First, we need to find an upload entry point, similar to the one shown below; that part is usually not difficult.
File name method
The file name itself may be reflected on the page, so a file whose name contains an XSS payload can serve as the attack vector. The name is entirely attacker-controlled, so it must be escaped for the context in which it is reflected.
ExifTool can be used to rewrite EXIF metadata, which is sometimes reflected on the page as well. The general form is -TAG=VALUE (no spaces around the equals sign), for example:
$ exiftool -FIELD='XSS' FILE
$ exiftool -Artist='">' brute.jpeg
SVG format
If the application allows uploading SVG files (browsers treat them as images, but they are XML documents that can carry script and event handlers), a file with the following content can be used to trigger XSS:
Here the GIF file header, GIF89a, is used as a JavaScript variable that is assigned the alert function, which makes the whole file valid JavaScript. Between the header and the assignment sits a commented-out XSS marker that covers the case where the uploaded file is served back with a text/html MIME type. Either way, simply requesting the uploaded file executes the payload.
As shown below, the UNIX `file` command and the PHP functions exif_imagetype() and getimagesize() all identify it as a GIF, because they only inspect the leading signature bytes. So if an application relies solely on these checks to verify that an upload is an image, the file will be accepted (though it may be removed afterwards).
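The following Python script is an added example, not code from the article or from any of the tools it mentions. It builds a constructed polyglot with the structure described above (GIF89a as a JavaScript identifier, the HTML payload inside a JS comment, the alert assignment after it), shows that a signature-only check of the kind exif_imagetype(), getimagesize() and `file` perform accepts it, and contrasts that with two stricter server-side checks: walking the GIF block structure, which rejects anything that is not a real GIF, and scanning an uploaded SVG (also constructed here) for script elements, event-handler attributes and javascript: links. The minimal 1x1 GIF, the polyglot payload and both SVG samples are constructed for this example, and the Python functions only approximate the PHP functions' signature test.

```python
import re
import xml.etree.ElementTree as ET

# Constructed polyglot with the structure the text describes: "GIF89a" is a legal
# JavaScript identifier, the HTML payload sits inside a JS comment so the file also
# fires when served as text/html, and the trailing assignment makes the whole file
# valid JavaScript when loaded via <script src=...>. This exact string is constructed here.
GIF_POLYGLOT = b"GIF89a/*<svg/onload=alert(1)>*/=alert(document.domain)//;"

# Constructed smallest valid 1x1 GIF89a: header, logical screen descriptor with a
# 2-colour global palette, one image descriptor with its LZW data, and the trailer.
REAL_GIF = bytes.fromhex(
    "474946383961" "01000100800000" "000000ffffff"
    "2c000000000100010000" "02024401003b"
)

# Constructed SVG samples: one carrying an event handler, one without active content.
SVG_ACTIVE = b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"><circle r="10"/></svg>'
SVG_CLEAN = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="10"/></svg>'


def magic_bytes_say_gif(data: bytes) -> bool:
    """Roughly what exif_imagetype()/getimagesize()/`file` do: look at the signature only."""
    return data[:6] in (b"GIF87a", b"GIF89a")


def _skip_subblocks(data: bytes, pos: int):
    """Skip a chain of length-prefixed sub-blocks; return the offset after the 0x00 terminator."""
    while True:
        if pos >= len(data):
            return None
        n = data[pos]
        pos += 1
        if n == 0:
            return pos
        pos += n


def is_well_formed_gif(data: bytes) -> bool:
    """Walk the GIF block structure; anything that is not a GIF block (e.g. JavaScript) fails."""
    if len(data) < 13 or not magic_bytes_say_gif(data):
        return False
    packed = data[10]                      # logical screen descriptor flags
    pos = 13
    if packed & 0x80:                      # global colour table present
        pos += 3 * (2 ** ((packed & 0x07) + 1))
    while pos is not None and pos < len(data):
        block = data[pos]
        if block == 0x3B:                  # trailer: must be the very last byte
            return pos == len(data) - 1
        if block == 0x21:                  # extension: introducer, label, sub-blocks
            pos = _skip_subblocks(data, pos + 2)
        elif block == 0x2C:                # image descriptor (10 bytes incl. introducer)
            if pos + 10 > len(data):
                return False
            lpacked = data[pos + 9]
            pos += 10
            if lpacked & 0x80:             # local colour table present
                pos += 3 * (2 ** ((lpacked & 0x07) + 1))
            pos = _skip_subblocks(data, pos + 1)  # +1 skips the LZW minimum code size
        else:
            return False                   # not a GIF block: e.g. the "/*<svg..." of the polyglot
    return False


def svg_active_content(data: bytes) -> list:
    """List the reasons an SVG carries active content (empty list means none were found)."""
    findings = []
    root = ET.fromstring(data)             # for untrusted XML in production prefer defusedxml
    for el in root.iter():
        local = el.tag.rsplit("}", 1)[-1]  # strip the namespace prefix
        if local.lower() in ("script", "foreignobject"):
            findings.append(f"<{local}> element")
        for name, value in el.attrib.items():
            aname = name.rsplit("}", 1)[-1].lower()
            if aname.startswith("on"):
                findings.append(f"{aname} handler on <{local}>")
            elif aname == "href" and re.match(r"\s*javascript:", value, re.I):
                findings.append(f"javascript: href on <{local}>")
    return findings


if __name__ == "__main__":
    for label, blob in (("polyglot", GIF_POLYGLOT), ("real gif", REAL_GIF)):
        print(f"{label}: signature check={magic_bytes_say_gif(blob)} "
              f"structure check={is_well_formed_gif(blob)}")
    print("active svg:", svg_active_content(SVG_ACTIVE))
    print("clean svg:", svg_active_content(SVG_CLEAN))
```

The structural walk accepts the real GIF and rejects the polyglot at offset 13, where a GIF must contain an extension, image descriptor or trailer but the polyglot contains the rest of the comment. The SVG scan is a denylist and should be treated as defence in depth only; the reliable fix for both formats is to re-encode uploaded images server-side and to serve user uploads with the correct Content-Type, X-Content-Type-Options: nosniff, and either Content-Disposition: attachment or a separate origin, so that a file is never interpreted as HTML or script in the application's origin.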