HTTP protocols are the important ones to test, but the processor could also support other protocols depending on the implementation (e.g. PHP stream schemes), including javascript: and data:.
This document contains a list of all the ways I know about to abuse this functionality in SVG.
Note that some services that claim to not accept SVG as an input format actually do with a little coaxing.
* For uploads, send a JPEG/PNG mime type and filename.
* For downloads, have a JPEG/PNG filename and mime type. If refused, check for TOCTOU on the URL (double fetch) and if it follows redirects.
* I haven't seen it, but MIME sniffing confusion is probably also possible, as SVG is difficult to sniff because it can start with extra XML garbage. In fact, AFAICT the standard `file` command doesn't include any SVG magic, so it's likely up to the individual implementations.
# Images
SVG can include external images directly via the `<image>` tag.
``` xml
```
Note that you can use this to include *other SVG* images too.
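The following is an added example, not code from the original cheatsheet, written from the receiving side of the two points above: an upload handler should recognise SVG by parsing it rather than trusting the declared MIME type or filename (so a renamed JPEG/PNG does not slip past the filter), and it should enumerate every `href`/`xlink:href` in the document, including those on `<image>` elements that pull in other SVGs, and reject anything that is not a same-document fragment. The sample SVGs and the hostnames and paths inside them are constructed for the demo; the scheme classification uses only the standard library.

```python
"""Added example (not part of the original cheatsheet): a defender-side check
for SVG uploads. (1) is_svg() recognises SVG content by parsing it, which
tolerates the XML declaration, comments and DOCTYPE that defeat magic-byte
sniffers; (2) external_refs() lists every href/xlink:href with its URI scheme
so that http, file, data, javascript and relative references can be refused
before the file reaches an image processor. All sample inputs are constructed."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
# SVG 2 uses a plain href attribute; SVG 1.1 content uses xlink:href. Check both.
HREF_ATTRS = ("href", "{%s}href" % XLINK_NS)


def is_svg(payload: bytes) -> bool:
    """True if the bytes parse as XML whose root element is <svg> in the SVG
    namespace, regardless of the filename or Content-Type the client sent."""
    try:
        root = ET.fromstring(payload)
    except ET.ParseError:
        return False
    return root.tag == "{%s}svg" % SVG_NS


def external_refs(payload: bytes) -> list:
    """Return (element, value, scheme) for every href-like attribute.
    scheme is '' for relative references and 'fragment' for same-document
    '#id' links, the only kind a server-side renderer has no reason to fetch."""
    root = ET.fromstring(payload)
    found = []
    for el in root.iter():  # document order, every element including <defs>
        for attr in HREF_ATTRS:
            value = el.attrib.get(attr)
            if value is None:
                continue
            value = value.strip()
            scheme = "fragment" if value.startswith("#") else urlsplit(value).scheme.lower()
            tag = el.tag.split("}")[-1]  # drop the namespace for readability
            found.append((tag, value, scheme))
    return found


def verdict(payload: bytes, allow_schemes=("fragment",)) -> tuple:
    """(accept, flagged): accept only SVGs whose references are all fragments.
    Relative URIs (scheme '') are refused too, since resolved against the
    processor's base they become local file or HTTP reads."""
    if not is_svg(payload):
        return False, []
    flagged = [r for r in external_refs(payload) if r[2] not in allow_schemes]
    return not flagged, flagged


# Constructed samples: an SVG uploaded under a PNG name/MIME type that fetches a
# remote and a local resource plus another SVG, a clean SVG that only references
# its own <defs>, and a real PNG header.
RENAMED_PNG = b"""<?xml version="1.0"?>
<!-- declared as image/png by the uploader -->
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="10" height="10">
  <image xlink:href="http://internal.example/status" width="10" height="10"/>
  <image href="file:///srv/app/config.yml" width="10" height="10"/>
  <image href="other.svg" width="10" height="10"/>
</svg>"""

CLEAN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <defs><circle id="dot" r="3"/></defs>
  <use href="#dot" x="5" y="5"/>
</svg>"""

REAL_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16  # not XML at all

if __name__ == "__main__":
    for name, blob in (("renamed png", RENAMED_PNG), ("clean svg", CLEAN_SVG), ("real png", REAL_PNG)):
        accept, flagged = verdict(blob)
        print(f"{name}: is_svg={is_svg(blob)} accept={accept} flagged={flagged}")
```

The check deliberately refuses relative references as well as absolute ones: whether `other.svg` is harmless depends entirely on what base the server-side renderer resolves it against, which the upload handler cannot know. Running the block prints one line per sample; the renamed PNG is detected as SVG and rejected with all three `<image>` references listed, the clean SVG is accepted, and the real PNG is simply not SVG.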
# The `